Overview

overview

10

Static

static

3

44e15f3bc7...b5.exe

windows7-x64

10

44e15f3bc7...b5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-11-2024 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe

  • Size

    1.1MB

  • MD5

    25e219d16e556ca28df1ae887c017818

  • SHA1

    751f30629bc2320d4d33e1dc0b2f6cb522bdff8b

  • SHA256

    44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5

  • SHA512

    281fd1a68e828ad98365d6a6a47293d51330deb6a9fb0b9d32045e6f5174cecdb1072846134e333a2b7b544b3d8c54202608a989292a40e1bc4925df88f83fd8

  • SSDEEP

    24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpdv:EPkVXFGDQoP7FRCZRonh4hfewhmpdv

Score
10/10
dcratdiscoveryexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
    "C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:632
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2388
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4772
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3376
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\smss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1416
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\sppsvc.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1744
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\winlogon.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3380
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\csrss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4108
      • C:\Users\Admin\Searches\RuntimeBroker.exe
        "C:\Users\Admin\Searches\RuntimeBroker.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Users\Admin\Searches\RuntimeBroker.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          PID:2392
        • C:\Users\Admin\Searches\RuntimeBroker.exe
          "{path}"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:764
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\232b8490-0dbf-48a2-a5d3-a241b07a5c55.vbs"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:844
            • C:\Users\Admin\Searches\RuntimeBroker.exe
              C:\Users\Admin\Searches\RuntimeBroker.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4688
              • C:\Users\Admin\Searches\RuntimeBroker.exe
                "{path}"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2368
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fa73bc6-f66f-4ca0-91c5-923930a84aa0.vbs"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3796
                  • C:\Users\Admin\Searches\RuntimeBroker.exe
                    C:\Users\Admin\Searches\RuntimeBroker.exe
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:408
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efb22859-3745-4a7c-b190-5c0e98e06dae.vbs"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3100
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e92fb89b-4788-4ef1-8ea4-fb13063c968d.vbs"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Searches\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Searches\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Vss\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ModemLogs\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4176
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe
    Filesize

    1.1MB

    MD5

    8fff57fca70ab517f34e808c8769ac8d

    SHA1

    287f7ee831128303984fbb9921e6d69bc1de6bb5

    SHA256

    5bc64bd331b546161bdb042c0547b7b112e728bf7b2abd491c93d6a0d7799920

    SHA512

    cc898d97ea21b668e438e9aa364f62382ef3f015f2ba01d42a3bfc4e80ac48a3dd566879aba521f9c15656a3d3072cb1df2864d5e18045d49c6f76e90a5f40e0

    Download Submit

  • C:\Program Files\Windows Mail\csrss.exe
    Filesize

    1.1MB

    MD5

    bb4eea2509a606b1f379616d9e9d076b

    SHA1

    1d2fd4d95a928ebfcc48d95ef6934fed3dd77ca1

    SHA256

    1e2d591cbe53394bb4ca72fa9fda3bf1a263284803f2cd984da698086a01463e

    SHA512

    8319ff17b24033acfb2283a071a4a2d7c99dc7ff432d22a2d132abc1ad7e390c3c5c11c5824d4ca407b2db68b8dc699612ad2b282110545a21a745ba1204d22f

    Download Submit

  • C:\Program Files\Windows NT\Accessories\smss.exe
    Filesize

    1.1MB

    MD5

    25e219d16e556ca28df1ae887c017818

    SHA1

    751f30629bc2320d4d33e1dc0b2f6cb522bdff8b

    SHA256

    44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5

    SHA512

    281fd1a68e828ad98365d6a6a47293d51330deb6a9fb0b9d32045e6f5174cecdb1072846134e333a2b7b544b3d8c54202608a989292a40e1bc4925df88f83fd8

    Download Submit

  • C:\Recovery\WindowsRE\WmiPrvSE.exe
    Filesize

    1.1MB

    MD5

    c42fe22743cc5f3f2e3d378cb0a79c31

    SHA1

    20356427a0bb1c1558cddca09d037e242b5631ea

    SHA256

    a70fc428b1aadaefbefd83ca2c4af66e582992f061c0cab2cda6b91c2f214788

    SHA512

    555b342017a605620b4eaa54ab272dce08559bee46b3dac205915a5adfa7ab297b2284711990f794672d0a780ab78c21f6a38e48e86a807585b1dbb51e16b3f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe.log
    Filesize

    1KB

    MD5

    84e77a587d94307c0ac1357eb4d3d46f

    SHA1

    83cc900f9401f43d181207d64c5adba7a85edc1e

    SHA256

    e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

    SHA512

    aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    b2bfb44c713d21eea93c839d0de8079f

    SHA1

    5e7b47d09f5b8b60fbc3d7e0d0af0c1791675a25

    SHA256

    1326885986cdcaa1e6396d65fa4323c6cf28785f6f808293d4890c37272e5b13

    SHA512

    44047671662aac0daec41cb39748403cc3862c4e7708e1b5cb2b4b322e7a0b5063b6f402cf2d2809a8f29ee4786ea3de8769c32d30ce5c589fd01d71a4a87d4b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    8f041c9cb194276cd11ce6a9f6fb046d

    SHA1

    2f4f2db57c9f0756c48ee8ba952ab9108f83e468

    SHA256

    a3895807cbdb9317a7858c6841d165fc2861dcec8f6c3b8a820937d0c190c2b8

    SHA512

    aed5ea1b28a610788da273948b38d21d33631e82456d574bc3e13f22cf0fb93532271235799a8e1ae16fe0c53e3771af6254d5fbd821393bfdf2f5d770c4b6fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    0dfc194ad5c5e1603cf4741f7a417ecb

    SHA1

    7b17775cd6d49c51f23086c95dad41ddd9967d65

    SHA256

    31b3903e33e2f389a39806102e9199f1e233e243c9bfdcbb20e90b508d358fb2

    SHA512

    7a18416f8384d625da690fa503892e322b0db4b8d2b99f0faffa22cc34377d06891c28918dc56d9eaeb296f088bdd3a63e3487f06ec40e59e43ec5c20ad979d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    7f8ad755373b19d5d90ab7e2a0e71be7

    SHA1

    3003269ac12e96979655e4cbb219b549f81d8943

    SHA256

    3e9b4bff987676cbddb10d14cf047e66e3a20c09b91e10e909d2493ee243edf7

    SHA512

    0c7ba55c1292e24244647fb94a8121ec8de4887d2d891feb4468a73f173c79de00b2635c0703578e63c958fc384747f90cda8cd58584c67f13e0488673608ebf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\232b8490-0dbf-48a2-a5d3-a241b07a5c55.vbs
    Filesize

    716B

    MD5

    c2a49e30a88a568210caa894f8b4ed7d

    SHA1

    e7abc2d4564ad598e39091961b696bb2a86f579d

    SHA256

    2c42947d9c3c9de387d5c683f58abb59ffc29695768bd805401982478864663c

    SHA512

    9a96f412d418915acc0ba955417786f6ba620cde83eb4b6f3a805caef353e5994fbd70575de43e81119c83d5dea53d19e24e172d25eb4b57c69a25483db46819

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4fa73bc6-f66f-4ca0-91c5-923930a84aa0.vbs
    Filesize

    717B

    MD5

    c6c02394bda1cd8a336472e98fefcaf1

    SHA1

    e31687ee45164e76c9b74c019379e424105ad31a

    SHA256

    80665df2d433fb86f5c58e3d6c85fb8fb01b7cdb131f4782dde7544024e93b5d

    SHA512

    b14c79f00e7791307e83ad10b7cbf3d5ef3e95a7cb6bce3ebcdf6454571a48241922072ed13cb5cc3e7e2b1632982752b59419cc87b15620d4b4d94ba3bd84f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnvayspj.zio.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\e92fb89b-4788-4ef1-8ea4-fb13063c968d.vbs
    Filesize

    493B

    MD5

    df396cb14a861dc9f2cf4189cb9a4fb4

    SHA1

    2f7ea8f94d4d1e91b6e5bdc02bc3f2315adace9c

    SHA256

    6aa10a0acbfe1253698e04add02a9af58d10345865e22b846ab3d253ace7eae7

    SHA512

    2239acd69eeca2ba54ac6c6febd8cc78f431a7151efa53ee6aa62e2107c9e4c562a1cdb13d06d0de9be6c7807b507f424e287f0b5dbf8af912ffd6ae72b7247e

    Download Submit

  • memory/8-290-0x0000000074B00000-0x00000000752B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/8-30-0x0000000005DA0000-0x0000000005DAC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/8-15-0x0000000074B00000-0x00000000752B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/8-18-0x0000000001920000-0x000000000193C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/8-19-0x0000000005C00000-0x0000000005C50000-memory.dmp

    Filesize

    320KB

    Download

  • memory/8-20-0x0000000001950000-0x0000000001960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/8-21-0x0000000001970000-0x0000000001986000-memory.dmp

    Filesize

    88KB

    Download

  • memory/8-22-0x00000000019A0000-0x00000000019B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/8-23-0x0000000005C50000-0x0000000005C62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/8-24-0x0000000006B30000-0x000000000705C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/8-25-0x0000000005CF0000-0x0000000005CFC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/8-17-0x0000000074B00000-0x00000000752B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/8-29-0x0000000005D70000-0x0000000005D7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/8-28-0x0000000005D40000-0x0000000005D4C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/8-27-0x0000000005D20000-0x0000000005D2E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/8-26-0x0000000005D00000-0x0000000005D0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/8-33-0x0000000006850000-0x00000000068B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/8-12-0x0000000000400000-0x000000000052E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/632-331-0x0000000070F30000-0x0000000070F7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1416-359-0x0000000070F30000-0x0000000070F7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-293-0x00000000057F0000-0x0000000005802000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1744-340-0x0000000070F30000-0x0000000070F7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2388-393-0x0000000007430000-0x0000000007444000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2388-394-0x0000000007530000-0x000000000754A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2388-146-0x00000000028B0000-0x00000000028E6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2388-196-0x0000000005640000-0x0000000005662000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2388-203-0x00000000058B0000-0x0000000005C04000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2388-395-0x0000000007510000-0x0000000007518000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2388-291-0x0000000005E90000-0x0000000005EAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2388-292-0x00000000063D0000-0x000000000641C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2388-197-0x0000000005720000-0x0000000005786000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2388-305-0x0000000004C30000-0x0000000004C4E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2388-295-0x0000000070F30000-0x0000000070F7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2388-294-0x0000000006EB0000-0x0000000006EE2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2388-306-0x00000000070F0000-0x0000000007193000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2388-391-0x00000000073F0000-0x0000000007401000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2388-390-0x0000000007470000-0x0000000007506000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2388-319-0x0000000007200000-0x000000000721A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2388-318-0x0000000007860000-0x0000000007EDA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2388-379-0x0000000007260000-0x000000000726A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2892-369-0x0000000070F30000-0x0000000070F7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3124-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3124-5-0x0000000004D60000-0x0000000004D6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3124-9-0x0000000074B00000-0x00000000752B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3124-1-0x0000000000280000-0x00000000003AC000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3124-10-0x0000000007260000-0x0000000007356000-memory.dmp

    Filesize

    984KB

    Download

  • memory/3124-6-0x0000000074B00000-0x00000000752B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3124-16-0x0000000074B00000-0x00000000752B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3124-11-0x0000000009830000-0x000000000995E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3124-3-0x0000000004C70000-0x0000000004D02000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3124-2-0x0000000005180000-0x0000000005724000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3124-4-0x0000000004DB0000-0x0000000004E4C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3124-8-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3124-7-0x0000000005000000-0x0000000005012000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3376-320-0x0000000070F30000-0x0000000070F7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3380-380-0x0000000070F30000-0x0000000070F7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4108-307-0x0000000070F30000-0x0000000070F7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4108-392-0x00000000079E0000-0x00000000079EE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4108-147-0x0000000005670000-0x0000000005C98000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4688-430-0x00000000053F0000-0x0000000005402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4772-317-0x0000000070F30000-0x0000000070F7C000-memory.dmp

    Filesize

    304KB

    Download