Analysis

  • max time kernel
    116s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 14:02

General

  • Target

    b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe

  • Size

    1.1MB

  • MD5

    b8da80bdfe6252c354345441684b6151

  • SHA1

    040dcd00ac82eb3add9bd49bc9c2c773093cdd07

  • SHA256

    b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9

  • SHA512

    da03b9665eb425db14c28ddc631a3cda5425ed140d2bae37b08a8c9f8e6208a45072be53d8b02b4e15bab53fa439e46d27c0a2681f3c94d1b3ae47de37e5a7e6

  • SSDEEP

    24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpdD:EPkVXFGDQoP7FRCZRonh4hfewhmpdD

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 6 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
    "C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\fontdrvhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1192
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2940
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2264
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\upfc.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:624
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2448
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1392
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1524
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\Registry.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2924
      • C:\Recovery\WindowsRE\RuntimeBroker.exe
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Recovery\WindowsRE\RuntimeBroker.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          PID:1856
        • C:\Recovery\WindowsRE\RuntimeBroker.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          PID:1276
        • C:\Recovery\WindowsRE\RuntimeBroker.exe
          "{path}"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3612
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12a842ce-9905-4c2c-a5cc-70e757bc3ddd.vbs"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4172
            • C:\Recovery\WindowsRE\RuntimeBroker.exe
              C:\Recovery\WindowsRE\RuntimeBroker.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:4616
              • C:\Recovery\WindowsRE\RuntimeBroker.exe
                "{path}"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1032
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c64d66b-8042-423d-aabf-1cc8584a9573.vbs"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4996
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\690a5c9e-f827-4be5-8cb3-e7e52dc421a7.vbs"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1340
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\660e9bff-b811-442f-86e8-60d5e7166f84.vbs"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Links\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\upfc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\Registry.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3124
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\Registry.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Recovery\WindowsRE\sihost.exe (1.1MB)
  • C:\Recovery\WindowsRE\sihost.exe (1.1MB)
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b2719db92d9b7537b1373d406215176928eff13d8a695342bc486c720985add9.exe.log (1KB)
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (2KB)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (18KB)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (18KB)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (18KB)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (18KB)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (18KB)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (18KB)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (18KB)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (18KB)
  • C:\Users\Admin\AppData\Local\Temp\12a842ce-9905-4c2c-a5cc-70e757bc3ddd.vbs (715B)
  • C:\Users\Admin\AppData\Local\Temp\3c64d66b-8042-423d-aabf-1cc8584a9573.vbs (715B)
  • C:\Users\Admin\AppData\Local\Temp\660e9bff-b811-442f-86e8-60d5e7166f84.vbs (491B)
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqddrznh.ka3.ps1 (60B)
  • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RuntimeBroker.exe (1.1MB)
  • C:\Windows\AppReadiness\RuntimeBroker.exe (1.1MB)
