Overview

overview

10

Static

static

10

cd94462486...32.exe

windows7-x64

10

cd94462486...32.exe

windows10-2004-x64

10

cdb97c07f0...ca.exe

windows7-x64

1

cdb97c07f0...ca.exe

windows10-2004-x64

1

cdfbee96df...25.exe

windows7-x64

10

cdfbee96df...25.exe

windows10-2004-x64

10

ce01fc8942...b5.exe

windows7-x64

10

ce01fc8942...b5.exe

windows10-2004-x64

10

ce5340f773...6e.exe

windows7-x64

10

ce5340f773...6e.exe

windows10-2004-x64

10

ce6d4255fc...f1.exe

windows7-x64

10

ce6d4255fc...f1.exe

windows10-2004-x64

10

ce8f0a3c5b...fc.exe

windows7-x64

8

ce8f0a3c5b...fc.exe

windows10-2004-x64

8

cef4f0409d...db.exe

windows7-x64

10

cef4f0409d...db.exe

windows10-2004-x64

10

cf15609eab...81.exe

windows7-x64

9

cf15609eab...81.exe

windows10-2004-x64

9

cf3f6f6285...6e.exe

windows7-x64

10

cf3f6f6285...6e.exe

windows10-2004-x64

10

cf450b1869...e9.exe

windows7-x64

10

cf450b1869...e9.exe

windows10-2004-x64

10

cf56059ae5...a1.exe

windows7-x64

10

cf56059ae5...a1.exe

windows10-2004-x64

10

cf79ab31cc...04.exe

windows7-x64

10

cf79ab31cc...04.exe

windows10-2004-x64

10

cf8d6b1a05...68.exe

windows7-x64

10

cf8d6b1a05...68.exe

windows10-2004-x64

10

cf96c893c9...10.exe

windows7-x64

1

cf96c893c9...10.exe

windows10-2004-x64

1

cfd31bf82d...9b.exe

windows7-x64

7

cfd31bf82d...9b.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf3f6f628505c197d6909686370e5f6e.exe

  • Size

    5.9MB

  • MD5

    cf3f6f628505c197d6909686370e5f6e

  • SHA1

    98cda86393598f0aa526c80c10e377562a1cf0a2

  • SHA256

    2b323a76d3a42fa7ff85eac60489c1b6dc4347df65203ae95f524d205e9f5a15

  • SHA512

    de5ac0268bec608447260034e784a60a176fb777ec17f0583cbcc1515792ec765c013de4e696456c89ec97bc5c90245fba4104e830a764821544c08acd1b76c0

  • SSDEEP

    98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4e:xyeU11Rvqmu8TWKnF6N/1wH

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf3f6f628505c197d6909686370e5f6e.exe
    "C:\Users\Admin\AppData\Local\Temp\cf3f6f628505c197d6909686370e5f6e.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4336
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d9c22b4eaa3c0b9c12c7/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/dfe2e59cddd00040f555dab607351a1d/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:784
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OEQgktfaqX.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3688
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2772
        • C:\Program Files\Windows Multimedia Platform\cf3f6f628505c197d6909686370e5f6e.exe
          "C:\Program Files\Windows Multimedia Platform\cf3f6f628505c197d6909686370e5f6e.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5356
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb14a999-f34c-4648-a6c2-54128ceb0321.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5632
            • C:\Program Files\Windows Multimedia Platform\cf3f6f628505c197d6909686370e5f6e.exe
              "C:\Program Files\Windows Multimedia Platform\cf3f6f628505c197d6909686370e5f6e.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4456
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e8c7060-e426-424b-b25c-a4e725f1463c.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4204
                • C:\Program Files\Windows Multimedia Platform\cf3f6f628505c197d6909686370e5f6e.exe
                  "C:\Program Files\Windows Multimedia Platform\cf3f6f628505c197d6909686370e5f6e.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:3500
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7e027b7-4bd7-497e-966a-3e5fa8a45255.vbs"
                    8⤵
                      PID:5552
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\972153cd-2cec-46fe-bd9a-9240a3ef437e.vbs"
                      8⤵
                        PID:5580
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d65a4617-4d67-4706-bf06-23b45689aa07.vbs"
                    6⤵
                      PID:4100
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d42a63aa-19b9-42d0-ab24-699db23b7276.vbs"
                  4⤵
                    PID:5680
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1904
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\TAPI\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1596
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1332
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2192
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3320
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4532
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\lib\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4908
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\lib\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3928
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk-1.8\lib\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2280
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\upfc.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4180
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\upfc.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3860
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\upfc.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1124
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4728
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3060
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2088
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "cf3f6f628505c197d6909686370e5f6ec" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\cf3f6f628505c197d6909686370e5f6e.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2068
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "cf3f6f628505c197d6909686370e5f6e" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\cf3f6f628505c197d6909686370e5f6e.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4480
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "cf3f6f628505c197d6909686370e5f6ec" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\cf3f6f628505c197d6909686370e5f6e.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2156
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Registry.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4332
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Registry.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:888
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Registry.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:672
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\lsass.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3988
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4788
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\lsass.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2508
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\sihost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4824
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Music\sihost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:984
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\sihost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1216

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Internet Explorer\en-US\upfc.exe
              Filesize

              5.9MB

              MD5

              df7147d6d9f774b4fb26792e18962648

              SHA1

              f30bd113c443f288801ff32948cb89bc5869b2db

              SHA256

              234b15f6838541a11cd27477bb96b2da2fb060cffce859fcc01c4b35060a3565

              SHA512

              ad536ca4160bfd1284163aa3b2dd2984d870355c881c45dfb2e630558c516a5e978f0b8cf32fcdade3e2db08f25562e1d7097d6ff6593b59a5567f4aaadd42ab

              Download Submit

            • C:\Program Files\Windows Multimedia Platform\cf3f6f628505c197d6909686370e5f6e.exe
              Filesize

              5.9MB

              MD5

              cd5a87bdc3ff63b5fc66c7404caf04d0

              SHA1

              2c8f96278b8ab646a6210b75d5616f2673633c3c

              SHA256

              28fc3d638fed1a9653d7074a96da178c722f2bae667820b722ead17ee0459f4f

              SHA512

              c734ab8dfdb4d1a5039db2271f82f836fc0bd015dd85c7ff1c1b2059e67278a5b94a90399fefb183d21d1a2d7ea2481358753ff50ca018ad9ea45c3fea11ea19

              Download Submit

            • C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
              Filesize

              5.9MB

              MD5

              cf3f6f628505c197d6909686370e5f6e

              SHA1

              98cda86393598f0aa526c80c10e377562a1cf0a2

              SHA256

              2b323a76d3a42fa7ff85eac60489c1b6dc4347df65203ae95f524d205e9f5a15

              SHA512

              de5ac0268bec608447260034e784a60a176fb777ec17f0583cbcc1515792ec765c013de4e696456c89ec97bc5c90245fba4104e830a764821544c08acd1b76c0

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cf3f6f628505c197d6909686370e5f6e.exe.log
              Filesize

              1KB

              MD5

              612072f28dae34eb75a144057666a2ba

              SHA1

              3b965a3b1b492b77c9cdbc86e04898bdd4eb948c

              SHA256

              ee0e6893ee76e6e771eea4116de524ce047ccdd04c7d6267a52b4a8e8198db26

              SHA512

              b0e397c2dac42d19f0864c223d6f2f74149de7d1d6f1e67d5da99695ac9ad1f6019d0ac392852d4c285182f97fec708dc01d0a6e5a8646d06e0da3ab863cd07f

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              241a30ee59b4b06c007874e90fe80d6d

              SHA1

              5f1ba41ebc6984909a65725c2e686c6012bd32c6

              SHA256

              91b63fc7449595695b9e0ee26704ea721dc66d7da9e99b38c66962f6d93e65bb

              SHA512

              61f9ce6d433cc8efe06587ddcb4921a1bf6516fcd3c36ad79a2583acf1122202bf9565ccd5e8c28430b0fd09b1564b2a17b97f7a6c9e6ffe5a0ea76400fbaaf8

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5298af510096b88490b00b468206c966

              SHA1

              afc8d92a832bf530001e9d7bce0a917067b1a753

              SHA256

              d1dae534bb9fc91682d16c2a30657cf3eafa4db82fec8d1477dde2d0e9af5a18

              SHA512

              9653df3b73599ad282259e3990d18b4e56f556d6fbc33697293503cc88738473245f7507b571059460ce57e6267219bc7b95ed1e90c198d0726a13b91427419e

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              cdae8369b356c383f186f15ac80256f1

              SHA1

              b62a39f603d48b59dce44b0c12e2f7dbb80dbbeb

              SHA256

              a49bfe04654a00340432a23b5a19c21ad86dfa3cd358ecfeae6aa541d73b701d

              SHA512

              44cb9c4709720d37f4bb6ddce85697f1c5b21914753e2acb017d977acc0dd93a03c2b3fa6727484cafbbbd873f83087ed41cffa90bfd55db888d3a57f47e52a7

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              866b998de2a440675992d5e0b435d66d

              SHA1

              ce1f8f5a204ae7b3429c743cacb20ed24de54394

              SHA256

              4e8db49692ec5a2e4a40bee16fb03d703794c31730112b2fbd6c82fb6fd1ad44

              SHA512

              54d3ee420baca65db4280a78451eba383210c09c941d096f1ffa9176cd60d68b3d650a855a42cd12699003839f4af1847e73802f2b89be44ab3a0037a1d57f16

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              3a1e48b8d7963bbbb73f442cd864dca3

              SHA1

              7f71e6af810a734d5f6a0c3ba90c171442e7e334

              SHA256

              33f70a94f53d11ebf2ea52debe0eb6afd7b30a095b31e784b0d4a0fb42b708e9

              SHA512

              26599ce4722f735e1b19f8b68d82318978d577245530e23f5445330dbccb395ffff4e6c4020cdeada5b179b94b557a3e093c2dbe5606b1b6956c1f73a91f637e

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              316c42ca95cd0ccbfd60996129f65adc

              SHA1

              e80bc56d3e28fc9081faae6a735d262fb0a8bbb1

              SHA256

              2cc6c0e6fc4690b21a7d1e699a487e22845a85933bab71638df535bb668e2d2f

              SHA512

              7be9772d74adec60087a0d18ef2a7ce837e7755f59077f311c4e52727184057774d279a508fb2407560f7a0b79f5c9a48fab8aff3f629bf2d967218816384242

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5224a8af64b17b8a36247f8bda22bc94

              SHA1

              841edc986867d9813534b217790e76b017c48617

              SHA256

              464cb1185c4ac036587a0583565205a60a9d67c6130ac6bf3e666d197a79aa55

              SHA512

              041d2827788aa8b7f3320b013380d74cc12a444adcf587ef8dfcbb52353548abf1746f34e33f0bfb6117ed488e85d9f8e0bfffbf79011546199ee371e192fdde

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\6e8c7060-e426-424b-b25c-a4e725f1463c.vbs
              Filesize

              757B

              MD5

              6d298aa2913ac955cd15988b2c119eb2

              SHA1

              d5edd287593ae0b4389437036198c2d6104e57ae

              SHA256

              681fbeae6b2ddd8d866df91a54c1c2d4621dab1a978e0ec41c24fe201eca73a8

              SHA512

              110409871aaa060affc4437551d1b0d6717b9a0f0f1d102ad8a86302b9477c5d57c0cd634562bc02f80d0560f403107f316b6be73a94f42ce07aab082bbbdd2e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\OEQgktfaqX.bat
              Filesize

              246B

              MD5

              e87131a32982642cc74112aae8ab6911

              SHA1

              ecf952824549543a6ee4efcc47bcdf75f76c466e

              SHA256

              92090b7868429af1c30662555d5fa4fd090245670a21ef09ea04e005692c0061

              SHA512

              ce487317eb54a4db875475df1a5f1031f1484822db98c6e6da87e702c3f446335d1a2caa969d239d57acb2eb24ff5b3089adb0341a8b97abddf619dc7e184d03

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dhsvdrln.cqb.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\b7e027b7-4bd7-497e-966a-3e5fa8a45255.vbs
              Filesize

              757B

              MD5

              827c4caaae09a4a50bc2c57477399811

              SHA1

              0c3bb3b2b5c61333da9388502ab9c9886428be8b

              SHA256

              e9abc77b1266db3dc0fa18e657daab1e98a3619c0813ef196ba5a3053cb54f8e

              SHA512

              4302c4f91fde3e7f7f720e84e422a9873771b19f0acdbc1f3c169f18b8335bfb9d55554bf63924b3deb77e4e3f387183120cbec794f0923f895e9b6fe142fa43

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\d42a63aa-19b9-42d0-ab24-699db23b7276.vbs
              Filesize

              533B

              MD5

              db9e7becc8c4b80451a241acf7783f19

              SHA1

              b07d29e2f5a08b2d2b881a6fe84643cb21fd1213

              SHA256

              e27653990f7ccaf416eda680aac5af26c95d700b78ccb33eb006593f69ad8e4e

              SHA512

              c055caf9ff30806a5e9fe7dba49308a0aaeb9c0be7949552db233743dafe352f57be918035e33cd8f7140425b3bd497159293dd0d9aa35e08df5944b29a62426

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\fb14a999-f34c-4648-a6c2-54128ceb0321.vbs
              Filesize

              757B

              MD5

              a1c4febd9fdd6fb9ac0c61be69c08853

              SHA1

              4958a213edae9d3c8a679c6e2a72f93ec39cb085

              SHA256

              6b2bedb57406166df8db13b6cd2084ce71ce56bcd156dffd8ff2206013a1eea8

              SHA512

              747746fe9965b4038d7b8377726730670c0f4d9e4796bca9f84851e732a3388b0b3e15a344ca3232bbb6faa4d9fa19ff7decb16c4ee488cea0aee8f6b40ccbfc

              Download Submit

            • C:\Users\Public\AccountPictures\lsass.exe
              Filesize

              5.9MB

              MD5

              b99ec0c84b61f6f6e03d9bfd2e79e49b

              SHA1

              5a475e85dcb7c470d8f98e780f0da51fed86e2de

              SHA256

              d30862baad55c3657a504af34d83e65a8f3d386ef3b826f130359b5a67ee0122

              SHA512

              0ec76a2cbf766a8720070eb8836f47ed0f3724c652fae76b72123bad0827d7a7ba905f53335291858e02f6f6e04b9232d69d35a06fe85d8215f8dc4f0759347a

              Download Submit

            • C:\Users\Public\Music\sihost.exe
              Filesize

              5.9MB

              MD5

              2b7a1c3eb30198771783cb1048287841

              SHA1

              34abbb071443b07308fae29f8733c9eacd63af66

              SHA256

              dacc0f12938d15639d26dbddccaf766a8992946236c17b548843d4a37cec4527

              SHA512

              ed1b6de2a88f028659308bf7145b1e508f6a1cdd5fc76b85eec8bb6fb3343410304cf71f443add14b5d5633266bfc2ddf71f0d41816241f359e373b2ed660121

              Download Submit

            • memory/212-175-0x0000025971860000-0x0000025971882000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3596-16-0x000000001BB50000-0x000000001BB60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3596-18-0x000000001D4A0000-0x000000001D4F6000-memory.dmp

              Filesize

              344KB

              Download

            • memory/3596-24-0x000000001D530000-0x000000001D542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3596-25-0x000000001DA90000-0x000000001DFB8000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/3596-27-0x000000001D570000-0x000000001D57C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3596-26-0x000000001D560000-0x000000001D56C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3596-29-0x000000001D590000-0x000000001D59C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3596-28-0x000000001D580000-0x000000001D588000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3596-30-0x000000001D5A0000-0x000000001D5AC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3596-32-0x000000001D6C0000-0x000000001D6CC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3596-31-0x000000001D6B0000-0x000000001D6B8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3596-33-0x000000001D6D0000-0x000000001D6DA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3596-35-0x000000001D7F0000-0x000000001D7F8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3596-36-0x000000001D800000-0x000000001D80E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3596-38-0x000000001D820000-0x000000001D82C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3596-37-0x000000001D810000-0x000000001D818000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3596-34-0x000000001D7E0000-0x000000001D7EE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3596-39-0x000000001D830000-0x000000001D838000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3596-40-0x000000001D840000-0x000000001D84A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3596-41-0x000000001D850000-0x000000001D85C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3596-21-0x000000001D510000-0x000000001D51C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3596-20-0x000000001D500000-0x000000001D508000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3596-19-0x000000001D4F0000-0x000000001D4FC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3596-22-0x000000001D520000-0x000000001D528000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3596-163-0x00007FFF4D903000-0x00007FFF4D905000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3596-17-0x000000001D490000-0x000000001D49A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3596-0-0x00007FFF4D903000-0x00007FFF4D905000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3596-15-0x000000001BB40000-0x000000001BB48000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3596-185-0x00007FFF4D900000-0x00007FFF4E3C1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3596-14-0x000000001BB70000-0x000000001BB7C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3596-13-0x000000001BB60000-0x000000001BB72000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3596-12-0x000000001BB30000-0x000000001BB38000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3596-11-0x000000001BB10000-0x000000001BB26000-memory.dmp

              Filesize

              88KB

              Download

            • memory/3596-10-0x000000001BB00000-0x000000001BB10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3596-9-0x00000000030A0000-0x00000000030A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3596-8-0x000000001D340000-0x000000001D390000-memory.dmp

              Filesize

              320KB

              Download

            • memory/3596-7-0x000000001BAE0000-0x000000001BAFC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/3596-6-0x0000000003090000-0x0000000003098000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3596-5-0x0000000003080000-0x000000000308E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3596-1-0x00000000005A0000-0x0000000000E98000-memory.dmp

              Filesize

              9.0MB

              Download

            • memory/3596-2-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3596-4-0x0000000003070000-0x000000000307E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3596-3-0x00007FFF4D900000-0x00007FFF4E3C1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4456-340-0x000000001D870000-0x000000001D882000-memory.dmp

              Filesize

              72KB

              Download

            • memory/5356-328-0x000000001BAE0000-0x000000001BB36000-memory.dmp

              Filesize

              344KB

              Download

            • memory/5356-326-0x00000000004B0000-0x0000000000DA8000-memory.dmp

              Filesize

              9.0MB

              Download