Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

192f0f1221...a0.exe

windows7-x64

10

192f0f1221...a0.exe

windows10-2004-x64

10

193e069cb0...e1.exe

windows7-x64

10

193e069cb0...e1.exe

windows10-2004-x64

10

196a171e0e...b9.exe

windows7-x64

10

196a171e0e...b9.exe

windows10-2004-x64

10

197a511efa...32.exe

windows7-x64

8

197a511efa...32.exe

windows10-2004-x64

8

19ec0ef7b7...c4.exe

windows7-x64

10

19ec0ef7b7...c4.exe

windows10-2004-x64

10

1a4ae15ef3...a3.exe

windows7-x64

10

1a4ae15ef3...a3.exe

windows10-2004-x64

10

1a76abc85d...f9.exe

windows7-x64

6

1a76abc85d...f9.exe

windows10-2004-x64

6

1a9cd1714a...bf.exe

windows7-x64

10

1a9cd1714a...bf.exe

windows10-2004-x64

10

1b06c73e9c...af.exe

windows7-x64

10

1b06c73e9c...af.exe

windows10-2004-x64

10

1b0acebe24...06.exe

windows7-x64

10

1b0acebe24...06.exe

windows10-2004-x64

10

1b64ed84e0...ca.exe

windows7-x64

10

1b64ed84e0...ca.exe

windows10-2004-x64

10

1b7c2cbdf7...fc.exe

windows7-x64

10

1b7c2cbdf7...fc.exe

windows10-2004-x64

10

1bb302f6b2...b3.exe

windows7-x64

10

1bb302f6b2...b3.exe

windows10-2004-x64

10

1bbf7d818b...fd.exe

windows7-x64

10

1bbf7d818b...fd.exe

windows10-2004-x64

10

1be2b92cea...ae.exe

windows7-x64

10

1be2b92cea...ae.exe

windows10-2004-x64

10

1c2345047a...a0.exe

windows7-x64

10

1c2345047a...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

  • Size

    5.9MB

  • MD5

    5d8505501b7faa4c7e541b0a32467a58

  • SHA1

    ed0b9de10c38774af49d9279e25a8958817f33a7

  • SHA256

    1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca

  • SHA512

    a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9

  • SSDEEP

    98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw44:xyeU11Rvqmu8TWKnF6N/1wt

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
    "C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/7e20f84d5244aba7145631d4073af8/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d25f591a00514bc9ba8441/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5576
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qBGrhynT9k.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5124
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4152
        • C:\Windows\SchCache\RuntimeBroker.exe
          "C:\Windows\SchCache\RuntimeBroker.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3452
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ba4ddaa-2c4c-440c-91ea-27a1f3bfde1a.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5596
            • C:\Windows\SchCache\RuntimeBroker.exe
              C:\Windows\SchCache\RuntimeBroker.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:5580
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20626e4a-0faf-4ef3-8ddf-a195b3f2a6e8.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:6056
                • C:\Windows\SchCache\RuntimeBroker.exe
                  C:\Windows\SchCache\RuntimeBroker.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:3928
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\016572c6-dcbe-4182-ba74-32fa00f2c5ad.vbs"
                    8⤵
                      PID:644
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71eb074a-ff8c-4127-bcc0-fbc231863966.vbs"
                      8⤵
                        PID:4912
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e7969a5-c762-4775-ad8b-e59e5d56ba70.vbs"
                    6⤵
                      PID:4708
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d2ed16b-a161-447d-b2d2-35a36bb2eea3.vbs"
                  4⤵
                    PID:3816
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\Client\Registry.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4680
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Client\Registry.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4248
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\Client\Registry.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4152
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\services.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3160
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5472
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:956
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3928
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5648
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3808
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3828
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4652
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4728

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\edge_BITS_4596_217729105\SearchApp.exe
              Filesize

              5.9MB

              MD5

              c4f20b3daec8da9201a5db7645dbecbc

              SHA1

              6840df79e3192739090b6e2eb73a02069493d920

              SHA256

              93f7c3241d7f7ddd215eca92edc2c0f75588e1655bf3e82c9a4144cbce37f312

              SHA512

              980aa912418c7182fb5d95e641ed33fcdbbda33b819a300b39478f46cd3e024a342533248a5feb5adbece9dd48f7b0343dd8b49fae6c1484f2486304ad68201e

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
              Filesize

              1KB

              MD5

              229da4b4256a6a948830de7ee5f9b298

              SHA1

              8118b8ddc115689ca9dc2fe8c244350333c5ba8b

              SHA256

              3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

              SHA512

              3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              856d4328f99937476c1d34b5a03daaf8

              SHA1

              367f439b74760c236f1a95cf5d7de28ff3ec4b40

              SHA256

              6159722066119c162ed49973d2852c8c4420d89fcc78e69e2e7317a53f85cca1

              SHA512

              7782c1f714d9c21512b46f0c3caa1c475d304f0fd9b6c4537b3c4ac3b3a5ec9a6ee83d5240867364c34c8ac7a751f90aacce6d952d5ea17af834c65a5ef5d91e

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              672e8b21617ca3b368c6c154913fcfff

              SHA1

              cb3dab8c008b5fba2af958ce2c416c01baa6a98b

              SHA256

              b6ce484f4dcfab37c7fac91278a1d66c8b122865f12511634b8c5eac3fc081ec

              SHA512

              98b45d5545237042c9d4e99e6aa2d514bb643c80cccd1f79ca8e6412a7949fc235f2f6a5fc12a7f772e1af2343ab2e2fb863d161f1d0da3326e636c52513c7ad

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              990f2ad22e4ee8bb16d0e84568ff1c04

              SHA1

              8ee103c2c4969dd252d3f136479e718361e2ace2

              SHA256

              9e058905555242348650ecae8008fd39cf63bac0f3160637aab912fd54fd2578

              SHA512

              ab70a31915f4241c23a020a0e1c8ad5b2468c06911ceb4418b5377619953780f14070a2674858b1a7d999b356448ffdb51db6393e56f20defb291866383f5802

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              354ebb8d437ee057dacfef36baced4e9

              SHA1

              30460dbe64847ebb524d7d1fd5b9bf8a851a7626

              SHA256

              bcf3ba98af6ee96a3eba9bbc6bdb2ae36b883f5f1e9cdad2974cbbcb9c102237

              SHA512

              1f2cb272ad33df6e34949ac4d60ec0702316d9e21992be52cd9c6abd846472e7c868a8e96b5922b016e7952e460671e5768d007e28d84940a1b956eef4705b53

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              ea2f44a25582e20c2e1d21c73bbd4fa1

              SHA1

              d63ef1804bad1a542aeb3cf5111cd86a9111d7a1

              SHA256

              43ec39d124ebadf53f254b9aef5f1d2f73526a681682d0409af5e34beb8737d8

              SHA512

              49ed57cd127b56793cf2bc1dfae0ccb45d3a9eaaf9475ea7ec65b4d6782c0b846b832bedfa19e65c4b54d7a7b19dfd177bfcb3e0fadad8640c4bb6515ee2c835

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              3f0db2be09ea50e93f81f83a58fdc049

              SHA1

              862883227880dde307538079454109d35f39723e

              SHA256

              b747c644e6479e6e921d09626c68d2df0d33d2a707f9432e5fc1b138e6c9387d

              SHA512

              a7f4644e8f4a0dd59f47645ba7afe312c9e714f923019add5cddf6491f3466731abd66c854bdaa497c0f162c1ae08df5c6506e2171ec9d74ae5c9ffcd69f0773

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5f3d606f9a5f1201bfc1f01c54e842c4

              SHA1

              f1917e50b557b135953ecbe63e1fc1e675b541f1

              SHA256

              dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a

              SHA512

              d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              0c56ba5098c530bbd1cdb28d50090d39

              SHA1

              ff63178ea722ec2db118c81051bf85544fb6b316

              SHA256

              0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1

              SHA512

              cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              a39de506d9f3cb0eef9451868bf8f3ff

              SHA1

              183758ff7964ae923989989be46a822e0d4dc37f

              SHA256

              d982bcb0bdbe495e997ead8d128c2f8f0bb66c41fc5e0142d4fb5bf9193e1416

              SHA512

              041df31ed5f2668dcf99143cbffcc7891394f33c6229f2459cba2226f07a8fcf31e072db62c6735fdb4b9fbc103998094a735a285db84a69bb7d983ffb96efaa

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\016572c6-dcbe-4182-ba74-32fa00f2c5ad.vbs
              Filesize

              713B

              MD5

              0c7e8ce20911836f15b1542c555e8dcc

              SHA1

              0bd49cfd05078cceeb0aa301133f33dab95cbba9

              SHA256

              0ca836d9c5ff38e389e3aa620d9b2ee26b4d4e7185b1a6ce8db89ac5d617b074

              SHA512

              99a78e24f46d98c088e9339cb83adf08348c532888ccce3aa76e98f69778a6b90bf43ecaeed0e56ce754d76f173b85e91e8808babd2559cd8f50ddef0d1df4bd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\0ba4ddaa-2c4c-440c-91ea-27a1f3bfde1a.vbs
              Filesize

              713B

              MD5

              9d2cb3a1c306ab483d679cbc4501b77b

              SHA1

              3c164647f53162cd52a36e101e9e0564ed5564d0

              SHA256

              7153cdad4019e129359209facf9def753001fe5feb4b589e95de99cbd700097b

              SHA512

              ea042c73f6e931219ee1731879d7b9d635239848998a232c16c9907130a7d91bb49974cd35b355166f2befb5cd21f12713964bb4a95be1115fbe369b2e27e2bf

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\20626e4a-0faf-4ef3-8ddf-a195b3f2a6e8.vbs
              Filesize

              713B

              MD5

              df51fa1d2b197e92d0c729951cb4eacb

              SHA1

              2bc7bf81c37accb381f81c83bccef9bf49ee719d

              SHA256

              c180f6165ba171d913f166fefed5f69c040e3d20ba96435c4b728daac1d85fa4

              SHA512

              6f26152fdb48083366608bad541ba556ff8f65cce319acb13c9dbd2aa3aa66776f47c436023400a52743c2a7092f276ed1308dab2515f339acb32dcad867bff4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7d2ed16b-a161-447d-b2d2-35a36bb2eea3.vbs
              Filesize

              489B

              MD5

              e066f2f4b6ad5a9d0ea363ecb06f39fb

              SHA1

              11475ba0dc83b982056b11bca29b76a0c0669359

              SHA256

              8fdb7c35e437cd511fbc0ef39569c3ed897ce87d37e8f4e2055debd005f5638c

              SHA512

              0db1a7449c6cf1eb814ed802bb3492a8d56e6cb31b139241d59b5b7972288a748c6698da2ddf3ad925a8bd57ada3fe8889fc58a0cc42d619c8e0f365ccb4db62

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RCX65C0.tmp
              Filesize

              5.9MB

              MD5

              5d8505501b7faa4c7e541b0a32467a58

              SHA1

              ed0b9de10c38774af49d9279e25a8958817f33a7

              SHA256

              1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca

              SHA512

              a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45q3dq30.1kd.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\qBGrhynT9k.bat
              Filesize

              202B

              MD5

              419c283ac4129c67d4061846103ce2b4

              SHA1

              6fe7c117266cd2ade613ea82cf639b209ee1139f

              SHA256

              d5ebc5a4678364498c5803df0eddf506fdee8761edbdc699cffc325d814480f5

              SHA512

              774f71852835b8f67f78f547244aab11422e4732ad50f17e8a5a2db7b219ed6a76dd92f5eebbfa26e47a337e4b4630519d0848328565137c5220f01025df7ba2

              Download Submit

            • C:\Windows\SchCache\RuntimeBroker.exe
              Filesize

              5.9MB

              MD5

              22a708087242dc27cf3b2287dcef9c54

              SHA1

              edfd010cb5168ed11f6e527011862f0341f41257

              SHA256

              b14a69a55e6297ed6f45ff0142f11882c237dd1ec5f6d754ba81afeb79f82a5d

              SHA512

              e7c46dcc261bb1bee2c4c7460a31f88191c44fd69d276ac4b68c91192fe4c541db42443fb25c1616ff00d254a52e7eaea2c74813a34135eeb2f0356f63e999ef

              Download Submit

            • memory/884-125-0x000001D07E230000-0x000001D07E252000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3452-255-0x0000000000DF0000-0x00000000016E8000-memory.dmp

              Filesize

              9.0MB

              Download

            • memory/3452-257-0x000000001D370000-0x000000001D382000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3928-283-0x000000001DB00000-0x000000001DB12000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4440-16-0x00000000030A0000-0x00000000030B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4440-20-0x000000001B9A0000-0x000000001B9A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4440-41-0x000000001D600000-0x000000001D60C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4440-40-0x000000001D700000-0x000000001D70A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4440-39-0x000000001D5F0000-0x000000001D5F8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4440-38-0x000000001D5D0000-0x000000001D5DC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4440-37-0x000000001D5C0000-0x000000001D5C8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4440-36-0x000000001D5B0000-0x000000001D5BE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4440-35-0x000000001D5A0000-0x000000001D5A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4440-34-0x000000001D590000-0x000000001D59E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4440-32-0x000000001D570000-0x000000001D57C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4440-31-0x000000001D5E0000-0x000000001D5E8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4440-30-0x000000001D360000-0x000000001D36C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4440-29-0x000000001D350000-0x000000001D35C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4440-28-0x000000001D340000-0x000000001D348000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4440-27-0x000000001D330000-0x000000001D33C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4440-26-0x000000001D320000-0x000000001D32C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4440-25-0x000000001D850000-0x000000001DD78000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/4440-24-0x000000001D2F0000-0x000000001D302000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4440-22-0x000000001BB20000-0x000000001BB28000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4440-21-0x000000001BB10000-0x000000001BB1C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4440-33-0x000000001D580000-0x000000001D58A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4440-144-0x00007FFB5C990000-0x00007FFB5D451000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4440-19-0x000000001B990000-0x000000001B99C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4440-18-0x000000001BAC0000-0x000000001BB16000-memory.dmp

              Filesize

              344KB

              Download

            • memory/4440-17-0x000000001B980000-0x000000001B98A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4440-0-0x00007FFB5C993000-0x00007FFB5C995000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4440-15-0x0000000003080000-0x0000000003088000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4440-14-0x0000000003090000-0x000000000309C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4440-11-0x0000000002FF0000-0x0000000003006000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4440-12-0x0000000003010000-0x0000000003018000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4440-13-0x0000000003020000-0x0000000003032000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4440-9-0x0000000002EB0000-0x0000000002EB8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4440-10-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4440-8-0x0000000003030000-0x0000000003080000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4440-7-0x0000000002E90000-0x0000000002EAC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4440-6-0x0000000001440000-0x0000000001448000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4440-5-0x0000000001430000-0x000000000143E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4440-4-0x0000000001420000-0x000000000142E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4440-3-0x00007FFB5C990000-0x00007FFB5D451000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4440-2-0x00000000013E0000-0x00000000013E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4440-1-0x0000000000360000-0x0000000000C58000-memory.dmp

              Filesize

              9.0MB

              Download