Overview

overview

10

Static

static

3

1771060a61...d8.exe

windows7-x64

10

1771060a61...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2024 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe

  • Size

    1.9MB

  • MD5

    447eece2bd8956409434aa2a41f94c23

  • SHA1

    bce3ace0ee29acf1b7e2e957aeacdbdeccb9537f

  • SHA256

    1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8

  • SHA512

    f7ea67a4fcc417381002c0f991c1d3910468b62a1d7ecd797d24bffdce4e609c2a29eb9889aacecf7932f3ad816ccb4f1df6b6d62ba1ed2499d48a42008e49ec

  • SSDEEP

    49152:zES0GzPDPtGUE/Nb8HdX+rKXJyCnKhgLn0Hcx:zES0qybydXUyfK2LCM

Score
10/10
dcratdiscoveryexecutioninfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
    "C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\djzjrqz1\djzjrqz1.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp" "c:\Windows\System32\CSCBB91C27C55E94E8E9E95901019B73FCE.TMP"
        3⤵
          PID:2252
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4100
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4340
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4164
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2504
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4060
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:5036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2272
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3392
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3404
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\services.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\3082\explorer.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3272
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:5028
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vapMmHwgGO.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4872
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:5256
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5392
          • C:\Program Files\Uninstall Information\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe
            "C:\Program Files\Uninstall Information\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:5896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3540
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4972
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2192
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1252
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd81" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd81" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3788
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework64\3082\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1500
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\3082\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework64\3082\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1524
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd81" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4920
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd81" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2296

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      2
      T1082

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe
        Filesize

        1.9MB

        MD5

        447eece2bd8956409434aa2a41f94c23

        SHA1

        bce3ace0ee29acf1b7e2e957aeacdbdeccb9537f

        SHA256

        1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8

        SHA512

        f7ea67a4fcc417381002c0f991c1d3910468b62a1d7ecd797d24bffdce4e609c2a29eb9889aacecf7932f3ad816ccb4f1df6b6d62ba1ed2499d48a42008e49ec

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1771060a61273b3e508afad18244ba53155e715d22bc9b503224658ccf48dfd8.exe.log
        Filesize

        1KB

        MD5

        af6acd95d59de87c04642509c30e81c1

        SHA1

        f9549ae93fdb0a5861a79a08f60aa81c4b32377b

        SHA256

        7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

        SHA512

        93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        d28a889fd956d5cb3accfbaf1143eb6f

        SHA1

        157ba54b365341f8ff06707d996b3635da8446f7

        SHA256

        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

        SHA512

        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6d3e9c29fe44e90aae6ed30ccf799ca8

        SHA1

        c7974ef72264bbdf13a2793ccf1aed11bc565dce

        SHA256

        2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

        SHA512

        60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e448fe0d240184c6597a31d3be2ced58

        SHA1

        372b8d8c19246d3e38cd3ba123cc0f56070f03cd

        SHA256

        c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

        SHA512

        0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        5f0ddc7f3691c81ee14d17b419ba220d

        SHA1

        f0ef5fde8bab9d17c0b47137e014c91be888ee53

        SHA256

        a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

        SHA512

        2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        aaaac7c68d2b7997ed502c26fd9f65c2

        SHA1

        7c5a3731300d672bf53c43e2f9e951c745f7fbdf

        SHA256

        8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

        SHA512

        c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e243a38635ff9a06c87c2a61a2200656

        SHA1

        ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

        SHA256

        af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

        SHA512

        4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        28d4235aa2e6d782751f980ceb6e5021

        SHA1

        f5d82d56acd642b9fc4b963f684fd6b78f25a140

        SHA256

        8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

        SHA512

        dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        a8e8360d573a4ff072dcc6f09d992c88

        SHA1

        3446774433ceaf0b400073914facab11b98b6807

        SHA256

        bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

        SHA512

        4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES9BE2.tmp
        Filesize

        1KB

        MD5

        601d5a475fcbbeac755d7fe8287f7cb6

        SHA1

        6da709bd65cd6626a4cc1fbaad0f107ee7f734aa

        SHA256

        65a133be40b5e2c9f4742b83a837d4c0c5d163adbd29ff125aec6f57d4b71e55

        SHA512

        f4a97f0097400d795bcf23331596c0bf8bc75e7c019db576c481c4f419f91cd7508a0b252b0cedb2d3f32a5d473d64ce65fc1a97985c741b1739f429240abb8f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tzpa05pd.nw0.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\vapMmHwgGO.bat
        Filesize

        235B

        MD5

        e01111a1a14c1cff4c7b4853c637bfcf

        SHA1

        9d87af0a28c4f0f8bc848d02ae17ad1192b6b102

        SHA256

        a1229c2b351e79d9d7e44c19a89cd59fe5afdac9d7bbb7d875a28fad5590a136

        SHA512

        4cd54f285477ae2603f3c0b86964270cb9c544ac0daec76cdf9c86f2d2309460c1969cb059e21176fa0ec1b4570f6939d0d5e978786a625dfe74a723500c99c3

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\djzjrqz1\djzjrqz1.0.cs
        Filesize

        394B

        MD5

        f1abe8bfd7e7560ce5dd609ffe1ac94c

        SHA1

        baaf018c4538b02b6b41245b08967144da0bb3a1

        SHA256

        40e3ac7dd95f81a88b5a4425418c320c866e633f9868e247f85ea642e817f57e

        SHA512

        cdd7009a39705279ce74bc93986fa98f2fe8cbcf3a27a1d5dbeb66a893fb891a2b3a2aa7ea9c8ec3ead395a52fc467ed98797e28901f0890dd340b334ee999b0

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\djzjrqz1\djzjrqz1.cmdline
        Filesize

        235B

        MD5

        7ccac63efe0f230613a07c346875c845

        SHA1

        e114955e16bf33e01dfd9c5311429136a5935b76

        SHA256

        e843fbba18160aea7c38bba7aecf6d4abe6f6542bc1ec12696162b706a1fc441

        SHA512

        9404067dda24493515032ddb14e9bd4df81fed5510208b255b6556c20f51aa9d26953c2433ddf87dfe7129b3ab7d1770a4407e870f311069069ca5591a5b278b

        Download Submit

      • \??\c:\Windows\System32\CSCBB91C27C55E94E8E9E95901019B73FCE.TMP
        Filesize

        1KB

        MD5

        65d5babddb4bd68783c40f9e3678613f

        SHA1

        71e76abb44dbea735b9faaccb8c0fad345b514f4

        SHA256

        d61a59849cacd91b8039a8e41a5b92a7f93e2d46c90791b9ba6b5f856008cd8f

        SHA512

        21223e9a32df265bb75093d1ebaa879880a947d25ac764f3452b9104893b05f2c8fe4150cb2465681df7a0554dcefdb7f623aaf54772ade878270f453ebc1bcf

        Download Submit

      • memory/1484-57-0x000002952DC50000-0x000002952DC72000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2752-10-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-15-0x000000001B9C0000-0x000000001B9CE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2752-37-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-38-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-30-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-23-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-22-0x000000001BA30000-0x000000001BA3C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2752-16-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-56-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-20-0x000000001BA20000-0x000000001BA2E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2752-18-0x000000001B9D0000-0x000000001B9DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2752-36-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-0-0x00007FFD554F3000-0x00007FFD554F5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2752-11-0x000000001BFA0000-0x000000001BFF0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2752-13-0x000000001BA00000-0x000000001BA18000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2752-9-0x000000001B9E0000-0x000000001B9FC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2752-7-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-6-0x00000000031E0000-0x00000000031EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2752-4-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-3-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-2-0x00007FFD554F0000-0x00007FFD55FB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2752-1-0x0000000000CB0000-0x0000000000EA8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/5896-258-0x000000001DC20000-0x000000001DD35000-memory.dmp

        Filesize

        1.1MB

        Download