Analysis

  • max time kernel
    158s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/11/2023, 03:19

General

  • Target

    NEAS.0e28ad7c051feab83c13d21b648a8d60.exe

  • Size

    1.4MB

  • MD5

    0e28ad7c051feab83c13d21b648a8d60

  • SHA1

    ed5e0a9db6860af386c099452870856b649d2841

  • SHA256

    8732e9d6d834f3adf742d2af0c5692adefbbe6d68a03bc059a460b1857dd8bd6

  • SHA512

    68031aee98c0f0cff3a7d067fadd8b8835c35e0ff8f31e15c6a744492ea046d7cd7647c4690523c62781994520dc46b3d6f4d068ba87ec8cd50332758fa13bda

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • System policy modification 1 TTPs 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.0e28ad7c051feab83c13d21b648a8d60.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1460
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fc7N4hi3mv.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:6084
        • C:\Users\Admin\SendTo\sihost.exe
          "C:\Users\Admin\SendTo\sihost.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5352
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f95379a0-7df4-4338-a6b1-eac709e1129f.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Users\Admin\SendTo\sihost.exe
              C:\Users\Admin\SendTo\sihost.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3368
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf555f34-dc56-430f-9bdf-9b836bfb9c85.vbs"
                6⤵
                PID:5780
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f3f8b9c-963e-4aba-be7c-ff74ae25a3b2.vbs"
                  6⤵
                  PID:4456
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5297db2e-7162-4182-b6b3-533eefe8682b.vbs"
                4⤵
                PID:1740
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3332
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4940
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4752
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\odt\winlogon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4360
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1320
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1632
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3408
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2556
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3992
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4552
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3148
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4788
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2240
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:676
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\appcompat\Programs\taskhostw.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3316
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\appcompat\Programs\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4476
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\Programs\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4996
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3996
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1244
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1000
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\upfc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1280
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:944
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\upfc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3484
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\sihost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3096
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:384
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\sihost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1740

Network

MITRE ATT&CK Enterprise v15

Downloads


                  Filesize

                  64KB

                • memory/3440-64-0x000000001B730000-0x000000001B740000-memory.dmp

                  Filesize

                  64KB

                • memory/3440-31-0x000000001B730000-0x000000001B740000-memory.dmp

                  Filesize

                  64KB

                • memory/3440-1-0x00007FFDF69B0000-0x00007FFDF7471000-memory.dmp

                  Filesize

                  10.8MB

                • memory/3440-3-0x0000000001240000-0x000000000124E000-memory.dmp

                  Filesize

                  56KB

                • memory/3440-4-0x0000000002B40000-0x0000000002B48000-memory.dmp

                  Filesize

                  32KB

                • memory/3440-5-0x0000000002B50000-0x0000000002B6C000-memory.dmp

                  Filesize

                  112KB

                • memory/3440-6-0x000000001B6A0000-0x000000001B6F0000-memory.dmp

                  Filesize

                  320KB

                • memory/3440-7-0x0000000002B70000-0x0000000002B78000-memory.dmp

                  Filesize

                  32KB

                • memory/3440-8-0x0000000002B80000-0x0000000002B90000-memory.dmp

                  Filesize

                  64KB

                • memory/3440-9-0x0000000002B90000-0x0000000002BA6000-memory.dmp

                  Filesize

                  88KB

                • memory/3440-26-0x0000000002B30000-0x0000000002B3C000-memory.dmp

                  Filesize

                  48KB

                • memory/3440-25-0x0000000002B20000-0x0000000002B2A000-memory.dmp

                  Filesize

                  40KB

                • memory/3440-10-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

                  Filesize

                  64KB

                • memory/3440-11-0x000000001B6F0000-0x000000001B6FA000-memory.dmp

                  Filesize

                  40KB

                • memory/3440-12-0x000000001B700000-0x000000001B70C000-memory.dmp

                  Filesize

                  48KB

                • memory/3440-24-0x0000000002B10000-0x0000000002B18000-memory.dmp

                  Filesize

                  32KB

                • memory/3440-23-0x0000000002B00000-0x0000000002B0C000-memory.dmp

                  Filesize

                  48KB

                • memory/3440-14-0x000000001B720000-0x000000001B728000-memory.dmp

                  Filesize

                  32KB

                • memory/3440-0-0x00000000008B0000-0x0000000000A1C000-memory.dmp

                  Filesize

                  1.4MB

                • memory/3440-19-0x000000001BEB0000-0x000000001BEBA000-memory.dmp

                  Filesize

                  40KB

                • memory/3440-20-0x000000001BEC0000-0x000000001BECE000-memory.dmp

                  Filesize

                  56KB

                • memory/3440-21-0x000000001BED0000-0x000000001BED8000-memory.dmp

                  Filesize

                  32KB

                • memory/3440-22-0x000000001BEE0000-0x000000001BEEE000-memory.dmp

                  Filesize

                  56KB

                • memory/3440-17-0x000000001B730000-0x000000001B740000-memory.dmp

                  Filesize

                  64KB

                • memory/3440-18-0x000000001B730000-0x000000001B740000-memory.dmp

                  Filesize

                  64KB

                • memory/3440-16-0x000000001BE60000-0x000000001BE68000-memory.dmp

                  Filesize

                  32KB

                • memory/3440-15-0x000000001BC50000-0x000000001BC5C000-memory.dmp

                  Filesize

                  48KB

                • memory/3484-294-0x00007FFDF69B0000-0x00007FFDF7471000-memory.dmp

                  Filesize

                  10.8MB

                • memory/3484-295-0x0000025DAE630000-0x0000025DAE640000-memory.dmp

                  Filesize

                  64KB

                • memory/3996-168-0x000002922A7E0000-0x000002922A7F0000-memory.dmp

                  Filesize

                  64KB

                • memory/3996-167-0x000002922A7E0000-0x000002922A7F0000-memory.dmp

                  Filesize

                  64KB

                • memory/3996-166-0x00007FFDF69B0000-0x00007FFDF7471000-memory.dmp

                  Filesize

                  10.8MB

                • memory/3996-305-0x000002922A7E0000-0x000002922A7F0000-memory.dmp

                  Filesize

                  64KB

                • memory/4880-183-0x00000230210A0000-0x00000230210B0000-memory.dmp

                  Filesize

                  64KB

                • memory/4880-180-0x00007FFDF69B0000-0x00007FFDF7471000-memory.dmp

                  Filesize

                  10.8MB

                • memory/4880-182-0x00000230210A0000-0x00000230210B0000-memory.dmp

                  Filesize

                  64KB

                • memory/4880-306-0x00000230210A0000-0x00000230210B0000-memory.dmp

                  Filesize

                  64KB

                • memory/4996-310-0x00000265DFA20000-0x00000265DFA30000-memory.dmp

                  Filesize

                  64KB

                • memory/4996-300-0x00000265DFA20000-0x00000265DFA30000-memory.dmp

                  Filesize

                  64KB

                • memory/4996-301-0x00000265DFA20000-0x00000265DFA30000-memory.dmp

                  Filesize

                  64KB

                • memory/4996-304-0x00007FFDF69B0000-0x00007FFDF7471000-memory.dmp

                  Filesize

                  10.8MB