Analysis

  • max time kernel
    159s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/11/2023, 02:57

General

  • Target

    NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe

  • Size

    1.4MB

  • MD5

    5e2ccb97d6bf2f8bedd6d473079c33b0

  • SHA1

    699314bf74a661917771308e7cd6d6b618af2827

  • SHA256

    6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

  • SHA512

    0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5e2ccb97d6bf2f8bedd6d473079c33b0.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3844
    • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5504
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db891c56-9be3-4948-8d71-ef50d2690d66.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5672
        • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe
          "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5360
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\749528d9-d491-47f5-aee3-c6ad106a9dbe.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5376
            • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe
              "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe"
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2700
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb357d0b-eebf-485b-97b5-712a2ed5cbba.vbs"
                7⤵
                  PID:2924
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95d425b5-178e-4d9b-8bfe-4349d79ee7f3.vbs"
                  7⤵
                    PID:3964
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b419a1a-9570-4208-b185-6f2eab245d33.vbs"
                5⤵
                  PID:5308
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\229c264e-eaa2-4747-8101-d27050df70c4.vbs"
              3⤵
                PID:5600
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4492
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4860
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:544
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3112
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2324
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:868
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1508
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4548
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4184
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3336
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1192
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:952
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4892
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2404
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3992
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3504
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5008
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:884
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4616
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:404
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4348
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\odt\sysmon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1556
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4576
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\upfc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3868
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\upfc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4656
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\upfc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3528
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1348

Network

MITRE ATT&CK Enterprise v15


Downloads

                • C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe

                  Filesize

                  1.4MB

                  MD5

                  1ecfae0fc756d98d3d8892e610af1e21

                  SHA1

                  4a6a2ff7d044f4ae1dac43c4b116cc6adb8bebbc

                  SHA256

                  532d50a9c11b17415c6d1ff2fadec8513962fa60811815179425319ef510f7ee

                  SHA512

                  c3b12bb1c537e931e822a60319568abc740193b8ea4861451c2636c5ccc727e0e484ba89e56f1cef4689d8c578300e097142e676eb3a39979de54bab03cc4439

                • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe

                  Filesize

                  1.4MB

                  MD5

                  5e2ccb97d6bf2f8bedd6d473079c33b0

                  SHA1

                  699314bf74a661917771308e7cd6d6b618af2827

                  SHA256

                  6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

                  SHA512

                  0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

                • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe

                  Filesize

                  1.4MB

                  MD5

                  5e2ccb97d6bf2f8bedd6d473079c33b0

                  SHA1

                  699314bf74a661917771308e7cd6d6b618af2827

                  SHA256

                  6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

                  SHA512

                  0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

                • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe

                  Filesize

                  1.4MB

                  MD5

                  5e2ccb97d6bf2f8bedd6d473079c33b0

                  SHA1

                  699314bf74a661917771308e7cd6d6b618af2827

                  SHA256

                  6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

                  SHA512

                  0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

                • C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\StartMenuExperienceHost.exe

                  Filesize

                  1.4MB

                  MD5

                  5e2ccb97d6bf2f8bedd6d473079c33b0

                  SHA1

                  699314bf74a661917771308e7cd6d6b618af2827

                  SHA256

                  6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3

                  SHA512

                  0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

                • C:\ProgramData\upfc.exe

                  Filesize

                  1.4MB

                  MD5

                  aaf836b48a20837229d669d91b1e6c37

                  SHA1

                  9aa0ba258afc28939a271e6a809bfc95645287a3

                  SHA256

                  66afac73bf70cb149180ebc2b44269998eded52254c01f707e41c4b39181ea38

                  SHA512

                  407b6b5de69618c1c4b1abaecb7f77bdc360fa60323c7ccdd5724cd30bd584df3e0fe61779335bc55f561e527957e5a380693e6045d4c4c200c1f72d23a482f2

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

                  Filesize

                  1KB

                  MD5

                  9b0256da3bf9a5303141361b3da59823

                  SHA1

                  d73f34951777136c444eb2c98394f62912ebcdac

                  SHA256

                  96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e

                  SHA512

                  9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                  Filesize

                  2KB

                  MD5

                  d85ba6ff808d9e5444a4b369f5bc2730

                  SHA1

                  31aa9d96590fff6981b315e0b391b575e4c0804a

                  SHA256

                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                  SHA512

                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  17fbfbe3f04595e251287a6bfcdc35de

                  SHA1

                  b576aabfd5e6d5799d487011506ed1ae70688987

                  SHA256

                  2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

                  SHA512

                  449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  17fbfbe3f04595e251287a6bfcdc35de

                  SHA1

                  b576aabfd5e6d5799d487011506ed1ae70688987

                  SHA256

                  2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

                  SHA512

                  449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  17fbfbe3f04595e251287a6bfcdc35de

                  SHA1

                  b576aabfd5e6d5799d487011506ed1ae70688987

                  SHA256

                  2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

                  SHA512

                  449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  17fbfbe3f04595e251287a6bfcdc35de

                  SHA1

                  b576aabfd5e6d5799d487011506ed1ae70688987

                  SHA256

                  2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

                  SHA512

                  449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  17fbfbe3f04595e251287a6bfcdc35de

                  SHA1

                  b576aabfd5e6d5799d487011506ed1ae70688987

                  SHA256

                  2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

                  SHA512

                  449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  17fbfbe3f04595e251287a6bfcdc35de

                  SHA1

                  b576aabfd5e6d5799d487011506ed1ae70688987

                  SHA256

                  2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

                  SHA512

                  449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  e8ce785f8ccc6d202d56fefc59764945

                  SHA1

                  ca032c62ddc5e0f26d84eff9895eb87f14e15960

                  SHA256

                  d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

                  SHA512

                  66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  22fbec4acba323d04079a263526cef3c

                  SHA1

                  eb8dd0042c6a3f20087a7d2391eaf48121f98740

                  SHA256

                  020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                  SHA512

                  fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                • C:\Users\Admin\AppData\Local\Temp\229c264e-eaa2-4747-8101-d27050df70c4.vbs

                  Filesize

                  545B

                  MD5

                  6e9bbd2f1a1bc765611caddb63c92e67

                  SHA1

                  ef4d626338e16d1e891e9cd347d16f9547c9da64

                  SHA256

                  c1ba202b6a6afda021cc4430128734e9e3dc1033da43357644f341a55d2607dc

                  SHA512

                  27746d25faaada6f8e797501838f2e5cded0efeca93379db2589a14ae442e0e947d7a0c6d21193dfed5361d3680f928988cde31e1f8a10172c62903283fe011d

                • C:\Users\Admin\AppData\Local\Temp\3b419a1a-9570-4208-b185-6f2eab245d33.vbs

                  Filesize

                  545B

                  MD5

                  6e9bbd2f1a1bc765611caddb63c92e67

                  SHA1

                  ef4d626338e16d1e891e9cd347d16f9547c9da64

                  SHA256

                  c1ba202b6a6afda021cc4430128734e9e3dc1033da43357644f341a55d2607dc

                  SHA512

                  27746d25faaada6f8e797501838f2e5cded0efeca93379db2589a14ae442e0e947d7a0c6d21193dfed5361d3680f928988cde31e1f8a10172c62903283fe011d

                • C:\Users\Admin\AppData\Local\Temp\749528d9-d491-47f5-aee3-c6ad106a9dbe.vbs
                  Filesize: 769B
                  MD5: 842cd4719713fc8a4042cbae3ffa046e
                  SHA1: 34242f42686f484dbfd549fc471c81890630db60
                  SHA256: 668a5a3c5df19c798475cd5aee11d05331bd9b8617affc2e9a4fcc1d28f0bfd8
                  SHA512: ea9a5d90dd8eac04f3dfb1761ded5caeefd299322fcbd32ff487070a49707b120762d2a769447be846691eba8968107813622bd7b6a73453ba60713a69e81fbd

                • C:\Users\Admin\AppData\Local\Temp\95d425b5-178e-4d9b-8bfe-4349d79ee7f3.vbs
                  Filesize: 545B
                  MD5: 6e9bbd2f1a1bc765611caddb63c92e67
                  SHA1: ef4d626338e16d1e891e9cd347d16f9547c9da64
                  SHA256: c1ba202b6a6afda021cc4430128734e9e3dc1033da43357644f341a55d2607dc
                  SHA512: 27746d25faaada6f8e797501838f2e5cded0efeca93379db2589a14ae442e0e947d7a0c6d21193dfed5361d3680f928988cde31e1f8a10172c62903283fe011d

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjhaba41.zte.ps1
                  Filesize: 60B
                  MD5: d17fe0a3f47be24a6453e9ef58c94641
                  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
                  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
                  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • C:\Users\Admin\AppData\Local\Temp\ab41a0df16d92f4034711e456d4c313a7ac7a831.exe
                  Filesize: 1.4MB
                  MD5: 5e2ccb97d6bf2f8bedd6d473079c33b0
                  SHA1: 699314bf74a661917771308e7cd6d6b618af2827
                  SHA256: 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
                  SHA512: 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

                • C:\Users\Admin\AppData\Local\Temp\db891c56-9be3-4948-8d71-ef50d2690d66.vbs
                  Filesize: 769B
                  MD5: 1dfc292a98891f836f589fe53d139f74
                  SHA1: 806b3f6a003e0519594d1c60b0ba6fdcdca4746a
                  SHA256: 1d953e61f09dc1489bce5da7708092eb983f163f185144f57f754812189f74a8
                  SHA512: 69f3ec7ea0b13d13dcf80cc77c62b96f97a3c7df20dc043396a13eacb99b59d1119eeb4b759d31c63379209b51cd99c396aa1572aa70e1faac11c66bd6dc781f

                • C:\Users\Admin\AppData\Local\Temp\eb357d0b-eebf-485b-97b5-712a2ed5cbba.vbs
                  Filesize: 769B
                  MD5: a86c25657d7182ff4e92546a5c26ba03
                  SHA1: fd8960561484d309747d731e3f47241aa0b4ead1
                  SHA256: 7cdad492f7ab3baa12cc31b72611986a63d8e18b65dace5979d7e1c964a02f69
                  SHA512: 18738c0a0da53c640bcfbae970fb34dc3ee11d4588e97222a8ce908d5a586b83381ebf46a0833847541c15077f5542d5c8059933b7c9c613b173603107aaa558

                • C:\Windows\Resources\Ease of Access Themes\System.exe
                  Filesize: 1.4MB
                  MD5: 5e2ccb97d6bf2f8bedd6d473079c33b0
                  SHA1: 699314bf74a661917771308e7cd6d6b618af2827
                  SHA256: 6f594600a76bb7e0d64a33f97d8fe61db21cce7084db83bd6e624150dd0aabf3
                  SHA512: 0f2dd039b746d157a65998328e4b599678904fb871d53f1a5d175671f2f1abae353d187d866a6b9240b3c81d77bb1a53527d32f7a9028be3e57290e7d05def93

                • C:\Windows\Resources\Ease of Access Themes\System.exe
                  Filesize: 1.4MB
                  MD5: 9c3caf358a154b0ad16b39bc268e8fa0
                  SHA1: 5aed72c786c54abf6437dbfd3929ad633bd7b940
                  SHA256: a521c3be86728c55f9aac6c330dbd704dc1927beb312236f34b0cb5482295d96
                  SHA512: 44dad40780500dd6b2705979d66058e82c04fce82e425f0a1b8e0841be37e7038fc15c0d14db99851b6bf1602a7f25a9941b3097b52350efb303f508ac12765a

                • C:\odt\sysmon.exe
                  Filesize: 1.4MB
                  MD5: eb54b734dce6b99765cfb815d9de9bb2
                  SHA1: 5ab3d016e9c75fc465c3c742503a3b06e44bef85
                  SHA256: 502bd19b4632ec42df5ca0c541b0b02d7aeefc302d41c8d4b35e8c5d084cc87f
                  SHA512: 725af1e9bbbcfcca5b76a9f8cfd903edf962c9399143249728ce904ec5a1822af1572ad24fee83ad16c358054c65aaa944ed59be7f87b7b76163a3d0709a6f58

                • memory/1012-369-0x000001891F870000-0x000001891F880000-memory.dmp
                  Filesize: 64KB
                • memory/1012-366-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/1756-380-0x00000282D93C0000-0x00000282D93D0000-memory.dmp
                  Filesize: 64KB
                • memory/1756-379-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/1816-377-0x000001FC5A320000-0x000001FC5A330000-memory.dmp
                  Filesize: 64KB
                • memory/1816-375-0x000001FC5A320000-0x000001FC5A330000-memory.dmp
                  Filesize: 64KB
                • memory/1816-373-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/1848-374-0x00000286A8B80000-0x00000286A8B90000-memory.dmp
                  Filesize: 64KB
                • memory/1848-372-0x00000286A8B80000-0x00000286A8B90000-memory.dmp
                  Filesize: 64KB
                • memory/1848-371-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/1848-382-0x00000286A8B80000-0x00000286A8B90000-memory.dmp
                  Filesize: 64KB
                • memory/2268-376-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/2268-378-0x000001FBF5F40000-0x000001FBF5F50000-memory.dmp
                  Filesize: 64KB
                • memory/2424-24-0x000000001BB00000-0x000000001BB08000-memory.dmp
                  Filesize: 32KB
                • memory/2424-235-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/2424-1-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/2424-2-0x000000001BB90000-0x000000001BBA0000-memory.dmp
                  Filesize: 64KB
                • memory/2424-3-0x0000000002FE0000-0x0000000002FEE000-memory.dmp
                  Filesize: 56KB
                • memory/2424-4-0x000000001B8C0000-0x000000001B8C8000-memory.dmp
                  Filesize: 32KB
                • memory/2424-5-0x000000001B8D0000-0x000000001B8EC000-memory.dmp
                  Filesize: 112KB
                • memory/2424-367-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/2424-6-0x000000001B940000-0x000000001B990000-memory.dmp
                  Filesize: 320KB
                • memory/2424-7-0x000000001B8F0000-0x000000001B8F8000-memory.dmp
                  Filesize: 32KB
                • memory/2424-8-0x000000001B900000-0x000000001B910000-memory.dmp
                  Filesize: 64KB
                • memory/2424-9-0x000000001B910000-0x000000001B926000-memory.dmp
                  Filesize: 88KB
                • memory/2424-10-0x000000001B930000-0x000000001B940000-memory.dmp
                  Filesize: 64KB
                • memory/2424-11-0x000000001BAA0000-0x000000001BAAA000-memory.dmp
                  Filesize: 40KB
                • memory/2424-12-0x000000001BAB0000-0x000000001BABC000-memory.dmp
                  Filesize: 48KB
                • memory/2424-19-0x0000000002FA0000-0x0000000002FAE000-memory.dmp
                  Filesize: 56KB
                • memory/2424-13-0x000000001BAC0000-0x000000001BACC000-memory.dmp
                  Filesize: 48KB
                • memory/2424-128-0x000000001C880000-0x000000001C980000-memory.dmp
                  Filesize: 1024KB
                • memory/2424-51-0x000000001BB90000-0x000000001BBA0000-memory.dmp
                  Filesize: 64KB
                • memory/2424-29-0x000000001BB90000-0x000000001BBA0000-memory.dmp
                  Filesize: 64KB
                • memory/2424-26-0x000000001BB70000-0x000000001BB7C000-memory.dmp
                  Filesize: 48KB
                • memory/2424-14-0x000000001BAD0000-0x000000001BAD8000-memory.dmp
                  Filesize: 32KB
                • memory/2424-25-0x000000001BB10000-0x000000001BB1A000-memory.dmp
                  Filesize: 40KB
                • memory/2424-15-0x000000001BAE0000-0x000000001BAEC000-memory.dmp
                  Filesize: 48KB
                • memory/2424-16-0x000000001BB20000-0x000000001BB28000-memory.dmp
                  Filesize: 32KB
                • memory/2424-18-0x000000001BB90000-0x000000001BBA0000-memory.dmp
                  Filesize: 64KB
                • memory/2424-20-0x000000001BB90000-0x000000001BBA0000-memory.dmp
                  Filesize: 64KB
                • memory/2424-0-0x0000000000B50000-0x0000000000CBC000-memory.dmp
                  Filesize: 1.4MB
                • memory/2424-23-0x000000001BAF0000-0x000000001BAFC000-memory.dmp
                  Filesize: 48KB
                • memory/2424-22-0x0000000002FC0000-0x0000000002FCE000-memory.dmp
                  Filesize: 56KB
                • memory/2424-21-0x0000000002FB0000-0x0000000002FB8000-memory.dmp
                  Filesize: 32KB
                • memory/2424-17-0x0000000002F90000-0x0000000002F9A000-memory.dmp
                  Filesize: 40KB
                • memory/2700-247-0x000001F7B6DB0000-0x000001F7B6DC0000-memory.dmp
                  Filesize: 64KB
                • memory/2700-236-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/2700-248-0x000001F7B6DB0000-0x000001F7B6DC0000-memory.dmp
                  Filesize: 64KB
                • memory/2972-337-0x000001F441110000-0x000001F441120000-memory.dmp
                  Filesize: 64KB
                • memory/2972-333-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/3456-385-0x000001AD79810000-0x000001AD79820000-memory.dmp
                  Filesize: 64KB
                • memory/3456-234-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/3456-243-0x000001AD799E0000-0x000001AD79A02000-memory.dmp
                  Filesize: 136KB
                • memory/3816-368-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/3816-370-0x00000166E9A90000-0x00000166E9AA0000-memory.dmp
                  Filesize: 64KB
                • memory/3844-261-0x0000021D759F0000-0x0000021D75A00000-memory.dmp
                  Filesize: 64KB
                • memory/3844-386-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/3844-276-0x0000021D759F0000-0x0000021D75A00000-memory.dmp
                  Filesize: 64KB
                • memory/4532-249-0x00007FF9993F0000-0x00007FF999EB1000-memory.dmp
                  Filesize: 10.8MB
                • memory/4532-259-0x0000024CF10C0000-0x0000024CF10D0000-memory.dmp
                  Filesize: 64KB
                • memory/4532-260-0x0000024CF10C0000-0x0000024CF10D0000-memory.dmp
                  Filesize: 64KB
                • memory/4644-381-0x000001EEB3EC0000-0x000001EEB3ED0000-memory.dmp
                  Filesize: 64KB
                • memory/4644-384-0x000001EEB3EC0000-0x000001EEB3ED0000-memory.dmp
                  Filesize: 64KB
                • memory/5504-383-0x000000001BF40000-0x000000001BF50000-memory.dmp
                  Filesize: 64KB