Overview

overview

10

Static

static

3

443110dabe...0N.exe

windows7-x64

10

443110dabe...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 14:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    443110dabe7095bf8afe27bf3dc27f60N.exe

  • Size

    4.9MB

  • MD5

    443110dabe7095bf8afe27bf3dc27f60

  • SHA1

    03554dc5583fd4d38124bf4f65405faadf61543e

  • SHA256

    43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3

  • SHA512

    aca75451bf62ffa71190bcac77606c1dae1edf9813ded3443c2a5f6535a71ee2809bbf3889e31b40cc9dcccf85675e67be9103329e6e7566b157f2b004da5070

  • SSDEEP

    49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 39 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 13 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 43 IoCs
  • Checks whether UAC is enabled 1 TTPs 26 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 12 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 39 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\443110dabe7095bf8afe27bf3dc27f60N.exe
    "C:\Users\Admin\AppData\Local\Temp\443110dabe7095bf8afe27bf3dc27f60N.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1188
        • C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:428
          • C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe"
            5⤵
            • Executes dropped EXE
            PID:536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2600
        • C:\Users\Default User\sihost.exe
          "C:\Users\Default User\sihost.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4132
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8db6f8fa-8cd0-4d63-8e4e-2305d4ff3c36.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4640
            • C:\Users\Default User\sihost.exe
              "C:\Users\Default User\sihost.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3536
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32b6c907-9c96-4103-b071-4da97fe46428.vbs"
                6⤵
                  PID:552
                  • C:\Users\Default User\sihost.exe
                    "C:\Users\Default User\sihost.exe"
                    7⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:4556
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e6dbd43-b5bb-4950-971b-c287b0c903f9.vbs"
                      8⤵
                        PID:3268
                        • C:\Users\Default User\sihost.exe
                          "C:\Users\Default User\sihost.exe"
                          9⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:712
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1781e0-c6ef-4c39-89c7-8bbb4a83abb9.vbs"
                            10⤵
                              PID:1712
                              • C:\Users\Default User\sihost.exe
                                "C:\Users\Default User\sihost.exe"
                                11⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:2216
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4188341-f327-4cc1-9c97-d6709a84fc82.vbs"
                                  12⤵
                                    PID:3184
                                    • C:\Users\Default User\sihost.exe
                                      "C:\Users\Default User\sihost.exe"
                                      13⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:3652
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5f3a6c8-5ee7-4e61-b0bf-84799ae87156.vbs"
                                        14⤵
                                          PID:4340
                                          • C:\Users\Default User\sihost.exe
                                            "C:\Users\Default User\sihost.exe"
                                            15⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:4708
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8101b14a-f9de-4462-af3e-a8180a871651.vbs"
                                              16⤵
                                                PID:4584
                                                • C:\Users\Default User\sihost.exe
                                                  "C:\Users\Default User\sihost.exe"
                                                  17⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:3488
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5a618ca-2692-4763-a38f-1c2cf9651010.vbs"
                                                    18⤵
                                                      PID:5016
                                                      • C:\Users\Default User\sihost.exe
                                                        "C:\Users\Default User\sihost.exe"
                                                        19⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:1820
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b176466c-79a4-4b5b-b8fc-b66c558ecc6e.vbs"
                                                          20⤵
                                                            PID:2864
                                                            • C:\Users\Default User\sihost.exe
                                                              "C:\Users\Default User\sihost.exe"
                                                              21⤵
                                                              • UAC bypass
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:1504
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bee86bb2-5482-494c-a869-248d1a44da60.vbs"
                                                                22⤵
                                                                  PID:3392
                                                                  • C:\Users\Default User\sihost.exe
                                                                    "C:\Users\Default User\sihost.exe"
                                                                    23⤵
                                                                    • UAC bypass
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:1788
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fa2c216-6c24-4bad-a967-eccf01032b4c.vbs"
                                                                      24⤵
                                                                        PID:3352
                                                                        • C:\Users\Default User\sihost.exe
                                                                          "C:\Users\Default User\sihost.exe"
                                                                          25⤵
                                                                          • UAC bypass
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Checks whether UAC is enabled
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • System policy modification
                                                                          PID:3664
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf74533b-9f15-428f-8fd1-ae31808bafa9.vbs"
                                                                            26⤵
                                                                              PID:4320
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7ca596e-8b63-4fc6-a5fb-e338218e8215.vbs"
                                                                              26⤵
                                                                                PID:4520
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe"
                                                                                26⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:4488
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe"
                                                                                  27⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:3516
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b17a4a77-09d3-49a6-a2b8-f3ecba8c2411.vbs"
                                                                            24⤵
                                                                              PID:2248
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp3CC1.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp3CC1.tmp.exe"
                                                                              24⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:3880
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp3CC1.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp3CC1.tmp.exe"
                                                                                25⤵
                                                                                • Executes dropped EXE
                                                                                PID:2216
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f215b62-abf4-441d-a9bc-a1aba033d75e.vbs"
                                                                          22⤵
                                                                            PID:4196
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:536
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:3388
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe"
                                                                                24⤵
                                                                                • Executes dropped EXE
                                                                                PID:1368
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f0c8436-49f7-4acc-b358-65b989529b96.vbs"
                                                                        20⤵
                                                                          PID:3648
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpEE82.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpEE82.tmp.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3632
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpEE82.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpEE82.tmp.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            PID:4464
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3bcff55-3f66-4163-ac32-a8bf5ad4ec49.vbs"
                                                                      18⤵
                                                                        PID:3024
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe"
                                                                        18⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2828
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe"
                                                                          19⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2628
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe"
                                                                            20⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1464
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe"
                                                                              21⤵
                                                                              • Executes dropped EXE
                                                                              PID:5112
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c9b29b3-5d1e-42ec-9374-a7fb81fe0eb5.vbs"
                                                                    16⤵
                                                                      PID:4160
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmpB64B.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmpB64B.tmp.exe"
                                                                      16⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2080
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpB64B.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpB64B.tmp.exe"
                                                                        17⤵
                                                                        • Executes dropped EXE
                                                                        PID:3352
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8308a4f-d02f-4e39-95aa-da52a7dccd37.vbs"
                                                                  14⤵
                                                                    PID:2492
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp8529.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp8529.tmp.exe"
                                                                    14⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:1400
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp8529.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp8529.tmp.exe"
                                                                      15⤵
                                                                      • Executes dropped EXE
                                                                      PID:4700
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c31e641-6c0b-4820-a1a2-3e9a6b7be0bd.vbs"
                                                                12⤵
                                                                  PID:4256
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp65F8.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp65F8.tmp.exe"
                                                                  12⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:5112
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp65F8.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp65F8.tmp.exe"
                                                                    13⤵
                                                                    • Executes dropped EXE
                                                                    PID:4252
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9fd7037-cb5a-42db-a49d-e399798bf213.vbs"
                                                              10⤵
                                                                PID:3524
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe"
                                                                10⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2100
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe"
                                                                  11⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:860
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe"
                                                                    12⤵
                                                                    • Executes dropped EXE
                                                                    PID:4264
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3069fc8b-8b05-429b-8e6d-8f6e29168b2c.vbs"
                                                            8⤵
                                                              PID:3952
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d2e6c1c-ccd9-4e26-8ba8-83cd5f691ba4.vbs"
                                                          6⤵
                                                            PID:64
                                                          • C:\Users\Admin\AppData\Local\Temp\tmpFBA6.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmpFBA6.tmp.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:640
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpFBA6.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpFBA6.tmp.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              PID:4248
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81ad4c7b-4198-4aef-b362-64f220940e57.vbs"
                                                        4⤵
                                                          PID:1288
                                                        • C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe"
                                                          4⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:4748
                                                          • C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe"
                                                            5⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:3524
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe"
                                                              6⤵
                                                              • Executes dropped EXE
                                                              PID:1412
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\dllhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1088
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Performance\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1848
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\dllhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2628
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\lsass.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1332
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\lsass.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4740
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\lsass.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4980
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\backgroundTaskHost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3356
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4208
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4712
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\HomeGroup\csrss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1400
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3596
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\HomeGroup\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:228
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sihost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2580
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4940
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4776
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3052
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:756
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3436
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\services.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4624
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3880
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2232
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\csrss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4640
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\schemas\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4768
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2100
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3824
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4956
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4944
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lua\winlogon.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4112
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4912
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\winlogon.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1308

                                                  Network

                                                  MITRE ATT&CK Matrix ATT&CK v13

                                                  Initial Access

                                                  Execution

                                                  Command and Scripting Interpreter

                                                  1
                                                  T1059

                                                  PowerShell

                                                  1
                                                  T1059.001

                                                  Scheduled Task/Job

                                                  1
                                                  T1053

                                                  Scheduled Task

                                                  1
                                                  T1053.005

                                                  Persistence

                                                  Scheduled Task/Job

                                                  1
                                                  T1053

                                                  Scheduled Task

                                                  1
                                                  T1053.005

                                                  Privilege Escalation

                                                  Abuse Elevation Control Mechanism

                                                  1
                                                  T1548

                                                  Bypass User Account Control

                                                  1
                                                  T1548.002

                                                  Scheduled Task/Job

                                                  1
                                                  T1053

                                                  Scheduled Task

                                                  1
                                                  T1053.005

                                                  Defense Evasion

                                                  Abuse Elevation Control Mechanism

                                                  1
                                                  T1548

                                                  Bypass User Account Control

                                                  1
                                                  T1548.002

                                                  Impair Defenses

                                                  1
                                                  T1562

                                                  Disable or Modify Tools

                                                  1
                                                  T1562.001

                                                  Modify Registry

                                                  2
                                                  T1112

                                                  Credential Access

                                                  Discovery

                                                  Query Registry

                                                  2
                                                  T1012

                                                  System Information Discovery

                                                  3
                                                  T1082

                                                  System Location Discovery

                                                  1
                                                  T1614

                                                  System Language Discovery

                                                  1
                                                  T1614.001

                                                  Lateral Movement

                                                  Collection

                                                  Exfiltration

                                                  Command and Control

                                                  Impact

                                                  Resource Development

                                                  Reconnaissance

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                    SHA1

                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                    SHA256

                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                    SHA512

                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    4a667f150a4d1d02f53a9f24d89d53d1

                                                    SHA1

                                                    306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                    SHA256

                                                    414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                    SHA512

                                                    4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    cadef9abd087803c630df65264a6c81c

                                                    SHA1

                                                    babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                    SHA256

                                                    cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                    SHA512

                                                    7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    a8e8360d573a4ff072dcc6f09d992c88

                                                    SHA1

                                                    3446774433ceaf0b400073914facab11b98b6807

                                                    SHA256

                                                    bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

                                                    SHA512

                                                    4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    e243a38635ff9a06c87c2a61a2200656

                                                    SHA1

                                                    ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                                                    SHA256

                                                    af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                                                    SHA512

                                                    4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    3a6bad9528f8e23fb5c77fbd81fa28e8

                                                    SHA1

                                                    f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                    SHA256

                                                    986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                    SHA512

                                                    846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    bd5940f08d0be56e65e5f2aaf47c538e

                                                    SHA1

                                                    d7e31b87866e5e383ab5499da64aba50f03e8443

                                                    SHA256

                                                    2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                    SHA512

                                                    c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    d28a889fd956d5cb3accfbaf1143eb6f

                                                    SHA1

                                                    157ba54b365341f8ff06707d996b3635da8446f7

                                                    SHA256

                                                    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                    SHA512

                                                    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Temp\1e6dbd43-b5bb-4950-971b-c287b0c903f9.vbs
                                                    Filesize

                                                    708B

                                                    MD5

                                                    7fd1a29365b85604bd7cb7a6c9c223ce

                                                    SHA1

                                                    fed6ae6e0c736f57fb443415198bd63e41190372

                                                    SHA256

                                                    ed1e3b8d6c4a03710365360d9be0cb2a962cd574433585b7aa7f6ae8b44ed0f0

                                                    SHA512

                                                    c4bd5e09dbed8dbf0f14a061e6a78687506cbb86c7c20adac217dc2673ad12b2c0ec794c5c3212deb75f9bc37f532c9a15d25c2499c0749db1dc3c7aaf2fc6ab

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Temp\32b6c907-9c96-4103-b071-4da97fe46428.vbs
                                                    Filesize

                                                    708B

                                                    MD5

                                                    fc8f3614f5f864f9ee530d46a82b0ce7

                                                    SHA1

                                                    f6c171c7dc080019495327981ac120cb47a5c2e3

                                                    SHA256

                                                    890120cb745220f083a41c892758682389bed28cceb8d9d0513664bbe9f5bd3c

                                                    SHA512

                                                    eb27ed3401c73de88190c02dce6f48eaa8111be35b0f754a68cb2bc068b3c10b8dab456ddc94221af9fd4398557a2f9c762499c4053e5c305417b62443689ade

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Temp\3b1781e0-c6ef-4c39-89c7-8bbb4a83abb9.vbs
                                                    Filesize

                                                    707B

                                                    MD5

                                                    0cf23959eee00121f2a8f1f7cefd3c0b

                                                    SHA1

                                                    e45f29441450051eb1fe4ea748a7d7d1da7bacb5

                                                    SHA256

                                                    ecb0c86781acc66dade808c28dcea18f8652aa7a6270c6ffa8afe3dc3ef4f04d

                                                    SHA512

                                                    bbc31b050dc0653ba014da31fdd6e6659cc70a25550b669486dc38d604d98fd4ecccfb5559c701270d7a085c08d32399e8d65f9adfa9439d27864b22f71314fb

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Temp\8101b14a-f9de-4462-af3e-a8180a871651.vbs
                                                    Filesize

                                                    708B

                                                    MD5

                                                    ab2acc8a6f715aa9743b2cad4fa91e59

                                                    SHA1

                                                    e6b18bd6335f4933816bd51cd79ab4c7a6dfa0bb

                                                    SHA256

                                                    3ac35a2722b8a4760600bb8f217b11df19507f9a9fae276a402ba296efc14db1

                                                    SHA512

                                                    7e093806ecd445c6c76e9b59801078d13ff7bc627ef368fcf9a6d02ed216652d8a70eb83ed06c0cb78afd1276976bf49b37489592971d32d30dfc535d0f80751

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Temp\81ad4c7b-4198-4aef-b362-64f220940e57.vbs
                                                    Filesize

                                                    484B

                                                    MD5

                                                    b2c0b417b2f055fd3adfbc6029956381

                                                    SHA1

                                                    43dfe33cd8ad46bb979c1140b19a7bca8a74b508

                                                    SHA256

                                                    99ed841de01b388bd59ae125443ce0d49ebaea078b03b3778bd3adcca18c6af3

                                                    SHA512

                                                    6f5f741b7eb986db44704efe24b93caf169bfc38e2fbbbe6906c4c850d0c4741180ad31bbcd47008b7edb0dc05e1b3dab951e2d509e8e04a1e20b9c392ce381d

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Temp\8db6f8fa-8cd0-4d63-8e4e-2305d4ff3c36.vbs
                                                    Filesize

                                                    708B

                                                    MD5

                                                    ffde5f4d99ca5856aa8ab10c0fb4218b

                                                    SHA1

                                                    9c15e652551b2313555a3e7984f5dc56e863af59

                                                    SHA256

                                                    2f5b9c07363fdd493d6a43afe3dcf6bdea16d8d75d626d635f85f7af453dacbf

                                                    SHA512

                                                    24af066d4fe199d384f4feca0e7a9358b705bce351c3b6d7c66fce291058e65f9b8488aa63d574bfdc5c0ecf839135481a0f25591a06ecd4fe1f1aeda963c975

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wpaoqlfj.qg5.ps1
                                                    Filesize

                                                    60B

                                                    MD5

                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                    SHA1

                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                    SHA256

                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                    SHA512

                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Temp\f4188341-f327-4cc1-9c97-d6709a84fc82.vbs
                                                    Filesize

                                                    708B

                                                    MD5

                                                    6ab71d34cefb2c440b11ce7ab726f716

                                                    SHA1

                                                    d61f0c625f8309a960e91da5b72f94b420e66fd0

                                                    SHA256

                                                    89c28052c9b6cca4db094f71de9c15260f0776b21bd8155cdd11f168825abd03

                                                    SHA512

                                                    fee613abd923b37d8110c316744a20abf067d92fa0b527ff6fc0918e81b0cf061bf9aacd62f9a1b80f230ae3de52fd24c91c2899eef1f3c08207ac1999a16c2c

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Temp\f5f3a6c8-5ee7-4e61-b0bf-84799ae87156.vbs
                                                    Filesize

                                                    708B

                                                    MD5

                                                    48d5c0604c2f7a3ffc30872c8838bd3a

                                                    SHA1

                                                    adef2c576de38a15e8abb068b4cd35d071dc61e1

                                                    SHA256

                                                    f52dc480d0c249631197912078a49047529e3291497f2acb3be03d54da143ac4

                                                    SHA512

                                                    6da28f957e8db1e0fda08d3b073fff08b76afdd4ae2d4e053a2001a5458c4360202418bbe7c3ad81a46e27d14078ba72fe666c30b20e82baa4958dc70af788cb

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe
                                                    Filesize

                                                    75KB

                                                    MD5

                                                    e0a68b98992c1699876f818a22b5b907

                                                    SHA1

                                                    d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                    SHA256

                                                    2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                    SHA512

                                                    856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                    Download Submit
                                                  • C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat
                                                    Filesize

                                                    197B

                                                    MD5

                                                    938003953aa7b9a848d74de8c1f8762e

                                                    SHA1

                                                    97d97c02e675db601366440e6091ff90a6c168b6

                                                    SHA256

                                                    ef1d3c96daa5ee3553a71755075e5d6385f5235fa346a4c9cd7f69726dbcaa86

                                                    SHA512

                                                    b95f9ecbb898425c337c4048c5f47724998e447f8f705b9b1c05dccc6f00a62d2c081e6fdc8864d6826d712d2ff4c7c826749a1f44aa426460279815578c5997

                                                    Download Submit
                                                  • C:\Users\Default\sihost.exe
                                                    Filesize

                                                    4.9MB

                                                    MD5

                                                    443110dabe7095bf8afe27bf3dc27f60

                                                    SHA1

                                                    03554dc5583fd4d38124bf4f65405faadf61543e

                                                    SHA256

                                                    43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3

                                                    SHA512

                                                    aca75451bf62ffa71190bcac77606c1dae1edf9813ded3443c2a5f6535a71ee2809bbf3889e31b40cc9dcccf85675e67be9103329e6e7566b157f2b004da5070

                                                    Download Submit
                                                  • memory/536-77-0x0000000000400000-0x0000000000407000-memory.dmp
                                                    Filesize

                                                    28KB

                                                    Download
                                                  • memory/1504-457-0x0000000003410000-0x0000000003422000-memory.dmp
                                                    Filesize

                                                    72KB

                                                    Download
                                                  • memory/1820-440-0x000000001BAA0000-0x000000001BAB2000-memory.dmp
                                                    Filesize

                                                    72KB

                                                    Download
                                                  • memory/2412-139-0x000001D66C050000-0x000001D66C072000-memory.dmp
                                                    Filesize

                                                    136KB

                                                    Download
                                                  • memory/2944-133-0x00007FF958AF0000-0x00007FF9595B1000-memory.dmp
                                                    Filesize

                                                    10.8MB

                                                    Download
                                                  • memory/2944-10-0x0000000002C90000-0x0000000002C9A000-memory.dmp
                                                    Filesize

                                                    40KB

                                                    Download
                                                  • memory/2944-12-0x000000001C5A0000-0x000000001CAC8000-memory.dmp
                                                    Filesize

                                                    5.2MB

                                                    Download
                                                  • memory/2944-13-0x000000001B7F0000-0x000000001B7FA000-memory.dmp
                                                    Filesize

                                                    40KB

                                                    Download
                                                  • memory/2944-16-0x000000001B820000-0x000000001B828000-memory.dmp
                                                    Filesize

                                                    32KB

                                                    Download
                                                  • memory/2944-17-0x000000001B830000-0x000000001B838000-memory.dmp
                                                    Filesize

                                                    32KB

                                                    Download
                                                  • memory/2944-18-0x000000001B840000-0x000000001B84C000-memory.dmp
                                                    Filesize

                                                    48KB

                                                    Download
                                                  • memory/2944-15-0x000000001B810000-0x000000001B81E000-memory.dmp
                                                    Filesize

                                                    56KB

                                                    Download
                                                  • memory/2944-14-0x000000001B800000-0x000000001B80E000-memory.dmp
                                                    Filesize

                                                    56KB

                                                    Download
                                                  • memory/2944-1-0x00000000004E0000-0x00000000009D4000-memory.dmp
                                                    Filesize

                                                    5.0MB

                                                    Download
                                                  • memory/2944-11-0x0000000002CA0000-0x0000000002CB2000-memory.dmp
                                                    Filesize

                                                    72KB

                                                    Download
                                                  • memory/2944-0-0x00007FF958AF3000-0x00007FF958AF5000-memory.dmp
                                                    Filesize

                                                    8KB

                                                    Download
                                                  • memory/2944-7-0x0000000002C50000-0x0000000002C60000-memory.dmp
                                                    Filesize

                                                    64KB

                                                    Download
                                                  • memory/2944-3-0x000000001B8A0000-0x000000001B9CE000-memory.dmp
                                                    Filesize

                                                    1.2MB

                                                    Download
                                                  • memory/2944-8-0x0000000002C60000-0x0000000002C76000-memory.dmp
                                                    Filesize

                                                    88KB

                                                    Download
                                                  • memory/2944-2-0x00007FF958AF0000-0x00007FF9595B1000-memory.dmp
                                                    Filesize

                                                    10.8MB

                                                    Download
                                                  • memory/2944-9-0x0000000002C80000-0x0000000002C90000-memory.dmp
                                                    Filesize

                                                    64KB

                                                    Download
                                                  • memory/2944-4-0x0000000002C30000-0x0000000002C4C000-memory.dmp
                                                    Filesize

                                                    112KB

                                                    Download
                                                  • memory/2944-6-0x00000000012D0000-0x00000000012D8000-memory.dmp
                                                    Filesize

                                                    32KB

                                                    Download
                                                  • memory/2944-5-0x000000001B7A0000-0x000000001B7F0000-memory.dmp
                                                    Filesize

                                                    320KB

                                                    Download
                                                  • memory/3536-289-0x000000001BBC0000-0x000000001BBD2000-memory.dmp
                                                    Filesize

                                                    72KB

                                                    Download
                                                  • memory/4132-261-0x000000001B700000-0x000000001B712000-memory.dmp
                                                    Filesize

                                                    72KB

                                                    Download
                                                  • memory/4556-313-0x000000001C070000-0x000000001C082000-memory.dmp
                                                    Filesize

                                                    72KB

                                                    Download