Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

90ed1454b8...38.exe

windows7-x64

10

90ed1454b8...38.exe

windows10-2004-x64

10

91570920da...cf.exe

windows7-x64

10

91570920da...cf.exe

windows10-2004-x64

7

915c452bf2...b6.exe

windows7-x64

10

915c452bf2...b6.exe

windows10-2004-x64

10

916cd92d3a...38.exe

windows7-x64

10

916cd92d3a...38.exe

windows10-2004-x64

10

916fbe67a7...e3.exe

windows7-x64

10

916fbe67a7...e3.exe

windows10-2004-x64

10

91cce1a9f4...6a.exe

windows7-x64

10

91cce1a9f4...6a.exe

windows10-2004-x64

10

91d2e3f758...f6.exe

windows7-x64

10

91d2e3f758...f6.exe

windows10-2004-x64

10

91d7fa8d89...52.exe

windows7-x64

10

91d7fa8d89...52.exe

windows10-2004-x64

10

91e6d47bd8...cc.exe

windows7-x64

7

91e6d47bd8...cc.exe

windows10-2004-x64

7

92105c7a3b...24.exe

windows7-x64

7

92105c7a3b...24.exe

windows10-2004-x64

7

921421b7f5...09.exe

windows7-x64

10

921421b7f5...09.exe

windows10-2004-x64

10

9221b9eea3...3c.exe

windows7-x64

1

9221b9eea3...3c.exe

windows10-2004-x64

10

92324d5776...05.exe

windows7-x64

1

92324d5776...05.exe

windows10-2004-x64

1

927cd0bd1a...b8.exe

windows7-x64

3

927cd0bd1a...b8.exe

windows10-2004-x64

3

92efd55895...78.exe

windows7-x64

10

92efd55895...78.exe

windows10-2004-x64

10

932a9096cd...eb.exe

windows7-x64

10

932a9096cd...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91d7fa8d891f603b35c77da7fcc4c552.exe

  • Size

    1.1MB

  • MD5

    91d7fa8d891f603b35c77da7fcc4c552

  • SHA1

    1b241b597c2d0b386e42f25e1e22372265ff06c6

  • SHA256

    2ff54b9f6860a5d362ef776360ed7a7f3c4da0f1dfce7493caa631e50c87722c

  • SHA512

    27cb44233fed4fd6aadd8f1100501ced417614a80a3e74bec5e3ff6d9c73bb7ed85b1885dc129a4f633738e489a85aac980b7238abef0ea10bdcb0df59d0a735

  • SSDEEP

    12288:Z49I/nL8TnKZPVHR3E/bS2vkRNJLXseJQdErvNKj6SKm+eAIhu181d6rsPH:ZngTKZ5RU/xG7zsEyEve6SZ+dIe8usv

Score
10/10
dcratdefense_evasionexecutioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 14 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    defense_evasiontrojan
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    defense_evasiontrojan
  • Drops file in System32 directory 23 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 9 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\91d7fa8d891f603b35c77da7fcc4c552.exe
    "C:\Users\Admin\AppData\Local\Temp\91d7fa8d891f603b35c77da7fcc4c552.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\91d7fa8d891f603b35c77da7fcc4c552.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\xpsservices\lsass.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SettingsHandlers_OneCore_PowerAndSleep\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fsavailux\backgroundTaskHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4588_921617627\Idle.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\PeerDistCleaner\lsass.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:848
    • C:\Users\Admin\AppData\Local\Temp\91d7fa8d891f603b35c77da7fcc4c552.exe
      "C:\Users\Admin\AppData\Local\Temp\91d7fa8d891f603b35c77da7fcc4c552.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5200
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\91d7fa8d891f603b35c77da7fcc4c552.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3276
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\C_860\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:6080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\setuperr\sysmon.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Packages\unsecapp.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\sppsvc.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4704
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\taskhostw.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5972
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5128
      • C:\PerfLogs\taskhostw.exe
        "C:\PerfLogs\taskhostw.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:5716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\xpsservices\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\SettingsHandlers_OneCore_PowerAndSleep\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:6104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\fsavailux\backgroundTaskHost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4588_921617627\Idle.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\PeerDistCleaner\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\C_860\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\setuperr\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\ProgramData\Packages\unsecapp.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\PerfLogs\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\powershell.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe
    Filesize

    1.1MB

    MD5

    391adb2e45884ac29e1940f2fb17bd31

    SHA1

    61bd9de1ce9f1a2c2715885cf688cbaeb09aba27

    SHA256

    8c2818559c8e232dc0b2bc9fb01c5602cd00094976188cc789da1a75ae95b41e

    SHA512

    779ac2e40e5a7b1521cfc19ae84708a314e2fb570260b42324cec732700631e10ef08418d4426375b231e2190b2239623bfd2df143c4fbc6e9219ee6b95f49cf

    Download Submit

  • C:\Program Files\edge_BITS_4588_921617627\Idle.exe
    Filesize

    1.1MB

    MD5

    91d7fa8d891f603b35c77da7fcc4c552

    SHA1

    1b241b597c2d0b386e42f25e1e22372265ff06c6

    SHA256

    2ff54b9f6860a5d362ef776360ed7a7f3c4da0f1dfce7493caa631e50c87722c

    SHA512

    27cb44233fed4fd6aadd8f1100501ced417614a80a3e74bec5e3ff6d9c73bb7ed85b1885dc129a4f633738e489a85aac980b7238abef0ea10bdcb0df59d0a735

    Download Submit

  • C:\Program Files\edge_BITS_4588_921617627\Idle.exe
    Filesize

    1.1MB

    MD5

    512bf63ec057fbf2b109e728efd6abd9

    SHA1

    e742de6352b08429f0894615370c0a9f66689d83

    SHA256

    ecaa0de2c53af0debfabe9ee02651f1ce684f61ccb571d60127b2db743493eef

    SHA512

    1b630a4c24beabc850434519d22c9a3d567f0ddc6aaa59259a3a28773da1972ff45044e14d0519f11fd94658ca4f1922682c2998e7009d607e0f2f8c1e7b1853

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\91d7fa8d891f603b35c77da7fcc4c552.exe.log
    Filesize

    1KB

    MD5

    7f3c0ae41f0d9ae10a8985a2c327b8fb

    SHA1

    d58622bf6b5071beacf3b35bb505bde2000983e3

    SHA256

    519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

    SHA512

    8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    a43e653ffb5ab07940f4bdd9cc8fade4

    SHA1

    af43d04e3427f111b22dc891c5c7ee8a10ac4123

    SHA256

    c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

    SHA512

    62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    0c56ba5098c530bbd1cdb28d50090d39

    SHA1

    ff63178ea722ec2db118c81051bf85544fb6b316

    SHA256

    0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1

    SHA512

    cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    1e3c555747900d8c9652a014303474aa

    SHA1

    1b2057ff00b20996fe74977d7e336be9d4625283

    SHA256

    6a419c7390f12be16e2d1e752539a2a429f41e35ce0381bee1d824571769e2f1

    SHA512

    067ea6a394f54acfc44d64fdf11463a74cb5d6bba3fe253e7625455754c528bd678fd1c679e949e928b7fc11b563c256b0b0e33474f7c58eb0735d7aacd3232d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    93771c301aacc738330a66a7e48b0c1b

    SHA1

    f7d7ac01f1f13620b1642d1638c1d212666abbae

    SHA256

    5512157a9ea31f455e244922910fcdb2b8116288d968b0e5e26c91b266d4de7c

    SHA512

    a51f43e335c8c6da130866115ee6d890f808379548b129e20e563c5ee0234cca186ecde4fd6bc609f0eba6e32b10d080f4f67483461cdd58ef0a60db78324309

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    01fff31a70e26012f37789b179059e32

    SHA1

    555b6f05cce7daf46920df1c01eb5c55dc62c9e6

    SHA256

    adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

    SHA512

    ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    dd1d0b083fedf44b482a028fb70b96e8

    SHA1

    dc9c027937c9f6d52268a1504cbae42a39c8d36a

    SHA256

    cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

    SHA512

    96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    e5663972c1caaba7088048911c758bf3

    SHA1

    3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

    SHA256

    9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

    SHA512

    ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6241752e645f32f10d2c4c813b0c78ea

    SHA1

    0e4c1293a7e64540887313b7d9828a764018d408

    SHA256

    e3a4713b8c982a20293690495261c883dd310996139fd41ace0fec7f3dc73e1f

    SHA512

    ec34c1f9c7faadde864e0f1cca863f24c6af7d46f950160bac9f67f57f9cb2f791abc9fdaac90c2b3264d4a71716f98ad50a2725078b578be779b93726a38312

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bjmzwnp.oct.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\System32\PeerDistCleaner\lsass.exe
    Filesize

    1.1MB

    MD5

    cabe63770220a7593dcfc6488c89e155

    SHA1

    a78888618fe9a52f17f462c060501adc495abca8

    SHA256

    a3e109a6f9abc52e9619901770ab0eeb2dda5b5ac34cfd2e2187be5cd68c229f

    SHA512

    a7a2123d962ef6286582dd8dd8d31f767771790e78aa00e8cd6b94693e797257f46af080db81c269b04472de870517ed5527e1a1cf035f447582a2765561783f

    Download Submit

  • C:\Windows\System32\xpsservices\lsass.exe
    Filesize

    1.1MB

    MD5

    afc11478234c0230396bfe9e310c3b6b

    SHA1

    d65e5f25ee2347edb7985306c60a0437fe11abe3

    SHA256

    cfb72ff6a623948389a568746013925d84bed4cac39c3b4fbbcb4cd00ab8ef14

    SHA512

    6600c2ddcadf2a8cc8116fac8797b3b398b557247b25ffde6f16d99af24e3ce34ba1fd5dde16ff8fec4f072371f68f18d808f60ab110acbfd2991031b4e9363a

    Download Submit

  • memory/1100-108-0x000001F8A13F0000-0x000001F8A1412000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2080-162-0x00007FFC0BE80000-0x00007FFC0C941000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2080-0-0x00007FFC0BE83000-0x00007FFC0BE85000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2080-7-0x00000000028F0000-0x00000000028FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2080-5-0x00000000028D0000-0x00000000028DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2080-6-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2080-4-0x00000000028B0000-0x00000000028BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2080-3-0x00007FFC0BE80000-0x00007FFC0C941000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2080-2-0x00000000028A0000-0x00000000028B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2080-1-0x0000000000740000-0x0000000000856000-memory.dmp

    Filesize

    1.1MB

    Download