Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 02:56

General

  • Target

    ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe

  • Size

    2.2MB

  • MD5

    8a47ebacc81a5930588692128bc229f8

  • SHA1

    3323a7c3376d19d5db6decb7c0fe2747848f9725

  • SHA256

    ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908

  • SHA512

    d2c12419b5b78570f723137f768199cdd2dbf78456d260965bba037646ab2a569acac4da6a2bdcaa80fb6f6bb0ef1892675894a0a2ea760fdb5f322d935d4e14

  • SSDEEP

    49152:fHS93gX+fmEb8cbLJFVOy4lnxMPPAKYw1adF:/wNTT2MP4Kpa

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 15 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 17 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 16 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
    "C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\upfc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\SoftwareDistribution\upfc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\fontdrvhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3096
    • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
      "C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4724
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0351f545-5ef5-438e-976e-8638c387e22b.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3972
        • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
          C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff9fc68a-5537-4993-87c3-c1414412a145.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4028
            • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
              C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1756
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e99529d-7ead-4eb5-a02b-ccfbbb331a62.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3144
                • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                  C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:452
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d4435c6-643b-44bb-a47d-94185b57422e.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4924
                    • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                      C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3860
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7bd1255-7b10-47bb-a3ef-1344ec7ada48.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4380
                        • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                          C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2848
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad6c1669-108d-46c5-89ad-57294091ce76.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3180
                            • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                              C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2744
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\633ca69f-240a-44d9-8f61-2eae9c2d8ef0.vbs"
                                15⤵
                                • Suspicious use of WriteProcessMemory
                                PID:960
                                • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                  C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:1316
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8b98cd4-78d3-4b62-be68-655e618f64f5.vbs"
                                    17⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:632
                                    • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                      C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:3340
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1aefdea1-bd15-48ce-8c94-e03ed473b990.vbs"
                                        19⤵
                                          PID:2172
                                          • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                            C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                            20⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3608
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62224a12-2b17-4ad6-ac8a-773cb2691eac.vbs"
                                              21⤵
                                                PID:3672
                                                • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                  C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                  22⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2572
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf5a918c-536d-4481-b80b-77748e7827bc.vbs"
                                                    23⤵
                                                      PID:3436
                                                      • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                        C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                        24⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Modifies registry class
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:548
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fb53dd9-66c4-4c72-9f8a-76b6d158963f.vbs"
                                                          25⤵
                                                            PID:5008
                                                            • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                              C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                              26⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4524
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40bbc39e-80cd-43b8-b761-8cc84f6fbf0e.vbs"
                                                                27⤵
                                                                  PID:2748
                                                                  • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                                    C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                                    28⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:3708
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9ac3e6b-b6ef-47a4-aa9a-030aac171292.vbs"
                                                                      29⤵
                                                                        PID:4560
                                                                        • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                                          C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                                          30⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2012
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7229e023-8505-4b34-9f70-c2f644b6bede.vbs"
                                                                            31⤵
                                                                              PID:3012
                                                                              • C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                                                C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
                                                                                32⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:228
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21847678-6bd4-4321-bcee-c386ebeee3e1.vbs"
                                                                                  33⤵
                                                                                    PID:2128
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6f1db2b-13b0-4ed0-83ad-33a51f87270c.vbs"
                                                                                    33⤵
                                                                                      PID:4220
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68bb6dc3-ea4f-4c11-852d-8174a1605668.vbs"
                                                                                  31⤵
                                                                                    PID:1620
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57983995-7fc2-40b1-aa84-58185cc552be.vbs"
                                                                                29⤵
                                                                                  PID:5076
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffef8f49-f941-469f-97bc-8402dde0e9ea.vbs"
                                                                              27⤵
                                                                                PID:1756
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0333ab8-9ed6-409a-aa0b-5f9920815e51.vbs"
                                                                            25⤵
                                                                              PID:1976
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08b7206b-e08c-453c-85e8-186f9e155015.vbs"
                                                                          23⤵
                                                                            PID:3100
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b09f0430-3221-4884-8055-8dc261939e3f.vbs"
                                                                        21⤵
                                                                          PID:2432
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48c0f184-8fd8-4273-8843-cf17d092e7f0.vbs"
                                                                      19⤵
                                                                        PID:3652
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67c9098c-4b31-4c31-b57b-dcf4eb02e9b4.vbs"
                                                                    17⤵
                                                                      PID:1760
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7101fda6-6084-4a69-98fd-1c2088b9ed86.vbs"
                                                                  15⤵
                                                                    PID:1500
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3013c67-6628-41b2-ad42-14481e46c972.vbs"
                                                                13⤵
                                                                  PID:4068
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\240f518e-d3e0-467e-beed-021756eaf370.vbs"
                                                              11⤵
                                                                PID:1480
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60b90654-6ed7-49ff-bc29-ea38fef6213f.vbs"
                                                            9⤵
                                                              PID:3528
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a5c93ee-959c-42f3-a57e-53e721abbb06.vbs"
                                                          7⤵
                                                            PID:1344
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15512a27-1632-48ae-a87f-7e570874c52c.vbs"
                                                        5⤵
                                                          PID:3736
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73d0f563-2cab-4691-b7b6-8a5373885f38.vbs"
                                                      3⤵
                                                        PID:4344
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Creates scheduled task(s)
                                                    PID:3304
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\upfc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Creates scheduled task(s)
                                                    PID:3612
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Creates scheduled task(s)
                                                    PID:4260
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\upfc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Creates scheduled task(s)
                                                    PID:2188
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PerfLogs\fontdrvhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Creates scheduled task(s)
                                                    PID:4208

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\PerfLogs\fontdrvhost.exe

    Filesize

    2.2MB

    MD5

    8a47ebacc81a5930588692128bc229f8

    SHA1

    3323a7c3376d19d5db6decb7c0fe2747848f9725

    SHA256

    ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908

    SHA512

    d2c12419b5b78570f723137f768199cdd2dbf78456d260965bba037646ab2a569acac4da6a2bdcaa80fb6f6bb0ef1892675894a0a2ea760fdb5f322d935d4e14

  • C:\ProgramData\SoftwareDistribution\upfc.exe

    Filesize

    2.2MB

    MD5

    890c6979f506268ec4cb03d22e323b54

    SHA1

    dc0e3fd26dc90a0cf9f303634e3b04321f81d2c5

    SHA256

    4d6c0af64ff09fbc2e869a7f78291396de04b08b41f166311cc8cc8222779ab1

    SHA512

    7402617bd6a64c778f22c663cef462a306459f9a28e87f9b543d8960c97fd8258d40a64f5489457c9097afbbe3634436b2eeb3dd92f73c805d88d300b32815f6

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

    Filesize

    1KB

    MD5

    baf55b95da4a601229647f25dad12878

    SHA1

    abc16954ebfd213733c4493fc1910164d825cac8

    SHA256

    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

    SHA512

    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    6d42b6da621e8df5674e26b799c8e2aa

                                                    SHA1

                                                    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                                    SHA256

                                                    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                                    SHA512

                                                    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    77d622bb1a5b250869a3238b9bc1402b

                                                    SHA1

                                                    d47f4003c2554b9dfc4c16f22460b331886b191b

                                                    SHA256

                                                    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                                    SHA512

                                                    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                                  • C:\Users\Admin\AppData\Local\Temp\0351f545-5ef5-438e-976e-8638c387e22b.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    725e8c09310641092c830ac46617df5e

                                                    SHA1

                                                    de4df0b4d84c9fc3d7094b09422f2853f5d3f923

                                                    SHA256

                                                    48a6b2d382f4165077f7918957d8878dab737e1d4aa5dfe8bcb27b4be7ce172b

                                                    SHA512

                                                    39749ad2cc56dce3dee0d2e023e2c7731f822be89f3e32c9179502e156a1b62153d158140c0c9b9629f8a97f4e8e0e8fac96e39596e792438d5d1903d7af70ab

                                                  • C:\Users\Admin\AppData\Local\Temp\1aefdea1-bd15-48ce-8c94-e03ed473b990.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    9b8999a13a2fbb8e4950d5ec378f0102

                                                    SHA1

                                                    b6fa39fe19704fdca0088c5d9c61788d8cfb49e7

                                                    SHA256

                                                    6892841c905fd8cf535274be953b4ad60224d3bd4928b057931786a14f33e6e3

                                                    SHA512

                                                    b740b2d7fd10f0b6fd0ceff34518c17a26388829ba5bab17250f65a7b493e2390c6a4c95e94d1ac4a4b00103f3ec644da2e74c9f52a99a7b0f7dabac8b2ba1b3

                                                  • C:\Users\Admin\AppData\Local\Temp\40bbc39e-80cd-43b8-b761-8cc84f6fbf0e.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    4951fa61a8acd273f00397cf211d6b1a

                                                    SHA1

                                                    638628c37edc6862a6bda76c8a28c1f60edc1318

                                                    SHA256

                                                    2db1c21e2380108512285a1edff99fc2d14f3ce886fa72a84a11d42bf1348277

                                                    SHA512

                                                    0ec45d8e8ee7345c81e4a46c93af03e1e89781d8308e8358b6e8a5ff9ad0c905afb9f6232de4f3a707e90ea7487298fe5f30098ab74c41b2cfef5ae295303865

                                                  • C:\Users\Admin\AppData\Local\Temp\62224a12-2b17-4ad6-ac8a-773cb2691eac.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    08b39de6cda89fddd9c2dc11477b22a5

                                                    SHA1

                                                    ecd87e93a38f79aa678a893e7b19ded7d28bb73d

                                                    SHA256

                                                    dc5b809ce8f3333da5a4d18b71ccef31b43924effeacd63fb5af0687489e4dc2

                                                    SHA512

                                                    e7d65687dc9ecd3a9a02dd9dacaf4aba8387bc8862cbcb2eb723834bef9057154a9faa2bee3addf3d0f04c176bf907922b4cfb05678c50c6001c78261d465752

                                                  • C:\Users\Admin\AppData\Local\Temp\633ca69f-240a-44d9-8f61-2eae9c2d8ef0.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    1184c517a7d1961ce9ffa679eddbb8d4

                                                    SHA1

                                                    51f8ca6d851bb67f18a9c05ea44791469a7e42e6

                                                    SHA256

                                                    75101ecf724b56f305a4b3f296fa44f6e940872550726f4a13e52425f2f81b22

                                                    SHA512

                                                    a0626ea77c4ee469c90be93584c71d0311a05e30d699febd0319dd9e2be3b153347a58e36121a59b97ff65594422c4a226776aeb0f86935b5c330e1ed84f3c48

                                                  • C:\Users\Admin\AppData\Local\Temp\6d4435c6-643b-44bb-a47d-94185b57422e.vbs
                                                    Filesize

                                                    731B

                                                    MD5

                                                    67016f70b2fd0c5c4ab8932ef4411b67

                                                    SHA1

                                                    a93d02dc81809d9bdd236368725e8943ed6882dd

                                                    SHA256

                                                    ed25245c0f29f97a888d1375c2f5dc2e9815bc3819f308a60b886acdc1e31b82

                                                    SHA512

                                                    1c9a38e33de15d04428d0b092d32b6ba97fd05dca18d8ad27108cccf155c5bfd26efa6d7d1c370701ecdcbc108aabf0034e2823de05cf03d1574719a46574896

                                                  • C:\Users\Admin\AppData\Local\Temp\73d0f563-2cab-4691-b7b6-8a5373885f38.vbs
                                                    Filesize

                                                    508B

                                                    MD5

                                                    335cf549b99251e92119cb0e197ebac8

                                                    SHA1

                                                    b465bae1e29ac519998f9f921102e7bcf7414682

                                                    SHA256

                                                    c9d491a34273e31af4b690b5e76e7e0cfc592f9793849954e1b1ac10cb45ede5

                                                    SHA512

                                                    f312e56057b79b86e8a7c50ae5769305c58116146b5203659e0b8d69dbc06bd170c822b47d7a5a1bf615f7dd876579e0a963fbe2492fb943c51fe285ccf1dc1c

                                                  • C:\Users\Admin\AppData\Local\Temp\8e99529d-7ead-4eb5-a02b-ccfbbb331a62.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    a7378dded00637f3f08a8f1393afe3af

                                                    SHA1

                                                    5f2818c64815c4720c079c25938e21391a4a268e

                                                    SHA256

                                                    2e07edcf3499270d85453ca03618c7087310689981e26694a465e7dc03d1e395

                                                    SHA512

                                                    1f955ee0ad13c35382786470cf70f127b88370e261f3b0376f542cb89091c65b1f5ff12da178e094e1d28ceec13be5af6374837adbb6b89b632706190468d1a7

                                                  • C:\Users\Admin\AppData\Local\Temp\8fb53dd9-66c4-4c72-9f8a-76b6d158963f.vbs
                                                    Filesize

                                                    731B

                                                    MD5

                                                    bb1b34d9c1ca05140a24b6eca1e13789

                                                    SHA1

                                                    d6bbd10a38a92bda571e1f282ba480f9cffcb0bc

                                                    SHA256

                                                    dc702559beb57889539dc59a4cc1b796e3c7499a2fa22dc68cd198ce43a06b95

                                                    SHA512

                                                    70d34761f62ddcf209d47bc068f8a144be3708b05234a2f211b255372ef844b6f676954a84d2db77426ff0fdac3bad5cd5ba0ea3b29b6acfec3a9c2058db03cf

                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xogy10xi.aa1.ps1
                                                    Filesize

                                                    60B

                                                    MD5

                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                    SHA1

                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                    SHA256

                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                    SHA512

                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                  • C:\Users\Admin\AppData\Local\Temp\ad6c1669-108d-46c5-89ad-57294091ce76.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    81f1bd5511e61eb83b9c375d04d3b758

                                                    SHA1

                                                    e63154b79b4bef06f1d87daba1170d526660e644

                                                    SHA256

                                                    c6ef3ed8734341b8edd80702949f5740ee4490797cb5af0eb3cad868856dd076

                                                    SHA512

                                                    5895f4e0f40b843a596fa757f29f1247fe2c05abf2a9013c04ad5b9280545f375723f1d6ed3fcdf38315fafa5fdaac8b34558a78beebbc499ccdf6a6db5c8e5c

                                                  • C:\Users\Admin\AppData\Local\Temp\bf5a918c-536d-4481-b80b-77748e7827bc.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    225f1431f16e9d9b76d6903c4b1afd7c

                                                    SHA1

                                                    85856633ec0e8b95aa3caf78a17222393d5adefb

                                                    SHA256

                                                    a1054920614eac0dbc8838099998041e133f2754243de9e6213690b982024eee

                                                    SHA512

                                                    8a212d1a03f3a021b368ca1d1dfff6e76dc2018875d05b32d65c94440d5698b71e23bb00ae3c05f19eacffcf577a9184b89e0bd719924b5c91522ab536008bc2

                                                  • C:\Users\Admin\AppData\Local\Temp\d8b98cd4-78d3-4b62-be68-655e618f64f5.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    705b12ef0604a9384452dc0d413c0525

                                                    SHA1

                                                    616eef306088a7bad188fcc153c51576412345ea

                                                    SHA256

                                                    37934fb2c60d55d813ba968578071147b49a22278e5bf2cc749d6df76a8de7ca

                                                    SHA512

                                                    9ad40281e2b3a434ba85eaaa7a71c5bcb7a14589382601f2106f570288e9a42c7b318272968a8c63296ff5d0e1471f790397cdfbfcee2993c4d76c4e580852b9

                                                  • C:\Users\Admin\AppData\Local\Temp\f7bd1255-7b10-47bb-a3ef-1344ec7ada48.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    80969060b621e75029d471598e533045

                                                    SHA1

                                                    462f00f9bb2a3e6e36d2f5488a0e6d5192bf617e

                                                    SHA256

                                                    907d6a3b485fd535c92adcec9e02c409f56c7d3ab39ea6f1e1537345762a04d6

                                                    SHA512

                                                    83c8b43659ef138d54c5fc9e42adbc8a8e1a480232ca36583f748442c0294ac694af3715c15dcf2040ff7841ba126a1db72402c63498bfbad2639d2c0143e956

                                                  • C:\Users\Admin\AppData\Local\Temp\f9ac3e6b-b6ef-47a4-aa9a-030aac171292.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    fd5666f2c477e4b1e5db0f7409a85e91

                                                    SHA1

                                                    a6bc1301706c1140015a614cb438431f0a633e90

                                                    SHA256

                                                    c713d4fcaa4e3c2abd359d77767ad8bb2c2ca709894a5b27130e947d052a0ccc

                                                    SHA512

                                                    b38b5e1d2a7eda740c0ea0a70942a0c73b90bbd4ea1c026b43ff7306273f3f72f228a9bbbfa8aa1f10b59b1b008cf44024e7a8ca97ac749b55500b27c7347732

                                                  • C:\Users\Admin\AppData\Local\Temp\ff9fc68a-5537-4993-87c3-c1414412a145.vbs
                                                    Filesize

                                                    732B

                                                    MD5

                                                    b28d1c02d33eed47d3c9ce0cea6878f0

                                                    SHA1

                                                    ffdf793160e4c20e274e5cab9e9656e07fb310ee

                                                    SHA256

                                                    a726408c3a645cf2eb5b9ad8bc0701b2fbf72eb668a1e49676dc8272bd8e12cc

                                                    SHA512

                                                    bb49d75054dfeb4e70940fe178524a3f6d76b78a630d71b1af10c427f542267c0ac4f8b49488c1a3c6d085eb00a5e389538b91ae76cf243f862c7a6546d6f769

                                                  • memory/344-11-0x000000001B5E0000-0x000000001B5EC000-memory.dmp
                                                    Filesize

                                                    48KB

                                                  • memory/344-7-0x0000000002BB0000-0x0000000002BBA000-memory.dmp
                                                    Filesize

                                                    40KB

                                                  • memory/344-203-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
                                                    Filesize

                                                    10.8MB

                                                  • memory/344-1-0x0000000000770000-0x00000000009B6000-memory.dmp
                                                    Filesize

                                                    2.3MB

                                                  • memory/344-2-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
                                                    Filesize

                                                    10.8MB

                                                  • memory/344-13-0x000000001B600000-0x000000001B60A000-memory.dmp
                                                    Filesize

                                                    40KB

                                                  • memory/344-12-0x000000001B5F0000-0x000000001B5F8000-memory.dmp
                                                    Filesize

                                                    32KB

                                                  • memory/344-3-0x0000000002A10000-0x0000000002A1C000-memory.dmp
                                                    Filesize

                                                    48KB

                                                  • memory/344-0-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp
                                                    Filesize

                                                    8KB

                                                  • memory/344-10-0x000000001B5D0000-0x000000001B5DA000-memory.dmp
                                                    Filesize

                                                    40KB

                                                  • memory/344-9-0x0000000002BD0000-0x0000000002BDC000-memory.dmp
                                                    Filesize

                                                    48KB

                                                  • memory/344-4-0x0000000002A20000-0x0000000002A30000-memory.dmp
                                                    Filesize

                                                    64KB

                                                  • memory/344-5-0x0000000002A30000-0x0000000002A86000-memory.dmp
                                                    Filesize

                                                    344KB

                                                  • memory/344-8-0x0000000002BC0000-0x0000000002BCA000-memory.dmp
                                                    Filesize

                                                    40KB

                                                  • memory/344-6-0x0000000002A90000-0x0000000002A98000-memory.dmp
                                                    Filesize

                                                    32KB

                                                  • memory/452-253-0x000000001BDC0000-0x000000001BE16000-memory.dmp
                                                    Filesize

                                                    344KB

                                                  • memory/548-344-0x0000000000E60000-0x0000000000EB6000-memory.dmp
                                                    Filesize

                                                    344KB

                                                  • memory/1316-298-0x00000000017C0000-0x0000000001816000-memory.dmp
                                                    Filesize

                                                    344KB

                                                  • memory/3028-230-0x0000000002DD0000-0x0000000002E26000-memory.dmp
                                                    Filesize

                                                    344KB

                                                  • memory/3096-142-0x000001EF6F8B0000-0x000001EF6F8D2000-memory.dmp
                                                    Filesize

                                                    136KB

                                                  • memory/3340-310-0x0000000002C90000-0x0000000002CE6000-memory.dmp
                                                    Filesize

                                                    344KB

                                                  • memory/3708-367-0x000000001B580000-0x000000001B5D6000-memory.dmp
                                                    Filesize

                                                    344KB

                                                  • memory/4724-217-0x000000001AFE0000-0x000000001B036000-memory.dmp
                                                    Filesize

                                                    344KB