Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/11/2023, 06:47

General

  • Target

    NEAS.98a305d83b5bcde92d88eb5f246240c0.exe

  • Size

    1.4MB

  • MD5

    98a305d83b5bcde92d88eb5f246240c0

  • SHA1

    739903e2cb0bb1584fead08bcb41ada2db5bd85f

  • SHA256

    d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300

  • SHA512

    cf69a0e74b8984f93282cae3465451eae18f05fa47b0712282fad98c56289fabb7adc91e268a4c84ea6504552107d624ee00980b8b47ea2e8971071a59128b0e

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.

  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • System policy modification 1 TTPs 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4928
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wMDGCgjXWp.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2968
        • C:\odt\RuntimeBroker.exe
          "C:\odt\RuntimeBroker.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5604
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39c3734c-919f-467f-83b6-4dd07532cd75.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5872
            • C:\odt\RuntimeBroker.exe
              C:\odt\RuntimeBroker.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1112
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6841ae9-9577-4b12-acc7-e4c5d442b2b2.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1236
                • C:\odt\RuntimeBroker.exe
                  C:\odt\RuntimeBroker.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:5052
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d3a917f-cb18-441c-a623-952574bfe858.vbs"
                    8⤵
                      PID:3260
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f03dc43-bda4-4e43-b04a-ac51d98cf1f0.vbs"
                      8⤵
                        PID:4584
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e75cd97f-67fe-4efd-90c6-d056866d4fd9.vbs"
                    6⤵
                      PID:3764
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b287959-da34-418f-835c-f36457dc3e1a.vbs"
                  4⤵
                    PID:5920
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1132
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4680
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2436
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1648
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3384
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\backgroundTaskHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:216
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\SearchApp.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2088
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4352
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3576
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:560
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3272
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1480
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "NEAS.98a305d83b5bcde92d88eb5f246240c0N" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1196
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "NEAS.98a305d83b5bcde92d88eb5f246240c0" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2896
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "NEAS.98a305d83b5bcde92d88eb5f246240c0N" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:404
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\System.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1112
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3684
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3260
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:452
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2560
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1136
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\Idle.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2300
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4952
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3000
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchApp.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4768
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2864
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1976
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1840
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2996
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4148
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1868
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3284
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3508
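
The tree above is a compact DcRat persistence chain: the parent adds a Defender exclusion for every top-level directory on the drive (Add-MpPreference needs an elevated session, which is why the UAC bypass flagged on PID 3892 matters), a .bat uses w32tm /stripchart against localhost as a sleep substitute, and schtasks registers ONLOGON and every-N-minutes tasks that point at copies named after system binaries (RuntimeBroker.exe, spoolsv.exe, SearchApp.exe, sysmon.exe, System.exe, Idle.exe, backgroundTaskHost.exe) in directories where those binaries do not live. The script below is an added example, not the sandbox's own signature logic: it runs those three observations as rules over process-creation records. The command lines are copied from the tree; the (pid, image, cmdline) record shape, the GENUINE_DIRS map and the two benign control records (PIDs 9998 and 9999) are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Directory where the genuine binary of each borrowed name lives (lower-case).
# The dropped copies in the tree above use these names from other directories.
# Assumed for this example; regenerate it from a clean build you trust.
GENUINE_DIRS = {
    "runtimebroker.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "backgroundtaskhost.exe": r"c:\windows\system32",
    "searchapp.exe": r"c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy",
    "sysmon.exe": r"c:\windows",
    "system.exe": None,  # no genuine binary of this name: any path is suspect
    "idle.exe": None,
}

EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
SCHTASKS_OPT_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.I)


def parse_schtasks(cmdline):
    """Return the /tn /sc /mo /tr /rl values of a schtasks /create command line."""
    opts = {}
    for key, quoted, bare in SCHTASKS_OPT_RE.findall(cmdline):
        opts[key.lower()] = (quoted or bare).strip("'")  # /tr wraps the path in ''
    return opts


def is_broad_exclusion(path):
    """True for a drive root or a directory directly under it (C:/, C:/Users/)."""
    parts = PureWindowsPath(path.replace("/", "\\").rstrip("\\")).parts
    return len(parts) <= 2


def is_masquerade(target):
    """True when a task target borrows a system binary's name outside its home dir."""
    p = PureWindowsPath(target)
    name = p.name.lower()
    if name not in GENUINE_DIRS:
        return False
    expected = GENUINE_DIRS[name]
    return expected is None or str(p.parent).lower() != expected


def triage(events):
    """Apply the rules to (pid, image, cmdline) records.

    Returns a list of (pid, rule, severity, detail) findings.
    """
    findings = []
    for pid, image, cmdline in events:
        exe = PureWindowsPath(image).name.lower()
        low = cmdline.lower()
        if exe == "powershell.exe":
            for path in EXCLUSION_RE.findall(cmdline):
                sev = "high" if is_broad_exclusion(path) else "medium"
                findings.append((pid, "defender-exclusion", sev, path))
        elif exe == "schtasks.exe" and "/create" in low:
            o = parse_schtasks(cmdline)
            target = o.get("tr", "")
            if is_masquerade(target):
                findings.append((pid, "task-masquerade", "high", target))
            if o.get("rl", "").upper() == "HIGHEST":
                findings.append((pid, "task-highest-rl", "medium", o.get("tn", "")))
            if o.get("sc", "").upper() == "MINUTE":
                findings.append((pid, "task-minute-watchdog", "medium",
                                 f"every {o.get('mo', '?')} min -> {target}"))
        elif exe == "w32tm.exe" and "/stripchart" in low and "/computer:localhost" in low:
            # polling the local clock for a few samples is a stock sleep substitute
            findings.append((pid, "w32tm-sleep", "low", cmdline))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ST = r"C:\Windows\system32\schtasks.exe"
# Constructed records: command lines copied from the tree above, plus two benign
# controls (PIDs 9998 and 9999) that the rules must leave alone.
EVENTS = [
    (1412, PS, "powershell -Command Add-MpPreference -ExclusionPath 'C:/'"),
    (4940, PS, "powershell -Command Add-MpPreference -ExclusionPath 'C:/odt/'"),
    (9998, PS, "powershell -Command Add-MpPreference -ExclusionPath 'C:/Tools/Build/cache'"),
    (2968, r"C:\Windows\system32\w32tm.exe",
     "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (4680, ST, r"""schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f"""),
    (1840, ST, r"""schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /f"""),
    (4352, ST, r"""schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\SearchApp.exe'" /rl HIGHEST /f"""),
    (3684, ST, r"""schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\System.exe'" /rl HIGHEST /f"""),
    (9999, ST, r"""schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Tools\backup.exe" /f"""),
]

if __name__ == "__main__":
    for pid, rule, sev, detail in triage(EVENTS):
        print(f"[{sev:6}] pid={pid:<5} {rule:22} {detail}")
```

A drive-root or top-level exclusion is rated high because it silences scanning for the whole volume, not one tool's cache; a task that merely uses /rl HIGHEST is only medium on its own, since installers do that too, but combined with a masquerading target in the same tree it is the persistence mechanism to remove first. The GENUINE_DIRS map is the part to maintain: SearchApp.exe under CloudExperienceHost is flagged only because the map knows the real search host package.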

            Network

                  MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\Program Files\WindowsPowerShell\NEAS.98a305d83b5bcde92d88eb5f246240c0.exe

                    Filesize

                    1.4MB

                    MD5

                    98a305d83b5bcde92d88eb5f246240c0

                    SHA1

                    739903e2cb0bb1584fead08bcb41ada2db5bd85f

                    SHA256

                    d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300

                    SHA512

                    cf69a0e74b8984f93282cae3465451eae18f05fa47b0712282fad98c56289fabb7adc91e268a4c84ea6504552107d624ee00980b8b47ea2e8971071a59128b0e

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

                    Filesize

                    1KB

                    MD5

                    9b0256da3bf9a5303141361b3da59823

                    SHA1

                    d73f34951777136c444eb2c98394f62912ebcdac

                    SHA256

                    96cbc3f4e49d7ae13cd46e36ebb4819b6db1eabe5db910902638c1a24947208e

                    SHA512

                    9f014fef4b1bb71dbdd1d0bad11bd20437a9801eaa830ab386f901f6b5be374a26f68161d7638ea03483028e9a56bf97023cc24b45356a9c76cb755a53d9c164

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                    Filesize

                    2KB

                    MD5

                    d85ba6ff808d9e5444a4b369f5bc2730

                    SHA1

                    31aa9d96590fff6981b315e0b391b575e4c0804a

                    SHA256

                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                    SHA512

                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    aaaac7c68d2b7997ed502c26fd9f65c2

                    SHA1

                    7c5a3731300d672bf53c43e2f9e951c745f7fbdf

                    SHA256

                    8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

                    SHA512

                    c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    5f0ddc7f3691c81ee14d17b419ba220d

                    SHA1

                    f0ef5fde8bab9d17c0b47137e014c91be888ee53

                    SHA256

                    a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                    SHA512

                    2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    e243a38635ff9a06c87c2a61a2200656

                    SHA1

                    ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                    SHA256

                    af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                    SHA512

                    4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    9c97a801bb5d6c21c265ab7f283ba83e

                    SHA1

                    7c0a4cb73d63702a2d454268d983e0dcb36a8bf8

                    SHA256

                    69d9676a8c93686c904d9ce6193221476d6c72bc4d3250a232c03ccbeae380c7

                    SHA512

                    d3abd8bfccd3a3fec55c13e85e755fbd589e6ea04321169c7c8cf5badf7b6ffe96c0c2ed449a0b4a99ecfd1e7bb7edc3311d335c8956cf344c9584fb0bda50d9

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    e8ce785f8ccc6d202d56fefc59764945

                    SHA1

                    ca032c62ddc5e0f26d84eff9895eb87f14e15960

                    SHA256

                    d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

                    SHA512

                    66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

                  • C:\Users\Admin\AppData\Local\Temp\39c3734c-919f-467f-83b6-4dd07532cd75.vbs

                    Filesize

                    700B

                    MD5

                    c467ff65b187b1eeeb68471b1c175189

                    SHA1

                    dcc16520c068f9564f0aa06a0881d1b7a14c9057

                    SHA256

                    9dc90f3d5cbaea4e90416af70d69acf783ffe09500ea36d7a8a37ced9046ea76

                    SHA512

                    0651d63c0af029f270f93010079e5f642328f94aff292a1400fa6c35808a9df7fe9bab677e9d711a5960088944109461d29e507c5bd6756e8b1ed0e528acd340

                  • C:\Users\Admin\AppData\Local\Temp\3b287959-da34-418f-835c-f36457dc3e1a.vbs

                    Filesize

                    476B

                    MD5

                    22f5348b6ea434796666f39301c55d3a

                    SHA1

                    598f002e948d94de366fd33be64b1e04273e94ac

                    SHA256

                    8aefba68bbbf5b455026bc25301887fe4333b6cef83a7d422dbe35f686678196

                    SHA512

                    62ba5cc99317fcc387cedbc057408d6f2c7b9ce17fff06abd591cce6520def3afe845fce982626f5590c67313584f4fc1c8a960fa52a1cbc806d173c290d108a

                  • C:\Users\Admin\AppData\Local\Temp\838c2240ceaf51f4e1ea10f1e48c3a2d1612e317.exe

                    Filesize

                    1.4MB

                    MD5

                    98a305d83b5bcde92d88eb5f246240c0

                    SHA1

                    739903e2cb0bb1584fead08bcb41ada2db5bd85f

                    SHA256

                    d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300

                    SHA512

                    cf69a0e74b8984f93282cae3465451eae18f05fa47b0712282fad98c56289fabb7adc91e268a4c84ea6504552107d624ee00980b8b47ea2e8971071a59128b0e

  • C:\Users\Admin\AppData\Local\Temp\8f03dc43-bda4-4e43-b04a-ac51d98cf1f0.vbs
    Filesize  476B
    MD5       22f5348b6ea434796666f39301c55d3a
    SHA1      598f002e948d94de366fd33be64b1e04273e94ac
    SHA256    8aefba68bbbf5b455026bc25301887fe4333b6cef83a7d422dbe35f686678196
    SHA512    62ba5cc99317fcc387cedbc057408d6f2c7b9ce17fff06abd591cce6520def3afe845fce982626f5590c67313584f4fc1c8a960fa52a1cbc806d173c290d108a

  • C:\Users\Admin\AppData\Local\Temp\9d3a917f-cb18-441c-a623-952574bfe858.vbs
    Filesize  700B
    MD5       8f7e10ae22e86c76a761bfb118a7a950
    SHA1      32067ecc873803e6f9b5ed2aec24dfdd25032727
    SHA256    df5846f665c668a5a81c975c846f07f9957c85c6498cb2f44923563e2380a2cb
    SHA512    180b386caf723bbb08ef2530c8700f574468bbf3c8763f173ac994a8bde2e6de014e29b786d77b6ad151edda8a5897d861a9333aa6d40e2c12cbe2a78d31792f

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovskrcxn.hm1.ps1
    Filesize  60B
    MD5       d17fe0a3f47be24a6453e9ef58c94641
    SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\d6841ae9-9577-4b12-acc7-e4c5d442b2b2.vbs
    Filesize  700B
    MD5       9b326998535447de043175bb78c2f4c2
    SHA1      004e1bff2db8a761d374a0637e92fa746f6e20f1
    SHA256    55e78b1224cb859da1a97daae15566e317985fc224fdf9a09de491a2d1d48ed6
    SHA512    5c05bef7c6e5132d5d417b71f05768938caf9974324c75573888f0c1e682abb1a8c92e223294def3d76fa7ee0012f818a16dbd603294552e36660e9c4fd9f066

  • C:\Users\Admin\AppData\Local\Temp\e75cd97f-67fe-4efd-90c6-d056866d4fd9.vbs
    Filesize  476B
    MD5       22f5348b6ea434796666f39301c55d3a
    SHA1      598f002e948d94de366fd33be64b1e04273e94ac
    SHA256    8aefba68bbbf5b455026bc25301887fe4333b6cef83a7d422dbe35f686678196
    SHA512    62ba5cc99317fcc387cedbc057408d6f2c7b9ce17fff06abd591cce6520def3afe845fce982626f5590c67313584f4fc1c8a960fa52a1cbc806d173c290d108a

  • C:\Users\Admin\AppData\Local\Temp\wMDGCgjXWp.bat
    Filesize  189B
    MD5       a21f17d02b1def5d55ac6adcd882cd7f
    SHA1      0fb81d02696237f0fa603bbb2ca8390e6c680477
    SHA256    8607fb3334b59f1529aa369674faacacf8b00150d71680eecc1151bd1b9c9856
    SHA512    733e65b193fd522da74c688d239ac4aa06d32cede82e2a0220f89858975b9681d3d31251dedd1c01e245b7644ac547e9da0803e82c07c4e928b5809cdf6c230f

  • C:\odt\RuntimeBroker.exe
    Filesize  1.4MB
    MD5       98a305d83b5bcde92d88eb5f246240c0
    SHA1      739903e2cb0bb1584fead08bcb41ada2db5bd85f
    SHA256    d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300
    SHA512    cf69a0e74b8984f93282cae3465451eae18f05fa47b0712282fad98c56289fabb7adc91e268a4c84ea6504552107d624ee00980b8b47ea2e8971071a59128b0e


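The dropped-file list is the raw material for a host hunt, and two details in it matter. First, the submitted sample, the 838c2240ceaf51f4e1ea10f1e48c3a2d1612e317.exe copy in %TEMP% and C:\odt\RuntimeBroker.exe carry identical MD5/SHA1/SHA256/SHA512 values: the payload copies itself under the name of a legitimate Windows binary whose real home is C:\Windows\System32, so the name alone is not a signal but the name in that directory is. Second, __PSScriptPolicyTest_ovskrcxn.hm1.ps1 is a file PowerShell itself writes to %TEMP% at start-up to test script-policy enforcement, not something the malware authored; it shows PowerShell was launched during the run but does not belong on an IOC list. The Python below is an added example written for this page, not part of the sandbox report or of any vendor tool: it hashes files under a root, matches SHA-256 values against the distinct hashes listed above, and flags a RuntimeBroker.exe found anywhere but System32. The EXPECTED_LOCATION table and the hash labels are the editor's and are assumptions to extend for your environment. A hash match only catches this exact build, which is why the name-and-location check is kept as a separate finding.

```python
import hashlib
from pathlib import Path, PureWindowsPath

# SHA-256 values copied from the dropped-file listing above, keyed to the
# file name(s) the sandbox saw them under (labels are the editor's). The 476B
# .vbs hash appears under several GUID-named paths, so it is listed once.
DROPPED_SHA256 = {
    "d3b55401e08b14d4789e0940cb28c43024a7e9f2e743f87bd83a4619a4eef300":
        "1.4MB payload: NEAS.98a305d83b5bcde92d88eb5f246240c0.exe, "
        "838c2240ceaf51f4e1ea10f1e48c3a2d1612e317.exe, C:\\odt\\RuntimeBroker.exe",
    "8aefba68bbbf5b455026bc25301887fe4333b6cef83a7d422dbe35f686678196":
        "476B .vbs (several GUID-named copies)",
    "df5846f665c668a5a81c975c846f07f9957c85c6498cb2f44923563e2380a2cb":
        "9d3a917f-cb18-441c-a623-952574bfe858.vbs (700B)",
    "55e78b1224cb859da1a97daae15566e317985fc224fdf9a09de491a2d1d48ed6":
        "d6841ae9-9577-4b12-acc7-e4c5d442b2b2.vbs (700B)",
    "8607fb3334b59f1529aa369674faacacf8b00150d71680eecc1151bd1b9c9856":
        "wMDGCgjXWp.bat (189B)",
}

# Editor's table (an assumption for this example): system binaries the dropped
# files impersonate, and the one directory each legitimately lives in.
EXPECTED_LOCATION = {
    "runtimebroker.exe": PureWindowsPath(r"C:\Windows\System32"),
}


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """SHA-256 hex digest of a file, read in 1 MiB chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def masquerade_reason(win_path):
    """Return a reason string if the file carries a system-binary name outside its
    expected directory (case-insensitive compare), otherwise None."""
    p = PureWindowsPath(win_path)
    expected = EXPECTED_LOCATION.get(p.name.lower())
    if expected is None or str(p.parent).lower() == str(expected).lower():
        return None
    return f"{p.name} expected under {expected}, found in {p.parent}"


def classify(win_path, digest, ioc_hashes=DROPPED_SHA256):
    """Findings for one file: a hash hit, a masquerading name, both, or none (empty list)."""
    findings = []
    if digest in ioc_hashes:
        findings.append(f"hash matches {ioc_hashes[digest]}")
    reason = masquerade_reason(win_path)
    if reason:
        findings.append(reason)
    return findings


def scan(root, ioc_hashes=DROPPED_SHA256):
    """Walk root and return {path: findings} for every file with at least one finding."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            findings = classify(str(path), sha256_file(path), ioc_hashes)
            if findings:
                report[str(path)] = findings
    return report


if __name__ == "__main__":
    import sys
    for path, findings in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path)
        for f in findings:
            print("   ", f)
```

Run it as `python hunt.py C:\` on a suspect host; on the analysis VM it would report both the hash match and the location finding for C:\odt\RuntimeBroker.exe, and only the hash match for the %TEMP% copies.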
  • memory/576-331-0x00000135C69B0000-0x00000135C69C0000-memory.dmp  Filesize 64KB
  • memory/576-208-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/736-195-0x0000012F367B0000-0x0000012F367C0000-memory.dmp  Filesize 64KB
  • memory/736-196-0x0000012F367B0000-0x0000012F367C0000-memory.dmp  Filesize 64KB
  • memory/1412-313-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/1412-314-0x0000016BC7940000-0x0000016BC7950000-memory.dmp  Filesize 64KB
  • memory/1412-316-0x0000016BC7940000-0x0000016BC7950000-memory.dmp  Filesize 64KB
  • memory/2300-323-0x0000015C22990000-0x0000015C229A0000-memory.dmp  Filesize 64KB
  • memory/2300-321-0x0000015C22990000-0x0000015C229A0000-memory.dmp  Filesize 64KB
  • memory/2300-319-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/2524-332-0x000002812C8A0000-0x000002812C8B0000-memory.dmp  Filesize 64KB
  • memory/2524-322-0x000002812C8A0000-0x000002812C8B0000-memory.dmp  Filesize 64KB
  • memory/2524-320-0x000002812C8A0000-0x000002812C8B0000-memory.dmp  Filesize 64KB
  • memory/2524-318-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/2896-328-0x00000273F0090000-0x00000273F00A0000-memory.dmp  Filesize 64KB
  • memory/2896-317-0x00000273F0090000-0x00000273F00A0000-memory.dmp  Filesize 64KB
  • memory/2896-315-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/3892-18-0x000000001AFB0000-0x000000001AFC0000-memory.dmp  Filesize 64KB
  • memory/3892-13-0x00000000023D0000-0x00000000023DC000-memory.dmp  Filesize 48KB
  • memory/3892-115-0x000000001C1A0000-0x000000001C2A0000-memory.dmp  Filesize 1024KB
  • memory/3892-1-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/3892-2-0x000000001AFB0000-0x000000001AFC0000-memory.dmp  Filesize 64KB
  • memory/3892-189-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/3892-3-0x0000000002310000-0x000000000231E000-memory.dmp  Filesize 56KB
  • memory/3892-4-0x0000000002320000-0x0000000002328000-memory.dmp  Filesize 32KB
  • memory/3892-5-0x0000000002330000-0x000000000234C000-memory.dmp  Filesize 112KB
  • memory/3892-6-0x00000000023E0000-0x0000000002430000-memory.dmp  Filesize 320KB
  • memory/3892-7-0x0000000002350000-0x0000000002358000-memory.dmp  Filesize 32KB
  • memory/3892-8-0x0000000002360000-0x0000000002370000-memory.dmp  Filesize 64KB
  • memory/3892-9-0x0000000002390000-0x00000000023A6000-memory.dmp  Filesize 88KB
  • memory/3892-10-0x0000000002370000-0x0000000002380000-memory.dmp  Filesize 64KB
  • memory/3892-11-0x00000000023B0000-0x00000000023BA000-memory.dmp  Filesize 40KB
  • memory/3892-12-0x00000000023C0000-0x00000000023CC000-memory.dmp  Filesize 48KB
  • memory/3892-0-0x0000000000090000-0x00000000001FC000-memory.dmp  Filesize 1.4MB
  • memory/3892-14-0x0000000002430000-0x0000000002438000-memory.dmp  Filesize 32KB
  • memory/3892-34-0x000000001AFB0000-0x000000001AFC0000-memory.dmp  Filesize 64KB
  • memory/3892-193-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/3892-29-0x000000001AFB0000-0x000000001AFC0000-memory.dmp  Filesize 64KB
  • memory/3892-26-0x00000000022D0000-0x00000000022DC000-memory.dmp  Filesize 48KB
  • memory/3892-25-0x000000001B6F0000-0x000000001B6FA000-memory.dmp  Filesize 40KB
  • memory/3892-24-0x000000001B6E0000-0x000000001B6E8000-memory.dmp  Filesize 32KB
  • memory/3892-23-0x000000001B6D0000-0x000000001B6DC000-memory.dmp  Filesize 48KB
  • memory/3892-22-0x000000001B6C0000-0x000000001B6CE000-memory.dmp  Filesize 56KB
  • memory/3892-21-0x000000001AFA0000-0x000000001AFA8000-memory.dmp  Filesize 32KB
  • memory/3892-17-0x000000001AF80000-0x000000001AF8A000-memory.dmp  Filesize 40KB
  • memory/3892-19-0x000000001AFB0000-0x000000001AFC0000-memory.dmp  Filesize 64KB
  • memory/3892-20-0x000000001AF90000-0x000000001AF9E000-memory.dmp  Filesize 56KB
  • memory/3892-15-0x0000000002440000-0x000000000244C000-memory.dmp  Filesize 48KB
  • memory/3892-16-0x000000001AF70000-0x000000001AF78000-memory.dmp  Filesize 32KB
  • memory/4452-219-0x000001F593FE0000-0x000001F593FF0000-memory.dmp  Filesize 64KB
  • memory/4452-326-0x000001F593FE0000-0x000001F593FF0000-memory.dmp  Filesize 64KB
  • memory/4452-218-0x000001F593FE0000-0x000001F593FF0000-memory.dmp  Filesize 64KB
  • memory/4552-329-0x000001F8015D0000-0x000001F8015E0000-memory.dmp  Filesize 64KB
  • memory/4552-197-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/4808-302-0x000001F6ECAB0000-0x000001F6ECAC0000-memory.dmp  Filesize 64KB
  • memory/4808-301-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/4928-330-0x0000024F9A8E0000-0x0000024F9A8F0000-memory.dmp  Filesize 64KB
  • memory/4928-325-0x0000024F9A8E0000-0x0000024F9A8F0000-memory.dmp  Filesize 64KB
  • memory/4928-324-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/4940-192-0x0000022B22210000-0x0000022B22220000-memory.dmp  Filesize 64KB
  • memory/4940-191-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp  Filesize 10.8MB
  • memory/4940-207-0x0000022B22320000-0x0000022B22342000-memory.dmp  Filesize 136KB
  • memory/4940-327-0x0000022B22210000-0x0000022B22220000-memory.dmp  Filesize 64KB
  • memory/4940-194-0x0000022B22210000-0x0000022B22220000-memory.dmp  Filesize 64KB
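Two things in the memory-dump list are worth pulling out. The middle number in each dump name (memory/<pid>-<n>-<start>-<end>) reads as the sandbox's dump sequence index; taking that as given, the earliest dump, 3892-0, covers 0x90000-0x1FC000, which is 1,490,944 bytes, the same 1.4MB as the submitted sample and consistent with it being the sample's own image in the first process. The 10.8MB range 0x00007FF86B010000-0x00007FF86BAD1000 recurs at exactly the same address in ten PIDs (576, 1412, 2300, 2524, 2896, 3892, 4552, 4808, 4928, 4940). A range that repeats at one virtual address across processes is how an image-mapped DLL shows up, because Windows relocates a DLL once per boot and maps it at that base in every process that loads it; given the report's .NET signatures the CLR is a plausible candidate, but the listing does not name the module, so that remains an inference. The Python below is an added example for this page, not output of the sandbox: it parses dump names, recomputes each region's size from its address range, checks the result against the reported Filesize under the report's rounding convention (binary units, MB to one decimal), and groups ranges shared across PIDs. The embedded lines are a constructed subset of the entries above.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the memory-dump entries from the report,
# one per line as "<dump name> <reported Filesize>".
REPORT_ENTRIES = """
memory/576-208-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp 10.8MB
memory/736-195-0x0000012F367B0000-0x0000012F367C0000-memory.dmp 64KB
memory/2524-318-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp 10.8MB
memory/3892-0-0x0000000000090000-0x00000000001FC000-memory.dmp 1.4MB
memory/3892-6-0x00000000023E0000-0x0000000002430000-memory.dmp 320KB
memory/3892-115-0x000000001C1A0000-0x000000001C2A0000-memory.dmp 1024KB
memory/4940-191-0x00007FF86B010000-0x00007FF86BAD1000-memory.dmp 10.8MB
memory/4940-207-0x0000022B22320000-0x0000022B22342000-memory.dmp 136KB
"""

# Dump names follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp; <seq> is
# assumed here to be the report's dump sequence index.
ENTRY_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
    r"\s+(?P<reported>[\d.]+(?:KB|MB))"
)
SIZE_RE = re.compile(r"(?P<value>[\d.]+)(?P<unit>KB|MB)")


def parse_entries(text):
    """Parse report lines into dicts with integer pid/seq/start/end and the reported size string."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        entries.append({
            "pid": int(m["pid"]),
            "seq": int(m["seq"]),
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "reported": m["reported"],
        })
    return entries


def region_size(entry):
    """Size in bytes of the dumped region, derived from its address range."""
    return entry["end"] - entry["start"]


def matches_reported(size_bytes, reported):
    """True if size_bytes, rendered with the report's unit and decimal precision, equals reported.

    The report uses binary units (1KB = 1024 bytes) and rounds MB to one decimal,
    which is why 0xAC1000 bytes shows as 10.8MB and 0x16C000 bytes as 1.4MB.
    """
    m = SIZE_RE.fullmatch(reported)
    if not m:
        raise ValueError(f"unrecognised size string: {reported!r}")
    value, unit = m["value"], m["unit"]
    divisor = 1024 if unit == "KB" else 1024 * 1024
    decimals = len(value.split(".")[1]) if "." in value else 0
    return round(size_bytes / divisor, decimals) == float(value)


def shared_regions(entries):
    """Map (start, end) -> set of PIDs for every range dumped from more than one process.

    A range recurring at the same virtual address in unrelated processes is the
    signature of an image-mapped DLL: Windows relocates a DLL once per boot and
    then maps it at that base in every process that loads it.
    """
    seen = defaultdict(set)
    for e in entries:
        seen[(e["start"], e["end"])].add(e["pid"])
    return {rng: pids for rng, pids in seen.items() if len(pids) > 1}


def audit(text):
    """Return (dump name, computed size in bytes, consistent with report?) per entry, in order."""
    rows = []
    for e in parse_entries(text):
        name = f"memory/{e['pid']}-{e['seq']}-0x{e['start']:016X}-0x{e['end']:016X}-memory.dmp"
        size = region_size(e)
        rows.append((name, size, matches_reported(size, e["reported"])))
    return rows


if __name__ == "__main__":
    for name, size, ok in audit(REPORT_ENTRIES):
        print(f"{'OK ' if ok else 'BAD'} {size:>10d} bytes  {name}")
    for (start, end), pids in shared_regions(parse_entries(REPORT_ENTRIES)).items():
        print(f"range 0x{start:X}-0x{end:X} ({end - start} bytes) shared by PIDs {sorted(pids)}")
```

Feeding the full listing through `audit` is a quick sanity check that the report's sizes and address ranges agree with one another before you quote them; `shared_regions` is the part that turns a flat list of dumps into the observation that one module is mapped in every process the sample touched.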