Overview

overview

10

Static

static

3

037a85041f...bN.exe

windows7-x64

10

037a85041f...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-09-2024 22:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe

  • Size

    4.9MB

  • MD5

    10f3103c215eedcf2d565af9f05bab30

  • SHA1

    72bb830358a487788941037e0ad611b528480736

  • SHA256

    037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9b

  • SHA512

    9134c6da84497f9be241df7ecb15e0285eaff148f191a432690d3fdac844824bee5ca02076255097bd807622b1cbee9fd27b85f34969b1efc6b003d794b2f82e

  • SSDEEP

    49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • DcRat 41 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 42 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 33 IoCs
  • Checks whether UAC is enabled 1 TTPs 28 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 9 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 42 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
    "C:\Users\Admin\AppData\Local\Temp\037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4944
    • C:\Users\Admin\AppData\Local\Temp\tmpBE61.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBE61.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Users\Admin\AppData\Local\Temp\tmpBE61.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpBE61.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:4028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4620
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MZYQImRpZ2.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3188
        • C:\Users\Admin\AppData\Local\Temp\037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe
          "C:\Users\Admin\AppData\Local\Temp\037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4240
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
          • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
            "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
            4⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:4344
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a169a1fd-3137-421c-9789-589114e7c965.vbs"
              5⤵
                PID:3824
                • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
                  "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
                  6⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:2260
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\190ebbe5-e4cd-4bbd-ac72-f79f0200c16a.vbs"
                    7⤵
                      PID:4932
                      • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
                        "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
                        8⤵
                        • UAC bypass
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:964
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e7072f1-b6c4-459f-af53-2ccc25d92f47.vbs"
                          9⤵
                            PID:3680
                            • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
                              "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
                              10⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1780
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce425cc3-5e87-4d84-a17e-323e638f24ae.vbs"
                                11⤵
                                  PID:4972
                                  • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
                                    "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
                                    12⤵
                                    • UAC bypass
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Modifies registry class
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:4564
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c9a212b-f8f3-419d-9399-b8d344fa2975.vbs"
                                      13⤵
                                        PID:1548
                                        • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
                                          "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
                                          14⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2712
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c505978-b831-4d62-a175-11df145f0815.vbs"
                                            15⤵
                                              PID:4368
                                              • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
                                                "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
                                                16⤵
                                                • UAC bypass
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:3016
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b39d3af-84d0-4f37-9764-d58877dfebc9.vbs"
                                                  17⤵
                                                    PID:3968
                                                    • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
                                                      "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
                                                      18⤵
                                                      • UAC bypass
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:2868
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a98bbd67-8714-46b0-9ae1-92c60ba2ab40.vbs"
                                                        19⤵
                                                          PID:3360
                                                          • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
                                                            "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
                                                            20⤵
                                                            • UAC bypass
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Modifies registry class
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:640
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d391ff00-c167-435f-8655-06944b1c15b7.vbs"
                                                              21⤵
                                                                PID:3144
                                                                • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
                                                                  "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
                                                                  22⤵
                                                                  • UAC bypass
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Modifies registry class
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:876
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f315a18-cfbb-42eb-a45d-b5194f3000f6.vbs"
                                                                    23⤵
                                                                      PID:2888
                                                                      • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
                                                                        "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
                                                                        24⤵
                                                                        • UAC bypass
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Modifies registry class
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:2780
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ab727da-4eeb-4676-b23b-d09003862300.vbs"
                                                                          25⤵
                                                                            PID:4828
                                                                            • C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe
                                                                              "C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe"
                                                                              26⤵
                                                                              • UAC bypass
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Checks whether UAC is enabled
                                                                              • Modifies registry class
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • System policy modification
                                                                              PID:1048
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f65f653f-e3da-4fe5-9846-f45eb3aae0e8.vbs"
                                                                                27⤵
                                                                                  PID:2584
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8f1297d-8ec5-4eca-ab61-8114881f4f41.vbs"
                                                                                  27⤵
                                                                                    PID:4972
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81d0c7ea-d6ad-4e63-98cd-23f9489b645d.vbs"
                                                                                25⤵
                                                                                  PID:3016
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp6A78.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp6A78.tmp.exe"
                                                                                  25⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1492
                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp6A78.tmp.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp6A78.tmp.exe"
                                                                                    26⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of SetThreadContext
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:3728
                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp6A78.tmp.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp6A78.tmp.exe"
                                                                                      27⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:1908
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f08105cc-4e0e-4627-9665-f14efe073725.vbs"
                                                                              23⤵
                                                                                PID:388
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp4F30.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp4F30.tmp.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:376
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp4F30.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp4F30.tmp.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:1216
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e30289a4-bc85-4222-87fd-14eafb3f66fd.vbs"
                                                                            21⤵
                                                                              PID:3212
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp2021.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp2021.tmp.exe"
                                                                              21⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1244
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp2021.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp2021.tmp.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                PID:4536
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f74bedb-0e8e-4b22-b2ec-de6519ea06e0.vbs"
                                                                          19⤵
                                                                            PID:212
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp517.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp517.tmp.exe"
                                                                            19⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2836
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp517.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp517.tmp.exe"
                                                                              20⤵
                                                                              • Executes dropped EXE
                                                                              PID:1564
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c61034d-cb49-492c-b05f-491420b322e7.vbs"
                                                                        17⤵
                                                                          PID:3544
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpD4EF.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpD4EF.tmp.exe"
                                                                          17⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2812
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpD4EF.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpD4EF.tmp.exe"
                                                                            18⤵
                                                                            • Executes dropped EXE
                                                                            PID:1804
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cfd8adc-ee50-4f53-ab7c-4a36f5ba4f90.vbs"
                                                                      15⤵
                                                                        PID:4944
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bd31a06-9a5a-4b8e-981c-06091265f411.vbs"
                                                                    13⤵
                                                                      PID:3220
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp9C5A.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp9C5A.tmp.exe"
                                                                      13⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3272
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp9C5A.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp9C5A.tmp.exe"
                                                                        14⤵
                                                                        • Executes dropped EXE
                                                                        PID:4344
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\832101d3-2b3d-4c31-afad-3e1cb7e795d2.vbs"
                                                                  11⤵
                                                                    PID:4836
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b9b70e8-4ee4-4446-8532-408c225c4ec0.vbs"
                                                                9⤵
                                                                  PID:1980
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp4FB1.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp4FB1.tmp.exe"
                                                                  9⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2348
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp4FB1.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp4FB1.tmp.exe"
                                                                    10⤵
                                                                    • Executes dropped EXE
                                                                    PID:4576
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac59b8b-9b78-433a-94cb-c49f1bb19bd8.vbs"
                                                              7⤵
                                                                PID:224
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a1d46be-01e7-45e0-8234-503dac5d0495.vbs"
                                                            5⤵
                                                              PID:3536
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp25C.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp25C.tmp.exe"
                                                              5⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4960
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp25C.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp25C.tmp.exe"
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4252
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp25C.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp25C.tmp.exe"
                                                                  7⤵
                                                                  • Executes dropped EXE
                                                                  PID:1140
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2288
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4356
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2480
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2772
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2272
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4852
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Oracle\Idle.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3284
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Idle.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1588
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Oracle\Idle.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3296
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2032
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3180
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3552
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3040
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2784
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4288
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2468
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2744
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2464
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Temp\smss.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4612
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\smss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1016
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Temp\smss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:864
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1200
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4152
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\unsecapp.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2916
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:5032
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4868
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4796
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1448
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1688
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4948
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Pictures\Saved Pictures\WmiPrvSE.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3508
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2108
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\Saved Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2068
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4544
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2296
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3580

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9bN.exe.log
                                                      Filesize

                                                      1KB

                                                      MD5

                                                      bbb951a34b516b66451218a3ec3b0ae1

                                                      SHA1

                                                      7393835a2476ae655916e0a9687eeaba3ee876e9

                                                      SHA256

                                                      eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

                                                      SHA512

                                                      63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
                                                      Filesize

                                                      1KB

                                                      MD5

                                                      4a667f150a4d1d02f53a9f24d89d53d1

                                                      SHA1

                                                      306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                      SHA256

                                                      414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                      SHA512

                                                      4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                      Filesize

                                                      2KB

                                                      MD5

                                                      d85ba6ff808d9e5444a4b369f5bc2730

                                                      SHA1

                                                      31aa9d96590fff6981b315e0b391b575e4c0804a

                                                      SHA256

                                                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                      SHA512

                                                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      6d3e9c29fe44e90aae6ed30ccf799ca8

                                                      SHA1

                                                      c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                                      SHA256

                                                      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                                      SHA512

                                                      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      6d42b6da621e8df5674e26b799c8e2aa

                                                      SHA1

                                                      ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                                      SHA256

                                                      5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                                      SHA512

                                                      53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      2e907f77659a6601fcc408274894da2e

                                                      SHA1

                                                      9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                      SHA256

                                                      385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                      SHA512

                                                      34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      62623d22bd9e037191765d5083ce16a3

                                                      SHA1

                                                      4a07da6872672f715a4780513d95ed8ddeefd259

                                                      SHA256

                                                      95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                      SHA512

                                                      9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      3a6bad9528f8e23fb5c77fbd81fa28e8

                                                      SHA1

                                                      f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                      SHA256

                                                      986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                      SHA512

                                                      846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      cadef9abd087803c630df65264a6c81c

                                                      SHA1

                                                      babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                      SHA256

                                                      cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                      SHA512

                                                      7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      624e41a75a6dfd62039973dbbfdbe622

                                                      SHA1

                                                      f791e4cc85d6ae7039acef57a9025b173d7e963b

                                                      SHA256

                                                      ced1b5ac330145fa608627ad4de1dfb3533375f19b6da3d02ad202d0b7732bc1

                                                      SHA512

                                                      a13a128a5ea8aad3bcd5f3dbffa5fbfe7763370d8e43b546a1df1da3b0ec0d520cf5fcc8c25c22fd1e73ea1d00da1bee99305e028e71e193339e4fa8ce8f0b2d

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      ca5f066b9f9fe5524bc68022defc0152

                                                      SHA1

                                                      36002bf06b2e5d6e2e0e19d3d7274f11e0c5cec2

                                                      SHA256

                                                      2020884668619f82b26cf38f827e154af76652f36ba1ddd41a6b93eb585d4f43

                                                      SHA512

                                                      a39310d4e931f133be3f894c50bf557b229adf9fbd9e0cefd47a072a7fbe2aeb1b593fb37e3d699b1c45d06ef62a6e02d39e383701e9936a95bf9968a747388f

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      9078a011b49db705765cff4b845368b0

                                                      SHA1

                                                      533576940a2780b894e1ae46b17d2f4224051b77

                                                      SHA256

                                                      c89240e395a581db1b44d204e2bcbd5b0e7f636ac72585d8257e6b901f5a3615

                                                      SHA512

                                                      48e0896fc4818bb7e3f250c5cad70d5e4ce71d3f6a8d2d17d8becc36050c1de2a270fde8dea5bb3462f1e7f5eaf074053390934f26d0186113215a1c4e92dd1e

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      8a472eee36517de6c61ad86cbba675fd

                                                      SHA1

                                                      4bc55912d71ede8247330d35522ab562ce2b6ffa

                                                      SHA256

                                                      44501bf07f00f632837f23296dbaf9cdf73818abf14a4688090ea2fb8932028f

                                                      SHA512

                                                      40c0d2af8e9186c12d7d7d813a46045ea24bf85e03a875a25395899d57026725dd2269c5228302cd34a3e22b9c87e516d8232fec88a740f138873742f11a53de

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      3c625954a51c4bbd8141206b00f6fc0a

                                                      SHA1

                                                      4128cb2f9d2984844e303e2e330e448334e5c273

                                                      SHA256

                                                      952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

                                                      SHA512

                                                      3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\190ebbe5-e4cd-4bbd-ac72-f79f0200c16a.vbs
                                                      Filesize

                                                      743B

                                                      MD5

                                                      e9eb5a400c4e280c3a5301671d4bf203

                                                      SHA1

                                                      55cd0e1dbfa6f3e810edfe75721caa2692816c91

                                                      SHA256

                                                      33c6319f06c930960e359a1b61b7a35ab833967cd3afb0b2ca5f23b1fc64e0cb

                                                      SHA512

                                                      fda476e5de47b4396ea435bc853a6be1d8f6d75d6b72b84d4130a52384543beebd45eceae3c566b88ee58fe1b01f4ce162ad7d077cf5eff7bd0d7e322933a925

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\3e7072f1-b6c4-459f-af53-2ccc25d92f47.vbs
                                                      Filesize

                                                      742B

                                                      MD5

                                                      6ee8b47a209dd78a4bfd9b1b473bbc56

                                                      SHA1

                                                      edd3473da828383088678a4537e8df9af30efc29

                                                      SHA256

                                                      890b360438db70d9fbd730e485f8529fc2b1c2a5403632a5f6a6e973cb9aa523

                                                      SHA512

                                                      40cedd5b7985d171eaa26ca578bd550accc391b03fa8cc31589c2dc4de51d2fac28a82b24b40355f9ba9dd382714113182bd4b446a7ba4f3364e7ff76310e76c

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\4c505978-b831-4d62-a175-11df145f0815.vbs
                                                      Filesize

                                                      743B

                                                      MD5

                                                      fe6544831c259465bced3a24090fcac5

                                                      SHA1

                                                      2726568c5a0f8a3edd044799b1ad637ba6d6f42c

                                                      SHA256

                                                      f97321fdda5d4ae339cdf95723295a095162187aa1fbe8170934ea0cd3cbaec4

                                                      SHA512

                                                      4009a867befb696411fbdd2bf963188429fa88f272ff551a8882fe27423c81aa35a3ebc1273c186b40e7e2df983a52b2fde8c6fcb58446d19d34e61d8127a36a

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\8a1d46be-01e7-45e0-8234-503dac5d0495.vbs
                                                      Filesize

                                                      519B

                                                      MD5

                                                      b4244de75e216c685654cce748b33f4a

                                                      SHA1

                                                      470240a733cf9848736f149a713c6b86b117c048

                                                      SHA256

                                                      29be2a2b1e11be72c067064cdb8c345a1bf19e95919a1907e92e09d330d1e7cb

                                                      SHA512

                                                      6ff9a5bcaa6d97a0cb05ce4a728d8bbb0caf33c9e1ba113e2aa215d996cba00c76d6ad65ac8f443b614b562eeaf92daad1550e9d472d2271b661f0454b783d75

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\9c9a212b-f8f3-419d-9399-b8d344fa2975.vbs
                                                      Filesize

                                                      743B

                                                      MD5

                                                      41254975cc17b3ce0d739db3006aefc8

                                                      SHA1

                                                      b42c76a69c6af538aa0edaebcbd286663e3bf221

                                                      SHA256

                                                      7e7688fd3eadc2db3e2775b7fea90d97e26f40e829bddb97b36d06a9b5b14cac

                                                      SHA512

                                                      85b80cf7415335d0cdaa9239bf629acde8859c6f5efa0eff4c3309a87570b2881526771d11cb71385f5ec8f2197300546cf144988b5f1ad1a79aa5b7e1c0c891

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\MZYQImRpZ2.bat
                                                      Filesize

                                                      268B

                                                      MD5

                                                      fdbc24470be01b76413ee8a5d21a8e18

                                                      SHA1

                                                      65d4424f27edf853f404083b1b7d5c6f7dc93cfe

                                                      SHA256

                                                      0c5ff4bba5d69d8990f866b83c1e7abe872cbc08da8f01ca303f660243d4d7be

                                                      SHA512

                                                      0a882646d9ac33fd0255a823bd0169b8219e2ac60573122509cefe903e3d3f8a3a88052856da02921d6a71feed4173ca06b4d2ca22edda7970d3a69a95516279

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3lcteffu.ndz.ps1
                                                      Filesize

                                                      60B

                                                      MD5

                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                      SHA1

                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                      SHA256

                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                      SHA512

                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\a169a1fd-3137-421c-9789-589114e7c965.vbs
                                                      Filesize

                                                      743B

                                                      MD5

                                                      64a76d679e0163ec44c121b960611602

                                                      SHA1

                                                      86e7bebd064c053d92213da83d53bc32a1040557

                                                      SHA256

                                                      3642a3a1b8755cca2bd8a34d0a02c349169ed896fe88c4cb4c61540fd327558b

                                                      SHA512

                                                      d03aaf6be7b7bba78449a4d5f50ad5f5676a635effa9d95bcc6f4d43536641c20115662fecbace10e243947e016f129d7145de783e5e3e8d65c545aea77bbcdd

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\ce425cc3-5e87-4d84-a17e-323e638f24ae.vbs
                                                      Filesize

                                                      743B

                                                      MD5

                                                      2105d8ae5eec39a9d7a7a90e9fbffd94

                                                      SHA1

                                                      2f1f06080a335c472699ee09f3859b7e6f4464c6

                                                      SHA256

                                                      cb808e4f03011e4772a1e22c42a04a43bac2c3464560f951ed9d2941b6660ecf

                                                      SHA512

                                                      fe308257fdeb112106dfd19dfdb7f229000a36df464142c64f7e75dffd4aae439c557896d06929a020fde274504197ca5dafd38e789f535ccbf1e994f4998bd3

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\tmpBE61.tmp.exe
                                                      Filesize

                                                      75KB

                                                      MD5

                                                      e0a68b98992c1699876f818a22b5b907

                                                      SHA1

                                                      d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                      SHA256

                                                      2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                      SHA512

                                                      856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                      Download Submit

                                                    • C:\Users\Default\dwm.exe
                                                      Filesize

                                                      4.9MB

                                                      MD5

                                                      10f3103c215eedcf2d565af9f05bab30

                                                      SHA1

                                                      72bb830358a487788941037e0ad611b528480736

                                                      SHA256

                                                      037a85041f5f4c572978322289ad43a3cef6aefc333304f22732d217c9319e9b

                                                      SHA512

                                                      9134c6da84497f9be241df7ecb15e0285eaff148f191a432690d3fdac844824bee5ca02076255097bd807622b1cbee9fd27b85f34969b1efc6b003d794b2f82e

                                                      Download Submit

                                                    • C:\Users\Default\dwm.exe
                                                      Filesize

                                                      4.9MB

                                                      MD5

                                                      9d7da322f7ec7cfe313ddc59cc20c464

                                                      SHA1

                                                      948de849977a7ad6f5632c53127c59312039afe9

                                                      SHA256

                                                      c59ddeb7801205bed458af0525d42123e96d2d5ca767426e6178d0933c178e83

                                                      SHA512

                                                      676ea742b8b36cfd9b4438cf2e3f23ef9210e54fbb77b9973b290fbb0e4a74c69715d15b4999e2f17b7f10b70e32a1c81b9fb441416c1d7bfb11ff0f60b66476

                                                      Download Submit

                                                    • memory/876-594-0x000000001B470000-0x000000001B482000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/964-475-0x000000001BDD0000-0x000000001BDE2000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/3016-544-0x0000000003030000-0x0000000003042000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/4028-71-0x0000000000400000-0x0000000000407000-memory.dmp

                                                      Filesize

                                                      28KB

                                                      Download

                                                    • memory/4040-135-0x0000019175B50000-0x0000019175B72000-memory.dmp

                                                      Filesize

                                                      136KB

                                                      Download

                                                    • memory/4944-0-0x00007FFAC6D53000-0x00007FFAC6D55000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/4944-125-0x00007FFAC6D50000-0x00007FFAC7811000-memory.dmp

                                                      Filesize

                                                      10.8MB

                                                      Download

                                                    • memory/4944-18-0x00000000029A0000-0x00000000029AC000-memory.dmp

                                                      Filesize

                                                      48KB

                                                      Download

                                                    • memory/4944-17-0x0000000002990000-0x0000000002998000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/4944-16-0x0000000002980000-0x0000000002988000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/4944-13-0x00000000027F0000-0x00000000027FA000-memory.dmp

                                                      Filesize

                                                      40KB

                                                      Download

                                                    • memory/4944-14-0x0000000002800000-0x000000000280E000-memory.dmp

                                                      Filesize

                                                      56KB

                                                      Download

                                                    • memory/4944-15-0x0000000002970000-0x000000000297E000-memory.dmp

                                                      Filesize

                                                      56KB

                                                      Download

                                                    • memory/4944-12-0x000000001C1F0000-0x000000001C718000-memory.dmp

                                                      Filesize

                                                      5.2MB

                                                      Download

                                                    • memory/4944-11-0x00000000027E0000-0x00000000027F2000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/4944-10-0x00000000027D0000-0x00000000027DA000-memory.dmp

                                                      Filesize

                                                      40KB

                                                      Download

                                                    • memory/4944-9-0x00000000027C0000-0x00000000027D0000-memory.dmp

                                                      Filesize

                                                      64KB

                                                      Download

                                                    • memory/4944-8-0x00000000027A0000-0x00000000027B6000-memory.dmp

                                                      Filesize

                                                      88KB

                                                      Download

                                                    • memory/4944-7-0x0000000002790000-0x00000000027A0000-memory.dmp

                                                      Filesize

                                                      64KB

                                                      Download

                                                    • memory/4944-6-0x0000000002780000-0x0000000002788000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/4944-5-0x0000000002920000-0x0000000002970000-memory.dmp

                                                      Filesize

                                                      320KB

                                                      Download

                                                    • memory/4944-4-0x0000000002760000-0x000000000277C000-memory.dmp

                                                      Filesize

                                                      112KB

                                                      Download

                                                    • memory/4944-3-0x000000001B530000-0x000000001B65E000-memory.dmp

                                                      Filesize

                                                      1.2MB

                                                      Download

                                                    • memory/4944-2-0x00007FFAC6D50000-0x00007FFAC7811000-memory.dmp

                                                      Filesize

                                                      10.8MB

                                                      Download

                                                    • memory/4944-1-0x0000000000140000-0x0000000000634000-memory.dmp

                                                      Filesize

                                                      5.0MB

                                                      Download