Analysis

  • max time kernel
    135s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/11/2023, 06:52

General

  • Target

    NEAS.ee9c47c40454820e89d46e4b89068090.exe

  • Size

    1.4MB

  • MD5

    ee9c47c40454820e89d46e4b89068090

  • SHA1

    74c981d480a6997b8f6f3ffe6c5ba9b005070f3d

  • SHA256

    1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550

  • SHA512

    36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

  • SSDEEP

    24576:qBBkOlRe8ZcXPuCyRdaN1yV/vELneAcCg8:uOOy8eEa1Jct8

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process (42 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass (3 TTPs, 9 IoCs)
  • DCRat payload (8 IoCs)

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Drops file in Program Files directory (15 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 42 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (15 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)
  • System policy modification (1 TTP, 9 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.ee9c47c40454820e89d46e4b89068090.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RMrapfWgvs.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:5628
        • C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe
          "C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:6032
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\036e8838-67c6-452c-bc1d-dc507c53bc76.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:628
            • C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe
              C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:5880
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7553c8b1-09da-49dd-81ab-26279e174160.vbs"
                6⤵
                PID:5072
                  • C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe
                    C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe
                    7⤵
                    PID:4020
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e24b7cd5-934f-488b-8620-d87958837994.vbs"
                    6⤵
                    PID:2496
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e2b9e15-e5b0-432d-8a9c-04f04403eb6d.vbs"
                  4⤵
                  PID:6140
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1224
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2316
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\StartMenuExperienceHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4924
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:5104
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2476
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3336
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:892
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:448
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4904
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\odt\OfficeClickToRun.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2856
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3252
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4780
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\DiagTrack\Settings\TextInputHost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3840
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\TextInputHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4712
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\Settings\TextInputHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3760
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\odt\SppExtComObj.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3096
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4176
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2724
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1560
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1556
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4304
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4416
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:5092
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1292
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3296
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090" /sc ONLOGON /tr "'C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2760
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3372
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1968
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2068
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3908
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:208
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:880
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4972
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4464
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2872
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\Idle.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4648
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\backgroundTaskHost.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:228
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\backgroundTaskHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:936
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\backgroundTaskHost.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3368
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:324
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:4724
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "NEAS.ee9c47c40454820e89d46e4b89068090N" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\NEAS.ee9c47c40454820e89d46e4b89068090.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1488

Network

MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\Program Files\Windows Multimedia Platform\System.exe

                    Filesize

                    1.4MB

                    MD5

                    89eb384c3dce5b29fa79213c2833f408

                    SHA1

                    06462692aa4db106d989161a02d66b1788b953c8

                    SHA256

                    b2bf7bbcace0aa60bc5ee9038cacf7554609b4d25942e349753f0485bca95c33

                    SHA512

                    2d0f94039a7c00b6bd468cb106b269885c1b65005c17ff74bcabc1c3d4c145d240e1d483272706fdd3c4e846139a7a80236ebbe9a2ce529f5c09b0707ca6cde9

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NEAS.ee9c47c40454820e89d46e4b89068090.exe.log

                    Filesize

                    1KB

                    MD5

                    c6ecc3bc2cdd7883e4f2039a5a5cf884

                    SHA1

                    20c9dd2a200e4b0390d490a7a76fa184bfc78151

                    SHA256

                    b3d90663a46ee5333f8f99df4d43c0c76bf3902e3ba3ab36c0903027176d340d

                    SHA512

                    892a8f8e50ff350e790e1543032c64b3e1c050198b1810f89b6ce8a23de947a3e8299e880f0e79da7e4b5373a6b95e7dd7814cd5d7406a1553ef104ff2ff091e

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                    Filesize

                    2KB

                    MD5

                    d85ba6ff808d9e5444a4b369f5bc2730

                    SHA1

                    31aa9d96590fff6981b315e0b391b575e4c0804a

                    SHA256

                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                    SHA512

                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    28d4235aa2e6d782751f980ceb6e5021

                    SHA1

                    f5d82d56acd642b9fc4b963f684fd6b78f25a140

                    SHA256

                    8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

                    SHA512

                    dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    5f0ddc7f3691c81ee14d17b419ba220d

                    SHA1

                    f0ef5fde8bab9d17c0b47137e014c91be888ee53

                    SHA256

                    a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                    SHA512

                    2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    e243a38635ff9a06c87c2a61a2200656

                    SHA1

                    ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                    SHA256

                    af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                    SHA512

                    4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                    MD5

                    22fbec4acba323d04079a263526cef3c

                    SHA1

                    eb8dd0042c6a3f20087a7d2391eaf48121f98740

                    SHA256

                    020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

                    SHA512

                    fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

                  • C:\Users\Admin\AppData\Local\Temp\036e8838-67c6-452c-bc1d-dc507c53bc76.vbs

                    Filesize

                    743B

                    MD5

                    3a86baa623c907364d46468d16f82d73

                    SHA1

                    31bbc133d6272f93cebe253de9b10f71512ff78c

                    SHA256

                    246a22003b3b7f900a6d213775f510075655b71a23f38285172184d68854297c

                    SHA512

                    d654a6e85b23821c6439d44ab980d73ff673bb9aa693a35d4101bfdc29772799de41ac8b89f1bb5692092a7d7922296237fbe298a0757b2a5639eb22ef278764

                  • C:\Users\Admin\AppData\Local\Temp\0e2b9e15-e5b0-432d-8a9c-04f04403eb6d.vbs

                    Filesize

                    519B

                    MD5

                    4bc1e889ee0a8952ad2eeca1e8943b8c

                    SHA1

                    de90fa5118c7a16fc2778b541b14aae4b4048c3b

                    SHA256

                    7adceea606f356a75805058f4b1e3a3b5813548411cfef17fa21acc08cdffc7c

                    SHA512

                    d9c16611c4243357f9f906176fcd79452f6164af3ff47c87123269a62371545ba27edf41f3547a4d38fbd0d21faeea5fbaebe0c20c8ce7a5c827ea587f3788ad

                  • C:\Users\Admin\AppData\Local\Temp\20bd9834279b4b2d8393e47fd378a9316c46a09a.exe

                    Filesize

                    1.4MB

                    MD5

                    ee9c47c40454820e89d46e4b89068090

                    SHA1

                    74c981d480a6997b8f6f3ffe6c5ba9b005070f3d

                    SHA256

                    1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550

                    SHA512

                    36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

                  • C:\Users\Admin\AppData\Local\Temp\7553c8b1-09da-49dd-81ab-26279e174160.vbs

                    Filesize

                    743B

                    MD5

                    e64100a6b3234da3614ee9941d8d6613

                    SHA1

                    91ca80a449b9221abff3ad2a694dfc615b15cca5

                    SHA256

                    b24686f84754d8ca1de4e29e41e160ec389b28ca84a8f0bad944074e58238d62

                    SHA512

                    dabf797ad949a428999a1fc13d40b865c7c80eb007e60354ae72316e611f23a421e66c33acd2dfbc7723906cfd28b7009f0d9322363643769fcf466e9a94e136

                  • C:\Users\Admin\AppData\Local\Temp\RMrapfWgvs.bat

                    Filesize

                    232B

                    MD5

                    6729c7a9089e2b36c28c30f79b0bd119

                    SHA1

                    26de799fe2123f7c78402ebd1af7270b5fb4a656

                    SHA256

                    e91c482308d7f82e811f8903cf124a97da9fc89709607613e5c634ea498c99f0

                    SHA512

                    bba1135a4098971654de59a8137a7c06f549eb422fd6f65d72958ebf36038e0ac3cfa139d43c453e988b72ed033c305dd998807349d3d4aab5654c6427713d58

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x0khvrfi.mjw.ps1

                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  • C:\Users\Admin\AppData\Local\Temp\e24b7cd5-934f-488b-8620-d87958837994.vbs

                    Filesize

                    519B

                    MD5

                    4bc1e889ee0a8952ad2eeca1e8943b8c

                    SHA1

                    de90fa5118c7a16fc2778b541b14aae4b4048c3b

                    SHA256

                    7adceea606f356a75805058f4b1e3a3b5813548411cfef17fa21acc08cdffc7c

                    SHA512

                    d9c16611c4243357f9f906176fcd79452f6164af3ff47c87123269a62371545ba27edf41f3547a4d38fbd0d21faeea5fbaebe0c20c8ce7a5c827ea587f3788ad

                  • C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe

                    Filesize

                    1.4MB

                    MD5

                    ee9c47c40454820e89d46e4b89068090

                    SHA1

                    74c981d480a6997b8f6f3ffe6c5ba9b005070f3d

                    SHA256

                    1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550

                    SHA512

                    36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

                  • C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe

                    Filesize

                    894KB

                    MD5

                    cdfe0369bf3b7aee8c060d4a29aabb8f

                    SHA1

                    7305b0f79f605e56f8b379ed92e30dca2eb350fc

                    SHA256

                    bb6944164b5629f184bc014ac0a4584d98353a81b3ddca53c3c3aa3b39b7f275

                    SHA512

                    74958e574011f30459d0f127c9758ab5d3da34396612dd46733bab7cf017d33bad85d089f19329d9a344bacfd5626b07578b3ac0ec61dff420f8f428a35a7f4e

                  • C:\Windows\DiagTrack\Settings\TextInputHost.exe

                    Filesize

                    1.4MB

                    MD5

                    ee9c47c40454820e89d46e4b89068090

                    SHA1

                    74c981d480a6997b8f6f3ffe6c5ba9b005070f3d

                    SHA256

                    1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550

                    SHA512

                    36d6c66438758f6c11b0d4e44bcf3d677cc760b1ba4235e61c1ba26b2facc99d0e27b018bc07e0f18eee5626b31f6935c90529cbb9661bcb4e65ae9a5d22d399

                  • memory/436-376-0x000001D599FF0000-0x000001D59A000000-memory.dmp

                    Filesize

                    64KB

                  • memory/436-368-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/436-239-0x000001D599FF0000-0x000001D59A000000-memory.dmp

                    Filesize

                    64KB

                  • memory/436-240-0x000001D599FF0000-0x000001D59A000000-memory.dmp

                    Filesize

                    64KB

                  • memory/1436-372-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/1436-344-0x0000010ED53A0000-0x0000010ED53B0000-memory.dmp

                    Filesize

                    64KB

                  • memory/1652-371-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/2140-16-0x000000001BE40000-0x000000001BE48000-memory.dmp

                    Filesize

                    32KB

                  • memory/2140-13-0x00000000034E0000-0x00000000034EC000-memory.dmp

                    Filesize

                    48KB

                  • memory/2140-22-0x0000000003560000-0x0000000003570000-memory.dmp

                    Filesize

                    64KB

                  • memory/2140-21-0x000000001C5D0000-0x000000001C5DE000-memory.dmp

                    Filesize

                    56KB

                  • memory/2140-242-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/2140-229-0x0000000003560000-0x0000000003570000-memory.dmp

                    Filesize

                    64KB

                  • memory/2140-24-0x000000001C5F0000-0x000000001C5F8000-memory.dmp

                    Filesize

                    32KB

                  • memory/2140-19-0x0000000003560000-0x0000000003570000-memory.dmp

                    Filesize

                    64KB

                  • memory/2140-20-0x000000001C5C0000-0x000000001C5C8000-memory.dmp

                    Filesize

                    32KB

                  • memory/2140-18-0x000000001C570000-0x000000001C57E000-memory.dmp

                    Filesize

                    56KB

                  • memory/2140-17-0x000000001BE50000-0x000000001BE5A000-memory.dmp

                    Filesize

                    40KB

                  • memory/2140-0-0x0000000000FE0000-0x000000000114C000-memory.dmp

                    Filesize

                    1.4MB

                  • memory/2140-25-0x000000001C600000-0x000000001C60A000-memory.dmp

                    Filesize

                    40KB

                  • memory/2140-15-0x0000000003550000-0x000000000355C000-memory.dmp

                    Filesize

                    48KB

                  • memory/2140-14-0x00000000034F0000-0x00000000034F8000-memory.dmp

                    Filesize

                    32KB

                  • memory/2140-23-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

                    Filesize

                    48KB

                  • memory/2140-12-0x00000000034D0000-0x00000000034DC000-memory.dmp

                    Filesize

                    48KB

                  • memory/2140-11-0x00000000034C0000-0x00000000034CA000-memory.dmp

                    Filesize

                    40KB

                  • memory/2140-10-0x00000000034B0000-0x00000000034C0000-memory.dmp

                    Filesize

                    64KB

                  • memory/2140-133-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/2140-9-0x0000000003370000-0x0000000003386000-memory.dmp

                    Filesize

                    88KB

                  • memory/2140-8-0x0000000003360000-0x0000000003370000-memory.dmp

                    Filesize

                    64KB

                  • memory/2140-7-0x0000000001A30000-0x0000000001A38000-memory.dmp

                    Filesize

                    32KB

                  • memory/2140-6-0x0000000003500000-0x0000000003550000-memory.dmp

                    Filesize

                    320KB

                  • memory/2140-5-0x0000000001A10000-0x0000000001A2C000-memory.dmp

                    Filesize

                    112KB

                  • memory/2140-52-0x0000000003560000-0x0000000003570000-memory.dmp

                    Filesize

                    64KB

                  • memory/2140-4-0x0000000001A00000-0x0000000001A08000-memory.dmp

                    Filesize

                    32KB

                  • memory/2140-3-0x0000000003350000-0x000000000335E000-memory.dmp

                    Filesize

                    56KB

                  • memory/2140-29-0x0000000003560000-0x0000000003570000-memory.dmp

                    Filesize

                    64KB

                  • memory/2140-26-0x000000001C710000-0x000000001C71C000-memory.dmp

                    Filesize

                    48KB

                  • memory/2140-1-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/2140-2-0x0000000003560000-0x0000000003570000-memory.dmp

                    Filesize

                    64KB

                  • memory/2560-255-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/2560-375-0x0000023BE3D80000-0x0000023BE3D90000-memory.dmp

                    Filesize

                    64KB

                  • memory/2580-374-0x000002970DCF0000-0x000002970DD00000-memory.dmp

                    Filesize

                    64KB

                  • memory/2580-373-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/2692-313-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/2692-328-0x000001AD5E300000-0x000001AD5E310000-memory.dmp

                    Filesize

                    64KB

                  • memory/2920-342-0x00000275F6290000-0x00000275F62A0000-memory.dmp

                    Filesize

                    64KB

                  • memory/2920-274-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/2920-322-0x00000275F6290000-0x00000275F62A0000-memory.dmp

                    Filesize

                    64KB

                  • memory/3316-366-0x000002C7F6EB0000-0x000002C7F6EC0000-memory.dmp

                    Filesize

                    64KB

                  • memory/3316-365-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/3316-367-0x000002C7F6EB0000-0x000002C7F6EC0000-memory.dmp

                    Filesize

                    64KB

                  • memory/3476-369-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/3476-241-0x000002696C990000-0x000002696C9A0000-memory.dmp

                    Filesize

                    64KB

                  • memory/3584-245-0x000001C26F420000-0x000001C26F430000-memory.dmp

                    Filesize

                    64KB

                  • memory/3584-377-0x000001C26F420000-0x000001C26F430000-memory.dmp

                    Filesize

                    64KB

                  • memory/3584-244-0x000001C26F420000-0x000001C26F430000-memory.dmp

                    Filesize

                    64KB

                  • memory/3584-243-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/4228-256-0x000001A652D00000-0x000001A652D22000-memory.dmp

                    Filesize

                    136KB

                  • memory/4228-238-0x000001A63A4E0000-0x000001A63A4F0000-memory.dmp

                    Filesize

                    64KB

                  • memory/4228-237-0x000001A63A4E0000-0x000001A63A4F0000-memory.dmp

                    Filesize

                    64KB

                  • memory/4228-235-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/4744-370-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp

                    Filesize

                    10.8MB

                  • memory/4744-354-0x000002497FFA0000-0x000002497FFB0000-memory.dmp

                    Filesize

                    64KB

                  • memory/4744-343-0x000002497FFA0000-0x000002497FFB0000-memory.dmp

                    Filesize

                    64KB
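The listing above is raw data, but two checks a responder wants from it are mechanical: which dropped files are byte-identical to the submitted sample (same SHA256 as in the report header), and whether each memory dump's reported Filesize is consistent with the address range in its name. The Python below is added here and is not part of the sandbox report; it parses a constructed excerpt of the listing in the report's own layout (SHA1/SHA512 rows omitted for brevity) and answers both questions. Only the hashes and addresses already shown above are used.

```python
import re

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550"

# Constructed excerpt of the listing above, in the report's own layout
# (label line, then value line); SHA1/SHA512 rows dropped for brevity.
REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Temp\0e2b9e15-e5b0-432d-8a9c-04f04403eb6d.vbs
  Filesize
  519B
  MD5
  4bc1e889ee0a8952ad2eeca1e8943b8c
  SHA256
  7adceea606f356a75805058f4b1e3a3b5813548411cfef17fa21acc08cdffc7c
• C:\Users\Public\Downloads\NEAS.ee9c47c40454820e89d46e4b89068090.exe
  Filesize
  894KB
  MD5
  cdfe0369bf3b7aee8c060d4a29aabb8f
  SHA256
  bb6944164b5629f184bc014ac0a4584d98353a81b3ddca53c3c3aa3b39b7f275
• C:\Windows\DiagTrack\Settings\TextInputHost.exe
  Filesize
  1.4MB
  MD5
  ee9c47c40454820e89d46e4b89068090
  SHA256
  1b09e5cee9450e879f4d7891c2dc502b952f897e095fa27514db95410d933550
• memory/2140-0-0x0000000000FE0000-0x000000000114C000-memory.dmp
  Filesize
  1.4MB
• memory/436-368-0x00007FFA99050000-0x00007FFA99B11000-memory.dmp
  Filesize
  10.8MB
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_entries(text):
    """Bullet listing -> list of {'path', 'Filesize', 'MD5', ...}; blank lines ignored."""
    entries, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # new artifact
            current = {"path": line[1:].strip()}
            entries.append(current)
            label = None
        elif line in LABELS:                # label row, value follows on the next row
            label = line
        elif current is not None and label is not None:
            current[label] = line
            label = None
    return entries

def sample_copies(entries, sha256=SAMPLE_SHA256):
    """Unique paths whose SHA256 equals the submitted sample: where it copied itself."""
    return sorted({e["path"] for e in entries if e.get("SHA256", "").lower() == sha256})

def human_size(nbytes):
    """Render a byte count the way the report does (10.8MB, 64KB, 519B)."""
    if nbytes >= 1024 * 1024:
        return f"{nbytes / (1024 * 1024):.1f}MB"
    if nbytes >= 1024:
        return f"{nbytes / 1024:.0f}KB"
    return f"{nbytes}B"

def parse_memory_region(path):
    """memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp -> (pid, start, end, size) or None."""
    m = MEM_RE.match(path)
    if not m:
        return None
    pid, _, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return int(pid), start, end, end - start

def audit_memory_sizes(entries):
    """(pid, start, reported, computed, match) for every memory dump in the listing."""
    out = []
    for e in entries:
        region = parse_memory_region(e["path"])
        if region:
            pid, start, _, size = region
            computed = human_size(size)
            out.append((pid, hex(start), e.get("Filesize"), computed, computed == e.get("Filesize")))
    return out

if __name__ == "__main__":
    entries = parse_entries(REPORT_EXCERPT)
    for p in sample_copies(entries):
        print("copy of the submitted sample:", p)
    for pid, start, reported, computed, ok in audit_memory_sizes(entries):
        print(f"pid {pid} {start}: reported {reported}, computed {computed}, {'ok' if ok else 'MISMATCH'}")
```

On the excerpt this flags C:\Windows\DiagTrack\Settings\TextInputHost.exe as a byte-identical copy of the submitted sample (it carries the header's MD5/SHA256) dropped under a Windows system directory, while the 894KB file at C:\Users\Public\Downloads is a different payload. For the dumps, the region at 0xFE0000 in PID 2140 spans 0x16C000 bytes, which rounds to the sample's 1.4MB, so it is the mapping of the submitted image itself; the 10.8MB region at 0x00007FFA99050000 sits at the same address in every listed process, which is what a shared mapped module looks like, but the listing alone does not say which module, so that identification needs the dump.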