Analysis
-
max time kernel
136s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
01-07-2024 01:08
General
-
Target
54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
-
Size
1.3MB
-
MD5
48c2137034bee9bdfc2c9df1e71e9e04
-
SHA1
573e8453bc08e2b4e8e65b8560d81b150a9acdd8
-
SHA256
54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88
-
SHA512
5c854bfa2b963039db83cf764ea0ddb513c612896c325acdd944bbb115858153cac15addbf18da208cf8753b60f774e7a61e0540fd82445f29f9d47a31c2b247
-
SSDEEP
24576:q0bcg1vqd25Gl35KcbOwGqq+AZbPxtDSk5/FX5vDlIXNQdS:qGy/3dSnEYFJvxS
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 12 IoCs
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 4 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
-
System policy modification 1 TTPs 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe"C:\Users\Admin\AppData\Local\Temp\54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\sppsvc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\sysmon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\SearchApp.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\klY9Ix3jqJ.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caeb6e3b-6eb5-4fc8-8f3e-69bd8d13209e.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\074c5ddd-42a3-49df-87ff-91bd104e9488.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd66b1f-faa3-4682-93da-c32b2419f493.vbs"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\164b5621-6ecc-4cad-8a30-1e25d148bc77.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee98694d-0185-434b-973b-0ad3edd5d47d.vbs"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b5c0f29-3bf9-4bb5-b037-31e86775a442.vbs"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Public\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\PLA\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exeFilesize
1.3MB
MD548c2137034bee9bdfc2c9df1e71e9e04
SHA1573e8453bc08e2b4e8e65b8560d81b150a9acdd8
SHA25654559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88
SHA5125c854bfa2b963039db83cf764ea0ddb513c612896c325acdd944bbb115858153cac15addbf18da208cf8753b60f774e7a61e0540fd82445f29f9d47a31c2b247
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.logFilesize
1KB
MD53690a1c3b695227a38625dcf27bd6dac
SHA1c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA2562ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA51215ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
C:\Users\Admin\AppData\Local\Temp\074c5ddd-42a3-49df-87ff-91bd104e9488.vbsFilesize
739B
MD5bd8e0af0a2a9555efbdab86794e21a2b
SHA183c8576d9df1cbc87a3c50f86d9bf5b3eaceb900
SHA2566090434c974147567a4b2f54d4d10daa5d3fe8b9f3b8a6ba703aa9862ea57355
SHA512c127500c11b95489ff5a67183cdc805ae98bbe04e1940628016a124dcd8200a39a61bafd829d95cacd1bc9995142a8fb27b8727e0182dcfe65ac5f77c0529243
-
C:\Users\Admin\AppData\Local\Temp\164b5621-6ecc-4cad-8a30-1e25d148bc77.vbsFilesize
739B
MD5dac075bda1c5a46d3e95f32a43659bfc
SHA112f59900655b1dc593925fad83328699a4222d1e
SHA2563f636161d4ed74db0d1edd8babd9573786538eee2cbf3b2f40dc35948772962c
SHA512d8f6730e6c599b5e5fce7944258836e650cd318aac742786c95feb95a3a7992af0ef61a6d264b676c89e5f84419c35837be5322b9dc20bf165cedaee3767a60b
-
C:\Users\Admin\AppData\Local\Temp\8b5c0f29-3bf9-4bb5-b037-31e86775a442.vbsFilesize
515B
MD52e3b865fb6fc14e260b0a131553c05c3
SHA1523bd0ad5ff4bd277c49e452b75d09c6e751a9ae
SHA2566431edbfae1c68a64b2b4270f0549eaaac8cac8855e684ef3392dcf9c27b4403
SHA512fd71fd0adfa881eec94c3aabcd7de17c73533190a1500aac9ec848227bcdc8127707b3fe73df6636fe716df7409c295b67845c483986a71f5ffe91d470db2e35
-
C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.batFilesize
228B
MD5c1a58d09f8c43317972e47aae7409236
SHA1edde5944ed2d7bce59846fa446b7238028cf4bbd
SHA25649b540a2449071c660d7206893cb2065c75f9bc8d6af3a23925cf8e2a1e6d1ad
SHA512ba86ce429d372ba8adae6cf6f69d853a5511362736925d3edfe5956fd5c1f1959a72a2a0ce9b2eaa09ad74eb147bdfa489a7637bb5707597dd7dc7c1fa82e024
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kuhqypnk.jge.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\caeb6e3b-6eb5-4fc8-8f3e-69bd8d13209e.vbsFilesize
739B
MD515953f6b23cc984a9a1ca67e528e5661
SHA1ea113c560a2e0fc56683de04981efbae5cc2ea15
SHA2569631662c3270ef083345cf031a6d6772000d544f7959dad668b24fe6029b5b5e
SHA512593d9bdf0fbcd515c74113d2833f5df57182ac211feb63fed3dc0071a4b2972f59344dc0c32927b0cde72986ef16393bc90ea9b20d404356893ffbb7a01a157c
-
C:\Users\Admin\AppData\Local\Temp\klY9Ix3jqJ.batFilesize
228B
MD565c6fc8267213c1cc49afe0da36359f0
SHA1f32d0f87be2e9b73796d40d810103cb9abba0d38
SHA2564cd287fd5de84ce7b94432b18d39654682becacab37e4e771a4d7b9d9e28de43
SHA512116ff6979ec5780fbc2340ad11e834979fb6897a60359c6df08aee03dbc51a4a336282ae699dec0aba9b10bccd23f25593fea65f24006436fcfce5282d66ab8f
-
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.batFilesize
228B
MD5faf9d96c99b2777ceec97483b014d336
SHA16db0062a1bb56eff15458f81b452d9b3eb1949ed
SHA256e474ae2c1651e7a671006d7146f033190fa19f0651ebff36e4208190ee9b5483
SHA512a7e63d7d70032e1efb294ea7ac35623613b25818ece4e47fbef6debe3767d05ffa210215e12e52bcb319e0c8300607f0c8e1646632fd4b0fd7e7cc6369366912
-
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.batFilesize
228B
MD580e455d44235c1870dc86b52811c4372
SHA1520a6c7ed5b251c32fe00d1a8baea74095f02832
SHA2563af663032f2e8b6134b60e1ed14211f539adab430dc9e25fdd15f4108d76d20e
SHA51274f8728755e7d0b66d9f59928a6f6524dcbb88e65b4cf49296deb20b0eb4918ab2c9094665fd8015e813b2c2831ad6155a5b48cf01a5ff2bfea90882f5daad49
-
memory/900-138-0x000001D4A73E0000-0x000001D4A752E000-memory.dmpFilesize
1.3MB
-
memory/1448-131-0x000002B5C68B0000-0x000002B5C69FE000-memory.dmpFilesize
1.3MB
-
memory/1584-137-0x000001BB76560000-0x000001BB766AE000-memory.dmpFilesize
1.3MB
-
memory/1744-141-0x0000019D685E0000-0x0000019D6872E000-memory.dmpFilesize
1.3MB
-
memory/1896-156-0x00000219B3BB0000-0x00000219B3CFE000-memory.dmpFilesize
1.3MB
-
memory/2328-144-0x0000018F9FF20000-0x0000018FA006E000-memory.dmpFilesize
1.3MB
-
memory/2456-159-0x0000029AF73A0000-0x0000029AF74EE000-memory.dmpFilesize
1.3MB
-
memory/2920-5-0x0000000002B50000-0x0000000002B58000-memory.dmpFilesize
32KB
-
memory/2920-6-0x000000001B640000-0x000000001B64A000-memory.dmpFilesize
40KB
-
memory/2920-9-0x000000001B670000-0x000000001B67E000-memory.dmpFilesize
56KB
-
memory/2920-11-0x000000001B6E0000-0x000000001B6EA000-memory.dmpFilesize
40KB
-
memory/2920-2-0x00007FFBE39D0000-0x00007FFBE4491000-memory.dmpFilesize
10.8MB
-
memory/2920-3-0x0000000002B30000-0x0000000002B4C000-memory.dmpFilesize
112KB
-
memory/2920-8-0x000000001B660000-0x000000001B66A000-memory.dmpFilesize
40KB
-
memory/2920-0-0x00007FFBE39D3000-0x00007FFBE39D5000-memory.dmpFilesize
8KB
-
memory/2920-12-0x000000001B6F0000-0x000000001B6FC000-memory.dmpFilesize
48KB
-
memory/2920-1-0x00000000008B0000-0x0000000000A06000-memory.dmpFilesize
1.3MB
-
memory/2920-7-0x000000001B650000-0x000000001B65C000-memory.dmpFilesize
48KB
-
memory/2920-10-0x000000001B680000-0x000000001B68E000-memory.dmpFilesize
56KB
-
memory/2920-4-0x000000001B690000-0x000000001B6E0000-memory.dmpFilesize
320KB
-
memory/2920-36-0x00007FFBE39D0000-0x00007FFBE4491000-memory.dmpFilesize
10.8MB
-
memory/3008-42-0x000002C73BAF0000-0x000002C73BB12000-memory.dmpFilesize
136KB
-
memory/3008-153-0x000002C73BD60000-0x000002C73BEAE000-memory.dmpFilesize
1.3MB
-
memory/3844-147-0x00000256FEEC0000-0x00000256FF00E000-memory.dmpFilesize
1.3MB
-
memory/4196-195-0x000000001E330000-0x000000001E49A000-memory.dmpFilesize
1.4MB
-
memory/4596-150-0x000001936AA40000-0x000001936AB8E000-memory.dmpFilesize
1.3MB