Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

f5ae5532f1...b5.exe

windows7-x64

10

f5ae5532f1...b5.exe

windows10-2004-x64

10

f5cb51ffdb...c0.exe

windows7-x64

10

f5cb51ffdb...c0.exe

windows10-2004-x64

10

f5ed127464...bc.exe

windows7-x64

10

f5ed127464...bc.exe

windows10-2004-x64

10

f62837f3bc...7a.exe

windows7-x64

10

f62837f3bc...7a.exe

windows10-2004-x64

10

f628fa20e8...3b.exe

windows7-x64

10

f628fa20e8...3b.exe

windows10-2004-x64

10

f640f01e80...c5.exe

windows7-x64

7

f640f01e80...c5.exe

windows10-2004-x64

7

f66fa3036e...07.exe

windows7-x64

7

f66fa3036e...07.exe

windows10-2004-x64

7

f68f044685...50.exe

windows7-x64

8

f68f044685...50.exe

windows10-2004-x64

10

f6ac1ea5c1...25.exe

windows7-x64

8

f6ac1ea5c1...25.exe

windows10-2004-x64

8

f6b7978847...1a.exe

windows7-x64

7

f6b7978847...1a.exe

windows10-2004-x64

7

f6e2978004...35.exe

windows7-x64

7

f6e2978004...35.exe

windows10-2004-x64

10

f721adec82...71.exe

windows7-x64

10

f721adec82...71.exe

windows10-2004-x64

10

f736c152b3...c8.exe

windows7-x64

10

f736c152b3...c8.exe

windows10-2004-x64

10

f780377dd9...c9.exe

windows7-x64

7

f780377dd9...c9.exe

windows10-2004-x64

7

f7a96bf083...c8.exe

windows7-x64

1

f7a96bf083...c8.exe

windows10-2004-x64

1

f812ad48d0...9b.exe

windows7-x64

10

f812ad48d0...9b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f736c152b3d1812f1142ed0da99e0ac8.exe

  • Size

    5.9MB

  • MD5

    f736c152b3d1812f1142ed0da99e0ac8

  • SHA1

    5df819dd9a3c73b64b33950ecfac1c690fa0f03d

  • SHA256

    78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246

  • SHA512

    a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041

  • SSDEEP

    98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4X:hyeU11Rvqmu8TWKnF6N/1wC

Score
10/10
dcratdefense_evasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 26 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe
    "C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/60739cf6f660743813/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/900323d723f1dd1206/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5672
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QlUAi7r3gG.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1252
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3560
        • C:\60739cf6f660743813\RuntimeBroker.exe
          "C:\60739cf6f660743813\RuntimeBroker.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2068
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51788177-7b06-4263-be00-cb1714319a60.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1464
            • C:\60739cf6f660743813\RuntimeBroker.exe
              C:\60739cf6f660743813\RuntimeBroker.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:5824
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb2ead8f-9817-4be7-9a92-4d73cf819c69.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4796
                • C:\60739cf6f660743813\RuntimeBroker.exe
                  C:\60739cf6f660743813\RuntimeBroker.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:5876
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3950d6d-a1ac-4877-9677-be4d5e7b39e1.vbs"
                    8⤵
                      PID:4080
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a445fbf-fc5a-4667-bcc4-85205342bcf9.vbs"
                      8⤵
                        PID:4752
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a81598e-e58d-4122-a170-3e174a465ea4.vbs"
                    6⤵
                      PID:4448
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78b1e79a-c363-458c-9120-91ee233342d1.vbs"
                  4⤵
                    PID:2584
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1104
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1536
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5536
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4292
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4224
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1384
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\fontdrvhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1976
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4476
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\900323d723f1dd1206\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4676
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\upfc.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4720
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\upfc.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4724
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\upfc.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4612
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Videos\Registry.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4796
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Videos\Registry.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4668
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Videos\Registry.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3068
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3316
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4820
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4864
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5628
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5824
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5768
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3484
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3632
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1436
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2428
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5924
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2296

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\60739cf6f660743813\RuntimeBroker.exe
              Filesize

              5.9MB

              MD5

              2e26597ec11568698f4a46375340b02f

              SHA1

              ebe58cbd3c81b1d9b523599404c9aa12e91a4ae2

              SHA256

              15c7bb9d1f8f02570a1cd53b808371479ce149268e2315c6ae56ee7f28ca79f3

              SHA512

              5513c6b369afe623e838a98e438243b3e4ab85b7040961ad91c503dc83496deed1ef6a26d03a0092891c146da24b24d29e85c162fadb52495bc379aed5a24de3

              Download Submit

            • C:\900323d723f1dd1206\RuntimeBroker.exe
              Filesize

              5.9MB

              MD5

              37648b94421f3935c73dd5203c72a122

              SHA1

              2668ed7f4b1571994b9abf051aaa77132ecebb75

              SHA256

              7ebbfb69a6e00479d08b4fd3755149f36fcbf5bee11268295cc80843a0db5a3f

              SHA512

              808a37c9db386a278702d3017252b5683d466fba44e1a08a76189e002b496171cb9d57a92d4418a13b9c5d9497cf1b0193d8b87e9d5a385943ca90c4050957a0

              Download Submit

            • C:\900323d723f1dd1206\fontdrvhost.exe
              Filesize

              5.9MB

              MD5

              8b082715d2152f4959de5435a766f41c

              SHA1

              18c0ff228654a3c34eca0a686c8f2557ea7851ff

              SHA256

              a17811c9d36fd87b536c2867f2e1d34f33f2476c6ff76ffdfa23a1410ae4c0d6

              SHA512

              95825afba01c530a644bc88ef138b09a99fc6ef76e0c5ef2d059dacf7d4fe2cb171ccd2755251ccd595a48d6694ba50ec3493b0befc90cf01985bc1d0a97beab

              Download Submit

            • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\upfc.exe
              Filesize

              5.9MB

              MD5

              0e7b4726fe7e3a24d671063dd5b204cf

              SHA1

              64015b7476ccd99498cceef9c3e1d5a5b253e10c

              SHA256

              c31e61ef7c9e549758eb59d2628cb024876b48584dbd936e4af36c894828b3c8

              SHA512

              0777c30874003206b39f88d3647c6e885c78a1f7b4247d8abd2d8981fadc2b49d29c74a105aa1e851a0d63dd21acfb4d93c34d1826a76509a7c1d8b7ab4a6a71

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
              Filesize

              1KB

              MD5

              229da4b4256a6a948830de7ee5f9b298

              SHA1

              8118b8ddc115689ca9dc2fe8c244350333c5ba8b

              SHA256

              3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

              SHA512

              3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              c79cf713064165d9921621736789b679

              SHA1

              4d8b3c69ddab8dd528496de06ce7e6e6c2758389

              SHA256

              6de25d006efb9912c4460725c3ff494adc8585749971235d743dae6cb568068e

              SHA512

              22dbec206c054253a245c7eac9cbfa4d62b49a11b02adea88b6dc8e1ee4243d46e8f61efa5374d43260ff686dbd3c769b7e14bbc6d5fb2f8999f258a904a04a5

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5e4343881dc5fcb6305d29ef34a5ce28

              SHA1

              823b588ad6905d682cc3b7ac7bf7184d71da3d45

              SHA256

              27e82cc6e13b0db3a8b74798dffe21837cd4ef1f519519227bbd41ef05f428ac

              SHA512

              7a8c265e8dc6b4ad85132c4182270322023b4d59c97b466b5cce24402426c32fe14500343938c069cb17f985c73ef00f06187669d5b0c2050839a4cf6eb91762

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              47dc8ed1f00b2cf40d90efa529ee35cc

              SHA1

              851d6a181ebb44256367c73042ed4f774bce9bdd

              SHA256

              2a1fa5eb6fa8a3b821776f5db5d69d414ca120a4612e613ec6ad34d216b2223e

              SHA512

              3dc49732881a4c8d2edfd4619ea4d206cca74fabba7d00f2021a7e07dba47c436a10f2d591ca43930c674ffe6b5f528a9e10e543dd87edf97d3f2f078c23c928

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              16e669660431a76b6985bae6a3e0ca0f

              SHA1

              55aead2478e085cc4fa52035dc6d3e9ceb856485

              SHA256

              df0d9b2a6f0538cdf02e7f2a69db35dbf92a48fb81fcf58c12f1f0ad2ea13fe2

              SHA512

              ba3a159eca907f8cd6bce2a66b334250e1c6a3b60f14e2cd1ab8dbd0baf33b7b385d834ed1aa3ccb013711cbaf7607d51e7107f1f1783f46595a99a15d5a7d2a

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              672e8b21617ca3b368c6c154913fcfff

              SHA1

              cb3dab8c008b5fba2af958ce2c416c01baa6a98b

              SHA256

              b6ce484f4dcfab37c7fac91278a1d66c8b122865f12511634b8c5eac3fc081ec

              SHA512

              98b45d5545237042c9d4e99e6aa2d514bb643c80cccd1f79ca8e6412a7949fc235f2f6a5fc12a7f772e1af2343ab2e2fb863d161f1d0da3326e636c52513c7ad

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              385f2ec5a61f1814b5b9ab67c2f07a0e

              SHA1

              1426461338ffaf19c90943434470b10ab38347be

              SHA256

              832f227c50733f10c0461f4494219ceb045a9fc45b2a88b07e795a9226b4e6c7

              SHA512

              a9858fa3d7eaca31fba2ed05c7c3a0f3db5bfde5ae20d91bb2f942f2ed39339e7939385441d1377f292c4e72761f98e61e0842fd87f852b99408a391215bd9f2

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              ceb796de20c8360e1e53623d78696e8a

              SHA1

              52e20d1bb718b5e04290816c3c740d8f89265bcb

              SHA256

              cdf217f7e76215d14186a36614f8d2bd6f911869af5c12d98827ec42734ce321

              SHA512

              2d9f010240f49f4ea4537ece426edeccf8f6b1f2013bfb5e5e8412bc54993043e101f205ed5ca93f26d77de3cce1ab7620b7f97792df06d6c803695f9baaf869

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\51788177-7b06-4263-be00-cb1714319a60.vbs
              Filesize

              715B

              MD5

              b30194670cdbc5865d423091bca426ac

              SHA1

              a39a6e6874278f6fcd0fb1715be48c638f5e13ea

              SHA256

              87e83c786c9d1974b1409ad991c7f73809b629ab8f77e1316815aae133389bd5

              SHA512

              d7835bef4495afffc7efd34f671c9ca80b8ffe1d08f2bfd1975a3bd1ba3bb977fca5392bdb2ed7fd0e82fddafdb42d6bd91a3c5365a342f459275a6b7659b48e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\78b1e79a-c363-458c-9120-91ee233342d1.vbs
              Filesize

              491B

              MD5

              e9446b19382e2e547161dd19d1dc1686

              SHA1

              e73ab1409fb588172aa6395d702ac36c6f9a8b2b

              SHA256

              8507e4b8dd759dfc77c9fd56c2130ff71515fcc08e9599b5e7830c9efe687393

              SHA512

              fb5048baed9ddb2ec3dc934e5e9037d7efd7feb2a3422b84791b94145493a1b8aefae8e9d7658198288bfdcb3472ec7350d0521d9afd6d4104f49a37388299e2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\QlUAi7r3gG.bat
              Filesize

              204B

              MD5

              cfae8f061dfc44b86cf72a3daff401ef

              SHA1

              df713409e2ef77d08dcf4054037b4827a3d511ae

              SHA256

              03caa020213cec9f6375affd1f869b4e1c36e6994912a4018e09ecf3f448e45a

              SHA512

              680fb66e5e02c161207531d4d02e679ff713177b051a0dc90c6816e7ef773a84109607485ad90a248f8d7ba92c9414b11614b269d5b030f1949dd9aa6bb916ec

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfnunvlb.tav.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\bb2ead8f-9817-4be7-9a92-4d73cf819c69.vbs
              Filesize

              715B

              MD5

              53f9c05e5e8e9201b61bf59d0f3d6b14

              SHA1

              9f30035cf1e133c07324d98fdadd63d167d86d5b

              SHA256

              f7ee459cf559cb5943702adf18a9b147adc56e28b3c6519f1459aaaccdc28db6

              SHA512

              e3d651a3e18ab768593febef70e9d7aae31c8759abd76051a3e33c490016c36c7753f997f0697f086463115e14670f713f7e630452d04c2f7a3d306060a2c979

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\e3950d6d-a1ac-4877-9677-be4d5e7b39e1.vbs
              Filesize

              715B

              MD5

              a25e5f7d4256ef644cdc9a171a1cfd60

              SHA1

              07cc6066e6c38be1094a87fd18250d0d8cc7087c

              SHA256

              5fae7748a56148b4c1c0526ed04f8068713a72b064c8b51b0fc8469178518a5f

              SHA512

              c1f75e6afbbe7c800c9d9bd1a439b99deceb76e65650700df456e7475d541f97f8106121c87c5a7e40b537902b1607467e20d1b4c9a96251f5071b2928956d97

              Download Submit

            • C:\Users\Default\Desktop\taskhostw.exe
              Filesize

              5.9MB

              MD5

              83305e07d5040647090cc0bac345f718

              SHA1

              b658bb34a73f7a945d37caa70be514ebb1858b89

              SHA256

              4271cbfe40dbbebb946a37f56c455b985ad90bdc450a72a9aef1a29e73a5a0f3

              SHA512

              38435918c8028670eef5cdbcf812b34524e3c3bdf325fb3669eb40da2bd29d79f4c477cd8070bfb33e3cdb672efb8c2bf1fb5ce7588f9b3b32f5d23e6e5a5065

              Download Submit

            • C:\Users\Default\Videos\Registry.exe
              Filesize

              5.9MB

              MD5

              f736c152b3d1812f1142ed0da99e0ac8

              SHA1

              5df819dd9a3c73b64b33950ecfac1c690fa0f03d

              SHA256

              78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246

              SHA512

              a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041

              Download Submit

            • memory/2068-313-0x0000000000FA0000-0x0000000001898000-memory.dmp

              Filesize

              9.0MB

              Download

            • memory/2068-316-0x000000001CFA0000-0x000000001CFF6000-memory.dmp

              Filesize

              344KB

              Download

            • memory/2068-315-0x000000001CF60000-0x000000001CF72000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3528-0-0x00007FFA2E943000-0x00007FFA2E945000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3528-10-0x00000000017E0000-0x00000000017F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3528-31-0x000000001BDD0000-0x000000001BDD8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3528-29-0x000000001BD50000-0x000000001BD5C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3528-28-0x000000001BD40000-0x000000001BD48000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3528-27-0x000000001BD30000-0x000000001BD3C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3528-25-0x000000001DAE0000-0x000000001E008000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/3528-22-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3528-21-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3528-20-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3528-37-0x000000001BDC0000-0x000000001BDC8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3528-19-0x000000001BBA0000-0x000000001BBAC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3528-14-0x0000000001820000-0x000000000182C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3528-1-0x0000000000520000-0x0000000000E18000-memory.dmp

              Filesize

              9.0MB

              Download

            • memory/3528-11-0x00000000017F0000-0x0000000001806000-memory.dmp

              Filesize

              88KB

              Download

            • memory/3528-39-0x000000001D7B0000-0x000000001D7B8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3528-9-0x00000000017D0000-0x00000000017D8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3528-8-0x00000000030F0000-0x0000000003140000-memory.dmp

              Filesize

              320KB

              Download

            • memory/3528-7-0x00000000017B0000-0x00000000017CC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/3528-6-0x00000000017A0000-0x00000000017A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3528-4-0x0000000001780000-0x000000000178E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3528-36-0x000000001BDB0000-0x000000001BDBE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3528-32-0x000000001BD70000-0x000000001BD7C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3528-38-0x000000001BDE0000-0x000000001BDEC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3528-13-0x0000000001830000-0x0000000001842000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3528-173-0x00007FFA2E940000-0x00007FFA2F401000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3528-41-0x000000001D7C0000-0x000000001D7CC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3528-40-0x000000001D8C0000-0x000000001D8CA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3528-30-0x000000001BD60000-0x000000001BD6C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3528-26-0x000000001BC10000-0x000000001BC1C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3528-24-0x000000001BBE0000-0x000000001BBF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3528-17-0x0000000003160000-0x000000000316A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3528-18-0x0000000003170000-0x00000000031C6000-memory.dmp

              Filesize

              344KB

              Download

            • memory/3528-15-0x0000000003140000-0x0000000003148000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3528-16-0x0000000003150000-0x0000000003160000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3528-33-0x000000001BD80000-0x000000001BD8A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3528-34-0x000000001BD90000-0x000000001BD9E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3528-35-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3528-12-0x0000000001810000-0x0000000001818000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3528-5-0x0000000001790000-0x000000000179E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/3528-3-0x00007FFA2E940000-0x00007FFA2F401000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3528-2-0x0000000001490000-0x0000000001491000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5236-163-0x000001C9D5B30000-0x000001C9D5B52000-memory.dmp

              Filesize

              136KB

              Download

            • memory/5824-330-0x000000001D760000-0x000000001D772000-memory.dmp

              Filesize

              72KB

              Download

            • memory/5876-343-0x000000001D160000-0x000000001D172000-memory.dmp

              Filesize

              72KB

              Download