Overview

overview

10

Static

static

3

4a51d27aaa...0N.exe

windows7-x64

10

4a51d27aaa...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-09-2024 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a51d27aaaa0bb67872d99147bae13d0N.exe

  • Size

    4.9MB

  • MD5

    4a51d27aaaa0bb67872d99147bae13d0

  • SHA1

    a2b4c8f679911bc03a14e4f9be242ef9b0e4d97d

  • SHA256

    9636a592ea745fc8173b9ec8527f94fc8733ca1157837009ead6ed97293e2d5e

  • SHA512

    e208fb10b57ff8dcec352887ac8221bf348af5dbdae73ab1cd6885edbce26a2e81d96bf6f89bd5e482e30c2016fb73172eb714e3f77bebfe43bbd98bed381b6d

  • SSDEEP

    49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 12 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 39 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 11 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 12 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a51d27aaaa0bb67872d99147bae13d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4a51d27aaaa0bb67872d99147bae13d0N.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3736
    • C:\Users\Admin\AppData\Local\Temp\tmpC73C.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC73C.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3396
      • C:\Users\Admin\AppData\Local\Temp\tmpC73C.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpC73C.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:3632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1048
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f31kVUUl1u.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4556
        • C:\Users\Public\Documents\My Pictures\lsass.exe
          "C:\Users\Public\Documents\My Pictures\lsass.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3404
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47697cc7-b7f6-44f9-a9bd-f3448f89f875.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4888
            • C:\Users\Public\Documents\My Pictures\lsass.exe
              "C:\Users\Public\Documents\My Pictures\lsass.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1088
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a652a2b-af7c-43e9-b019-338b95a5f44e.vbs"
                6⤵
                  PID:1884
                  • C:\Users\Public\Documents\My Pictures\lsass.exe
                    "C:\Users\Public\Documents\My Pictures\lsass.exe"
                    7⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:4196
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89b55a4e-dbdc-40e0-8cb6-8b4018264a88.vbs"
                      8⤵
                        PID:4456
                        • C:\Users\Public\Documents\My Pictures\lsass.exe
                          "C:\Users\Public\Documents\My Pictures\lsass.exe"
                          9⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:2728
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a37edbf-09f9-4126-9e41-cc850959ab42.vbs"
                            10⤵
                              PID:3444
                              • C:\Users\Public\Documents\My Pictures\lsass.exe
                                "C:\Users\Public\Documents\My Pictures\lsass.exe"
                                11⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:3336
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\508cecce-bf36-417e-82e6-6afb94eb584c.vbs"
                                  12⤵
                                    PID:4776
                                    • C:\Users\Public\Documents\My Pictures\lsass.exe
                                      "C:\Users\Public\Documents\My Pictures\lsass.exe"
                                      13⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:2252
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\496b2c9a-ee21-4ac0-8b71-a80424eebd8f.vbs"
                                        14⤵
                                          PID:1080
                                          • C:\Users\Public\Documents\My Pictures\lsass.exe
                                            "C:\Users\Public\Documents\My Pictures\lsass.exe"
                                            15⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:4288
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2d05733-fbdc-4f68-92f5-519756dc0601.vbs"
                                              16⤵
                                                PID:556
                                                • C:\Users\Public\Documents\My Pictures\lsass.exe
                                                  "C:\Users\Public\Documents\My Pictures\lsass.exe"
                                                  17⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:2000
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9be3f22d-6ede-40c3-bbe9-733fe1abf8ce.vbs"
                                                    18⤵
                                                      PID:444
                                                      • C:\Users\Public\Documents\My Pictures\lsass.exe
                                                        "C:\Users\Public\Documents\My Pictures\lsass.exe"
                                                        19⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:3360
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9bd2c01-c387-4d1e-9b99-ddc1219db185.vbs"
                                                          20⤵
                                                            PID:4424
                                                            • C:\Users\Public\Documents\My Pictures\lsass.exe
                                                              "C:\Users\Public\Documents\My Pictures\lsass.exe"
                                                              21⤵
                                                              • UAC bypass
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:4208
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7321e4b7-eafa-40a8-8c7f-960f164cec81.vbs"
                                                                22⤵
                                                                  PID:5048
                                                                  • C:\Users\Public\Documents\My Pictures\lsass.exe
                                                                    "C:\Users\Public\Documents\My Pictures\lsass.exe"
                                                                    23⤵
                                                                    • UAC bypass
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:2212
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c021adf6-dced-4fde-a7ab-98f819de0e0b.vbs"
                                                                      24⤵
                                                                        PID:4272
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\175d8cc3-6033-4ca3-a94d-dfd3813cffc4.vbs"
                                                                        24⤵
                                                                          PID:3280
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp810D.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp810D.tmp.exe"
                                                                          24⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3424
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp810D.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp810D.tmp.exe"
                                                                            25⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1572
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp810D.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp810D.tmp.exe"
                                                                              26⤵
                                                                              • Executes dropped EXE
                                                                              PID:1200
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3545eecc-26c0-4d8d-8b66-bf436c0733ef.vbs"
                                                                      22⤵
                                                                        PID:1884
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp4FDB.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp4FDB.tmp.exe"
                                                                        22⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:4332
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp4FDB.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp4FDB.tmp.exe"
                                                                          23⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2180
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp4FDB.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp4FDB.tmp.exe"
                                                                            24⤵
                                                                            • Executes dropped EXE
                                                                            PID:2164
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9a495b9-2129-4d35-94ca-9eb8b9c8ec37.vbs"
                                                                    20⤵
                                                                      PID:2928
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp1EF8.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp1EF8.tmp.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3036
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp1EF8.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp1EF8.tmp.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        PID:1220
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fe40e3b-4666-4195-865a-970160b48d36.vbs"
                                                                  18⤵
                                                                    PID:1924
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bb49d2b-1f3e-4848-86fd-047881545405.vbs"
                                                                16⤵
                                                                  PID:212
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpE421.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpE421.tmp.exe"
                                                                  16⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3312
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpE421.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmpE421.tmp.exe"
                                                                    17⤵
                                                                    • Executes dropped EXE
                                                                    PID:4364
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2d2c8ef-b936-41ed-be9f-f59655760f62.vbs"
                                                              14⤵
                                                                PID:2832
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpC781.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpC781.tmp.exe"
                                                                14⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:3100
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpC781.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpC781.tmp.exe"
                                                                  15⤵
                                                                  • Executes dropped EXE
                                                                  PID:3020
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ccef641-b4b1-4e65-a568-933a06d6141c.vbs"
                                                            12⤵
                                                              PID:3248
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpA8AF.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpA8AF.tmp.exe"
                                                              12⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4348
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpA8AF.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpA8AF.tmp.exe"
                                                                13⤵
                                                                • Executes dropped EXE
                                                                PID:3084
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7e969a3-22c4-4f38-aeed-25d24e5b6a07.vbs"
                                                          10⤵
                                                            PID:1840
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp8AA7.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp8AA7.tmp.exe"
                                                            10⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3132
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp8AA7.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp8AA7.tmp.exe"
                                                              11⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:424
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp8AA7.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp8AA7.tmp.exe"
                                                                12⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:3904
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp8AA7.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp8AA7.tmp.exe"
                                                                  13⤵
                                                                  • Executes dropped EXE
                                                                  PID:1328
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be7e28fc-6005-4d59-8aa5-7e20af847347.vbs"
                                                        8⤵
                                                          PID:4500
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp.exe"
                                                          8⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1936
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp.exe"
                                                            9⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1828
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp.exe"
                                                              10⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:5080
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp.exe"
                                                                11⤵
                                                                • Executes dropped EXE
                                                                PID:1080
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2af6cac-dd35-455f-aabc-9f45576cbdb9.vbs"
                                                      6⤵
                                                        PID:3712
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp265F.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp265F.tmp.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:3472
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp265F.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp265F.tmp.exe"
                                                          7⤵
                                                          • Executes dropped EXE
                                                          PID:1076
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ec51668-1e52-491d-b978-8c785f83a540.vbs"
                                                    4⤵
                                                      PID:1296
                                                    • C:\Users\Admin\AppData\Local\Temp\tmpF57C.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmpF57C.tmp.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1392
                                                      • C:\Users\Admin\AppData\Local\Temp\tmpF57C.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmpF57C.tmp.exe"
                                                        5⤵
                                                        • Executes dropped EXE
                                                        PID:2656
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\System.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4088
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3124
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2012
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2000
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4876
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3896
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2136
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3356
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3376
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4520
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3336
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1012
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:628
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:436
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4036
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:384
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3424
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3360
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Pictures\lsass.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2376
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3392
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Pictures\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1088

                                              Network

                                              MITRE ATT&CK Matrix ATT&CK v13

                                              Initial Access

                                              Execution

                                              Command and Scripting Interpreter

                                              1
                                              T1059

                                              PowerShell

                                              1
                                              T1059.001

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Persistence

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Privilege Escalation

                                              Abuse Elevation Control Mechanism

                                              1
                                              T1548

                                              Bypass User Account Control

                                              1
                                              T1548.002

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Defense Evasion

                                              Abuse Elevation Control Mechanism

                                              1
                                              T1548

                                              Bypass User Account Control

                                              1
                                              T1548.002

                                              Impair Defenses

                                              1
                                              T1562

                                              Disable or Modify Tools

                                              1
                                              T1562.001

                                              Modify Registry

                                              2
                                              T1112

                                              Credential Access

                                              Discovery

                                              Query Registry

                                              2
                                              T1012

                                              System Information Discovery

                                              3
                                              T1082

                                              System Location Discovery

                                              1
                                              T1614

                                              System Language Discovery

                                              1
                                              T1614.001

                                              Lateral Movement

                                              Collection

                                              Exfiltration

                                              Command and Control

                                              Impact

                                              Resource Development

                                              Reconnaissance

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Recovery\WindowsRE\smss.exe
                                                Filesize

                                                4.9MB

                                                MD5

                                                4a51d27aaaa0bb67872d99147bae13d0

                                                SHA1

                                                a2b4c8f679911bc03a14e4f9be242ef9b0e4d97d

                                                SHA256

                                                9636a592ea745fc8173b9ec8527f94fc8733ca1157837009ead6ed97293e2d5e

                                                SHA512

                                                e208fb10b57ff8dcec352887ac8221bf348af5dbdae73ab1cd6885edbce26a2e81d96bf6f89bd5e482e30c2016fb73172eb714e3f77bebfe43bbd98bed381b6d

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log
                                                Filesize

                                                1KB

                                                MD5

                                                4a667f150a4d1d02f53a9f24d89d53d1

                                                SHA1

                                                306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                SHA256

                                                414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                SHA512

                                                4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                Filesize

                                                2KB

                                                MD5

                                                750e4be22a6fdadd7778a388198a9ee3

                                                SHA1

                                                8feb2054d8a3767833dd972535df54f0c3ab6648

                                                SHA256

                                                26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1

                                                SHA512

                                                b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                6c47b3f4e68eebd47e9332eebfd2dd4e

                                                SHA1

                                                67f0b143336d7db7b281ed3de5e877fa87261834

                                                SHA256

                                                8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

                                                SHA512

                                                0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                a8e8360d573a4ff072dcc6f09d992c88

                                                SHA1

                                                3446774433ceaf0b400073914facab11b98b6807

                                                SHA256

                                                bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

                                                SHA512

                                                4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                3a6bad9528f8e23fb5c77fbd81fa28e8

                                                SHA1

                                                f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                SHA256

                                                986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                SHA512

                                                846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                e243a38635ff9a06c87c2a61a2200656

                                                SHA1

                                                ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                                                SHA256

                                                af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                                                SHA512

                                                4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\0a37edbf-09f9-4126-9e41-cc850959ab42.vbs
                                                Filesize

                                                723B

                                                MD5

                                                2359a89f6e8b6ae751e959020fb0f93a

                                                SHA1

                                                cb7bb7d5dc10047c109372100e4464d93526f4e2

                                                SHA256

                                                9f73f3766d3bb963ed64290fb907b36461ed28d72a45deea683e89b2080326bf

                                                SHA512

                                                1e8af15b439764df10b03e7850810372baf13cc606ecb7933cdd488850e2b7b9e30e2c3ff354da5fa83eb43756b4de659c9c028d5b23d5ad057c82337ebef515

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\0a652a2b-af7c-43e9-b019-338b95a5f44e.vbs
                                                Filesize

                                                723B

                                                MD5

                                                281776ae4febbdb027b8782159a91e53

                                                SHA1

                                                9ee051dd9f4f90de1b0d806e0832f2b1bd46ca70

                                                SHA256

                                                e0216a1c1c9684691f6bcd161efbb1a231bcf14f41390043b82b35ec61f81a31

                                                SHA512

                                                74d761b26c54370165457e854f927140e1d9c0fbb8164c08e8c5c6031aa61dfb813ff171a1837aa91a2ace772e9b63432b40192c1a0e199f3a8cfb6fd7705a71

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\24ed40838b9f579435a6e745173fddd10a913c70.exe
                                                Filesize

                                                4.9MB

                                                MD5

                                                291aa915328460aa74080047276c613b

                                                SHA1

                                                656eea285c15e7c7cf8bd6691bffcf1b0db693a9

                                                SHA256

                                                f94a2de86db2c6bda5f0354b4e157b1c3fad28ae286989317f652927887c48fb

                                                SHA512

                                                9cf21e2526cb7061e0edfe0a768867a68c10aba3cafe764395f185ab9a00ce474b9a966b70906d7e0d045453638fa43f717b3d584f1a1496451a35cee0dc8588

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\47697cc7-b7f6-44f9-a9bd-f3448f89f875.vbs
                                                Filesize

                                                723B

                                                MD5

                                                b4e6a2f0930521bd912a8e3634743070

                                                SHA1

                                                f8dc77f75affec204cd4e73a594d8903248af908

                                                SHA256

                                                934ff30029149668025c3664761dfffe01e8e9865fbc1941b480cb4e9308fe12

                                                SHA512

                                                27228002734ef0ec0ccd13d06eb5af3a450df2bf02a46f2752b89732edfa323d15087920adc473f0d4653807ad8d98e4105bc37fc9999338b417e2e75887cae3

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\496b2c9a-ee21-4ac0-8b71-a80424eebd8f.vbs
                                                Filesize

                                                723B

                                                MD5

                                                f9306a77e73bcbc01592149c683f70fd

                                                SHA1

                                                d94d61bebe5d910c1071e36583f224aea7df8521

                                                SHA256

                                                6013bc29f6d01e22ba494fb678e69e758f0468e80c55324e6467abf5b6700b1e

                                                SHA512

                                                8f57bba2213833920335b5caa088dadc6e2b18d4b39e8bd583eb92c7c95bda43271b9c9d78d26c58d783d74886c3701aed8eff05b6e0762b922bd77f3e03a69d

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\508cecce-bf36-417e-82e6-6afb94eb584c.vbs
                                                Filesize

                                                723B

                                                MD5

                                                14202f1768666b875c21926d73d59017

                                                SHA1

                                                847ac1217e62c47702ead5e13356964d6604a6d8

                                                SHA256

                                                0a261c15aab068ff3fbb86b2567c537608454e5e558a78e3528b90b32928d320

                                                SHA512

                                                149d32efe0f1618ddb46e71a7a01eb3e03f7085b974f41abded98ffa9c176a4efff5025b5163a18f1265cd8106d785a69424e4ea7568cb1b1c53340e57328038

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\89b55a4e-dbdc-40e0-8cb6-8b4018264a88.vbs
                                                Filesize

                                                723B

                                                MD5

                                                f808eda47097e8220db8be4228553f8d

                                                SHA1

                                                7b47fc0a06af368f90c64fe0ed8bc0da8a751db9

                                                SHA256

                                                108ba4c9de56087c1b21b6ed4b3403fa9799f2f253ec88767d783927741b5eb2

                                                SHA512

                                                d5961e26df594b709d5802b2dca4ab36a5cddf120098a353acd54870d729fb49d5f088b8f59a1f03755e5ce4d0eb7160fd14c99601785496c1f46c048434802b

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\9ec51668-1e52-491d-b978-8c785f83a540.vbs
                                                Filesize

                                                499B

                                                MD5

                                                ad4018cdc0104c07b7eeb4467011093e

                                                SHA1

                                                a285b7ade2e19e7703d7ddae1b0ae3874d5af02d

                                                SHA256

                                                48550c5b3c193aa8e33e59a2d435e8ad15a321f1daf021b3332c75117a0bb1e5

                                                SHA512

                                                d7203ac840cc95c0b4c160777beb75210aeb999a894cd74e255437d85bcf24fe292ce9a193a901979f6f64bfae93f74097c4abab2d5694a231be915c573a048e

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymxyz04y.uy2.ps1
                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\f31kVUUl1u.bat
                                                Filesize

                                                212B

                                                MD5

                                                c2514225eec6e82091a4236c2ccd4b6b

                                                SHA1

                                                e854403da0a376a2bd9b46164c8c96e5286f6d6c

                                                SHA256

                                                207e604c7970c347c25af358c0f3373a4e8b916327f706a168583de5221bb216

                                                SHA512

                                                bcb001b672b5b197ee9f05407e8d99db353334a1f1aea70445ab30a606f98e2dbace53623230bc220fb01406531364cbbb524b84fd26ef2933d25f264e2480f8

                                                Download Submit
                                              • C:\Users\Admin\AppData\Local\Temp\tmpC73C.tmp.exe
                                                Filesize

                                                75KB

                                                MD5

                                                e0a68b98992c1699876f818a22b5b907

                                                SHA1

                                                d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                SHA256

                                                2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                SHA512

                                                856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                Download Submit
                                              • memory/3632-65-0x0000000000400000-0x0000000000407000-memory.dmp
                                                Filesize

                                                28KB

                                                Download
                                              • memory/3736-5-0x000000001C520000-0x000000001C570000-memory.dmp
                                                Filesize

                                                320KB

                                                Download
                                              • memory/3736-7-0x00000000019E0000-0x00000000019F0000-memory.dmp
                                                Filesize

                                                64KB

                                                Download
                                              • memory/3736-11-0x000000001BEF0000-0x000000001BF02000-memory.dmp
                                                Filesize

                                                72KB

                                                Download
                                              • memory/3736-9-0x0000000001A00000-0x0000000001A10000-memory.dmp
                                                Filesize

                                                64KB

                                                Download
                                              • memory/3736-8-0x000000001BEC0000-0x000000001BED6000-memory.dmp
                                                Filesize

                                                88KB

                                                Download
                                              • memory/3736-17-0x000000001C5A0000-0x000000001C5A8000-memory.dmp
                                                Filesize

                                                32KB

                                                Download
                                              • memory/3736-12-0x000000001CAA0000-0x000000001CFC8000-memory.dmp
                                                Filesize

                                                5.2MB

                                                Download
                                              • memory/3736-15-0x000000001C580000-0x000000001C58E000-memory.dmp
                                                Filesize

                                                56KB

                                                Download
                                              • memory/3736-13-0x000000001BF00000-0x000000001BF0A000-memory.dmp
                                                Filesize

                                                40KB

                                                Download
                                              • memory/3736-14-0x000000001C570000-0x000000001C57E000-memory.dmp
                                                Filesize

                                                56KB

                                                Download
                                              • memory/3736-16-0x000000001C590000-0x000000001C598000-memory.dmp
                                                Filesize

                                                32KB

                                                Download
                                              • memory/3736-1-0x0000000000B10000-0x0000000001004000-memory.dmp
                                                Filesize

                                                5.0MB

                                                Download
                                              • memory/3736-100-0x00007FFC0AED0000-0x00007FFC0B991000-memory.dmp
                                                Filesize

                                                10.8MB

                                                Download
                                              • memory/3736-10-0x000000001BEE0000-0x000000001BEEA000-memory.dmp
                                                Filesize

                                                40KB

                                                Download
                                              • memory/3736-18-0x000000001C5B0000-0x000000001C5BC000-memory.dmp
                                                Filesize

                                                48KB

                                                Download
                                              • memory/3736-6-0x0000000001810000-0x0000000001818000-memory.dmp
                                                Filesize

                                                32KB

                                                Download
                                              • memory/3736-0-0x00007FFC0AED3000-0x00007FFC0AED5000-memory.dmp
                                                Filesize

                                                8KB

                                                Download
                                              • memory/3736-4-0x00000000019C0000-0x00000000019DC000-memory.dmp
                                                Filesize

                                                112KB

                                                Download
                                              • memory/3736-3-0x000000001BD90000-0x000000001BEBE000-memory.dmp
                                                Filesize

                                                1.2MB

                                                Download
                                              • memory/3736-2-0x00007FFC0AED0000-0x00007FFC0B991000-memory.dmp
                                                Filesize

                                                10.8MB

                                                Download
                                              • memory/4696-106-0x000001D96DCA0000-0x000001D96DCC2000-memory.dmp
                                                Filesize

                                                136KB

                                                Download