Overview

overview

10

Static

static

3

48a3b02137...21.exe

windows7-x64

10

48a3b02137...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe

  • Size

    4.9MB

  • MD5

    9f54373c7eefc48c1d4e8a8b50c3d485

  • SHA1

    c3f2f30da9c44a21b69ef16b647a899aa212d23a

  • SHA256

    48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621

  • SHA512

    e4b8c96114aba0c7dd977e0a4fb6ade31f0503eea87e27de842fc4fa1f531fd49dc8d1ec762ffbc26f3474ccf8bbb7108a56aab9fb8bce6339dcd68bfecfe77b

  • SSDEEP

    49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 42 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 36 IoCs
  • Checks whether UAC is enabled 1 TTPs 28 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 11 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 42 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
    "C:\Users\Admin\AppData\Local\Temp\48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\tmpAC61.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpAC61.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Users\Admin\AppData\Local\Temp\tmpAC61.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpAC61.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:4140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2336
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4460
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4976
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pPJcA7KtiR.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3940
        • C:\Users\All Users\Desktop\System.exe
          "C:\Users\All Users\Desktop\System.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4652
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\503797f3-30be-45f7-9aed-46523e8f9bc8.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1236
            • C:\Users\All Users\Desktop\System.exe
              "C:\Users\All Users\Desktop\System.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4712
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72d3f55e-7593-47a8-b1ae-4214d1d18e4d.vbs"
                6⤵
                  PID:4672
                  • C:\Users\All Users\Desktop\System.exe
                    "C:\Users\All Users\Desktop\System.exe"
                    7⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:3156
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7022a852-b13f-40cc-ad45-115cef71ba4e.vbs"
                      8⤵
                        PID:2188
                        • C:\Users\All Users\Desktop\System.exe
                          "C:\Users\All Users\Desktop\System.exe"
                          9⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:3976
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e57a0830-7384-451d-9d03-2efa7037a582.vbs"
                            10⤵
                              PID:4192
                              • C:\Users\All Users\Desktop\System.exe
                                "C:\Users\All Users\Desktop\System.exe"
                                11⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:1268
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb78e3ad-7771-4cd1-9ac6-ae699474926c.vbs"
                                  12⤵
                                    PID:2432
                                    • C:\Users\All Users\Desktop\System.exe
                                      "C:\Users\All Users\Desktop\System.exe"
                                      13⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:4752
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cde89357-540d-493a-b02d-d7b96ceb4223.vbs"
                                        14⤵
                                          PID:2516
                                          • C:\Users\All Users\Desktop\System.exe
                                            "C:\Users\All Users\Desktop\System.exe"
                                            15⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:3988
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ec3336b-372a-4d7c-832e-c16262ac41a8.vbs"
                                              16⤵
                                                PID:3280
                                                • C:\Users\All Users\Desktop\System.exe
                                                  "C:\Users\All Users\Desktop\System.exe"
                                                  17⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:4460
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4dcffe0-5b86-4276-a6f7-6ce32d09bff8.vbs"
                                                    18⤵
                                                      PID:3368
                                                      • C:\Users\All Users\Desktop\System.exe
                                                        "C:\Users\All Users\Desktop\System.exe"
                                                        19⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:3608
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0abfc1db-3d19-4558-b3ac-4247c9483e9f.vbs"
                                                          20⤵
                                                            PID:4276
                                                            • C:\Users\All Users\Desktop\System.exe
                                                              "C:\Users\All Users\Desktop\System.exe"
                                                              21⤵
                                                              • UAC bypass
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:1724
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad0e74e5-37af-4731-9d15-e39ced36aa7f.vbs"
                                                                22⤵
                                                                  PID:3820
                                                                  • C:\Users\All Users\Desktop\System.exe
                                                                    "C:\Users\All Users\Desktop\System.exe"
                                                                    23⤵
                                                                    • UAC bypass
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:3356
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bb51211-9cdd-42de-b371-a0fa2e45c8bd.vbs"
                                                                      24⤵
                                                                        PID:212
                                                                        • C:\Users\All Users\Desktop\System.exe
                                                                          "C:\Users\All Users\Desktop\System.exe"
                                                                          25⤵
                                                                          • UAC bypass
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Checks whether UAC is enabled
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • System policy modification
                                                                          PID:1904
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\347481b4-826b-4da0-9491-5196e7471bdb.vbs"
                                                                            26⤵
                                                                              PID:1364
                                                                              • C:\Users\All Users\Desktop\System.exe
                                                                                "C:\Users\All Users\Desktop\System.exe"
                                                                                27⤵
                                                                                • UAC bypass
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Checks whether UAC is enabled
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                • System policy modification
                                                                                PID:1872
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\923e11cf-7976-4a1e-a4e8-1594158a2f95.vbs"
                                                                                  28⤵
                                                                                    PID:1820
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba4943da-204f-4c2e-a7e3-b05b73cb77d4.vbs"
                                                                                    28⤵
                                                                                      PID:2832
                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmpD3C1.tmp.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\tmpD3C1.tmp.exe"
                                                                                      28⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetThreadContext
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:3088
                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpD3C1.tmp.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpD3C1.tmp.exe"
                                                                                        29⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:1600
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a4dd125-ab3c-4347-856f-2258575a83e7.vbs"
                                                                                  26⤵
                                                                                    PID:3056
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f6499d2-bb47-4b10-a2e9-c9a7330fba94.vbs"
                                                                                24⤵
                                                                                  PID:3396
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp8708.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp8708.tmp.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3972
                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp8708.tmp.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp8708.tmp.exe"
                                                                                    25⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:4988
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f33d6f33-954c-4817-a127-d027a2029c7f.vbs"
                                                                              22⤵
                                                                                PID:3632
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp56B1.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp56B1.tmp.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3964
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp56B1.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp56B1.tmp.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:3640
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5a941f9-054a-4e6c-915f-3f713a55fed4.vbs"
                                                                            20⤵
                                                                              PID:4688
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp2745.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp2745.tmp.exe"
                                                                              20⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1216
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp2745.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp2745.tmp.exe"
                                                                                21⤵
                                                                                • Executes dropped EXE
                                                                                PID:4064
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e11b6497-b60d-496d-a3d9-5f35c4aca94c.vbs"
                                                                          18⤵
                                                                            PID:1636
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpF652.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpF652.tmp.exe"
                                                                            18⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5020
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpF652.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmpF652.tmp.exe"
                                                                              19⤵
                                                                              • Executes dropped EXE
                                                                              PID:432
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\432fbd22-0432-4dc9-ad02-c32e8e1b2e62.vbs"
                                                                        16⤵
                                                                          PID:4300
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpC6B6.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpC6B6.tmp.exe"
                                                                          16⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:720
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpC6B6.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpC6B6.tmp.exe"
                                                                            17⤵
                                                                            • Executes dropped EXE
                                                                            PID:4912
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6305cde-7839-4aad-a0a9-9873f103670c.vbs"
                                                                      14⤵
                                                                        PID:868
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe"
                                                                        14⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:828
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe"
                                                                          15⤵
                                                                            PID:1524
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 300
                                                                            15⤵
                                                                            • Program crash
                                                                            PID:4688
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b3da162-7e15-4d94-bf3b-782a1a65ef74.vbs"
                                                                      12⤵
                                                                        PID:2256
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28252fa0-76fc-47b5-b246-98357c39dcc4.vbs"
                                                                    10⤵
                                                                      PID:2004
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe"
                                                                      10⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4792
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe"
                                                                        11⤵
                                                                        • Executes dropped EXE
                                                                        PID:2972
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d574567e-3b05-406b-a795-bae47d181328.vbs"
                                                                  8⤵
                                                                    PID:4296
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp3B2F.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp3B2F.tmp.exe"
                                                                    8⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:3620
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp3B2F.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp3B2F.tmp.exe"
                                                                      9⤵
                                                                      • Executes dropped EXE
                                                                      PID:2708
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dd00543-f52c-423e-9dcf-a56438969c23.vbs"
                                                                6⤵
                                                                  PID:2152
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp990.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp990.tmp.exe"
                                                                  6⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:2780
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp990.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp990.tmp.exe"
                                                                    7⤵
                                                                    • Executes dropped EXE
                                                                    PID:3684
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bc896ec-04bc-412d-a6b4-df3a3e52e1ef.vbs"
                                                              4⤵
                                                                PID:2772
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe"
                                                                4⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:3956
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpD939.tmp.exe"
                                                                  5⤵
                                                                  • Executes dropped EXE
                                                                  PID:1196
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\taskhostw.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4048
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\taskhostw.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3328
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\taskhostw.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3792
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3492
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2784
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3700
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1820
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1944
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4180
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf26214" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1588
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1268
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf26214" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3088
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\System.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1972
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\System.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1372
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\System.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:216
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\swidtag\csrss.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:624
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4784
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\swidtag\csrss.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4380
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 828 -ip 828
                                                          1⤵
                                                            PID:2460

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log
                                                            Filesize

                                                            1KB

                                                            MD5

                                                            4a667f150a4d1d02f53a9f24d89d53d1

                                                            SHA1

                                                            306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                            SHA256

                                                            414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                            SHA512

                                                            4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                            Filesize

                                                            2KB

                                                            MD5

                                                            d85ba6ff808d9e5444a4b369f5bc2730

                                                            SHA1

                                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                                            SHA256

                                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                            SHA512

                                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            944B

                                                            MD5

                                                            3a6bad9528f8e23fb5c77fbd81fa28e8

                                                            SHA1

                                                            f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                            SHA256

                                                            986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                            SHA512

                                                            846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            944B

                                                            MD5

                                                            e448fe0d240184c6597a31d3be2ced58

                                                            SHA1

                                                            372b8d8c19246d3e38cd3ba123cc0f56070f03cd

                                                            SHA256

                                                            c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

                                                            SHA512

                                                            0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            944B

                                                            MD5

                                                            28d4235aa2e6d782751f980ceb6e5021

                                                            SHA1

                                                            f5d82d56acd642b9fc4b963f684fd6b78f25a140

                                                            SHA256

                                                            8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

                                                            SHA512

                                                            dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            944B

                                                            MD5

                                                            2e907f77659a6601fcc408274894da2e

                                                            SHA1

                                                            9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                            SHA256

                                                            385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                            SHA512

                                                            34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            944B

                                                            MD5

                                                            a8e8360d573a4ff072dcc6f09d992c88

                                                            SHA1

                                                            3446774433ceaf0b400073914facab11b98b6807

                                                            SHA256

                                                            bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

                                                            SHA512

                                                            4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\4bc896ec-04bc-412d-a6b4-df3a3e52e1ef.vbs
                                                            Filesize

                                                            489B

                                                            MD5

                                                            0709d189dbfbdc032ce57a11eb8b8a85

                                                            SHA1

                                                            5ade185aafba5865f3f6f3784ba218fe7f8775af

                                                            SHA256

                                                            13f44adad17c32bfb24f28304fa8a9e8815bd236ef421ac74430a1d0bcdab774

                                                            SHA512

                                                            19d7fa74d21d68f12ac873a4467009e27373c91b4d294949aeca234341d23d31ed29b8616115bdb064717706c9206258d83298735c391c737a5bc3d05f7a74c4

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\503797f3-30be-45f7-9aed-46523e8f9bc8.vbs
                                                            Filesize

                                                            713B

                                                            MD5

                                                            5f011826766cc6f9feca2e516a1b3d4d

                                                            SHA1

                                                            e10904300670e21ee354f61c2b75ee2dc4655f6d

                                                            SHA256

                                                            c993998244b04fb70be11273173d03dac982f9705c2d4ddeb3c1a16ead8ef3b3

                                                            SHA512

                                                            28e71197f33db3f530a009c517812ee31908791d094f32d5761e634d154a8de339d527b470264358bcd0e58fd8a782567177b92bd5297578979416cc2b116be8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\7022a852-b13f-40cc-ad45-115cef71ba4e.vbs
                                                            Filesize

                                                            713B

                                                            MD5

                                                            dad6d417093f50e6308aa7c4183b7de7

                                                            SHA1

                                                            7b20ebe2fa95c8331419961f7af526691bf9a0a9

                                                            SHA256

                                                            394e6a832be12d3577e6805b898494722c8fb21835b78676ed5e7173c41173a3

                                                            SHA512

                                                            fa14077468bb46e54f7ff966cca2d1332b736b22f8d28f2a53df2ddb562dde0415f62bc68a498f723d7efd7adb247341afd3f91827ec1162b2e2f723d338a31f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\72d3f55e-7593-47a8-b1ae-4214d1d18e4d.vbs
                                                            Filesize

                                                            713B

                                                            MD5

                                                            51237d25c1643af1127f3c5d0933e8be

                                                            SHA1

                                                            b063cb269d25f3d1a81e606171cb3b27cc887616

                                                            SHA256

                                                            69b9c007312fbffe0082b023fd545f01ea047c84ff94b0fcbf1da5c4c1d9ee9a

                                                            SHA512

                                                            3cc3c039cc53974546dff504cbb2566d9368fab7824654e9bfa16004ae40402533db0f38d12a3a61f212bc62fb68b8495803fc3b37861d40bcf955b3ff24a786

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\8ec3336b-372a-4d7c-832e-c16262ac41a8.vbs
                                                            Filesize

                                                            713B

                                                            MD5

                                                            85a0b5e82384e7492dcc4c4a01b4598d

                                                            SHA1

                                                            7633f329a860047b95075d399e9535643ac52a8c

                                                            SHA256

                                                            96eb2db8b14996b48c4f01255c17341fad3546b0b89a252b68099ed56e6ee2b5

                                                            SHA512

                                                            1244735ef977c06f8474627cbebd713612353b14e5104a3cf7885a6f461670b32f5fefb7d9d4d47fb7a4ce5418216a01ebe32b195bc5a5f7db4b2ba9019ca76d

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edfq1hvc.xk3.ps1
                                                            Filesize

                                                            60B

                                                            MD5

                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                            SHA1

                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                            SHA256

                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                            SHA512

                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\c4dcffe0-5b86-4276-a6f7-6ce32d09bff8.vbs
                                                            Filesize

                                                            713B

                                                            MD5

                                                            5d6ec3fbe0d969d946c55794e0b691b0

                                                            SHA1

                                                            6d0044bc19cd707fc8a4236a74d5e4c28569bcee

                                                            SHA256

                                                            d6a0c7c9a917d3ebfc46a29b57069784449f1e1f308737448ccd3d4504047498

                                                            SHA512

                                                            bdaa074caf0d262e1cde674e6b8c64d9abba7337591f51e5964e228598a3ab8c03ec1bc8103189b016fab56d6f3a60eb992d2ec6f63e8b4c1b08c8a39063c95b

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\cde89357-540d-493a-b02d-d7b96ceb4223.vbs
                                                            Filesize

                                                            713B

                                                            MD5

                                                            4eb8f72567b713fb4b149d6d48e11cb6

                                                            SHA1

                                                            2528923ed3381af069e2921e74077c626d8ff77d

                                                            SHA256

                                                            d44a3f2022ee585686947c430fb61853a9d80d86cf1af12ca654df0a874a5ec7

                                                            SHA512

                                                            b6e80c39cbbd0f03a4eae650487a245c3779506a8c83947e8170d586a75a7531b57eeb14dc247be01d01a08759eb7b37814b770d398fbcf70b7a71cc139a2b96

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\e57a0830-7384-451d-9d03-2efa7037a582.vbs
                                                            Filesize

                                                            713B

                                                            MD5

                                                            c8d64a36a78a783e9ef0b4e9570f9a07

                                                            SHA1

                                                            98c66ec62e0041976ed76f16a3defff030cf429d

                                                            SHA256

                                                            932185d7fbd84260697b3e0e406ffb58e507ea805e4ab7ad6cd974afdea83cc0

                                                            SHA512

                                                            382a5afc80843f89c85985a05c80537285ce1773b332c44bdc92ce30d74704b42f54131df8896ff5ed45df6851c8fd0040fd9c091c0fd1010bac37ec863aefff

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\fb78e3ad-7771-4cd1-9ac6-ae699474926c.vbs
                                                            Filesize

                                                            713B

                                                            MD5

                                                            830f0cb90835bf79a8edc3cd541a629f

                                                            SHA1

                                                            3c56044183f9a4d0074df709970c69e8919590c1

                                                            SHA256

                                                            28fbd629a2ca54725c205e6518e6ce486e2e3ee97d6adc3253f74f87ad34c1e9

                                                            SHA512

                                                            5c2f2d56523199ba5628d4602cf770e31b02f4146a2ba214367b8393892ef39c1b76cf2a09a3c22e3c2a6bd0a85e5ffe5bdc74e061985cc60d4a96fb6a2e4de6

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\pPJcA7KtiR.bat
                                                            Filesize

                                                            202B

                                                            MD5

                                                            bf9f2b0cd220566a769d8f11f6bbecf1

                                                            SHA1

                                                            878d83515bbb00702fcf36061851e9530eae1750

                                                            SHA256

                                                            f20b6672bfd6d91df3184610a9b1ff082ceb539c3f19021cffac4d2832b56ce7

                                                            SHA512

                                                            b0973caf225d4af0fb82ddea9153663de8e243c106440de21970d5958e618d2083509c1b4a81761681f63f2e0ef25cd65e6d8d37e2149cb8055d8b228cb1c44f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpAC61.tmp.exe
                                                            Filesize

                                                            75KB

                                                            MD5

                                                            e0a68b98992c1699876f818a22b5b907

                                                            SHA1

                                                            d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                            SHA256

                                                            2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                            SHA512

                                                            856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                            Download Submit

                                                          • C:\Users\Public\Desktop\System.exe
                                                            Filesize

                                                            4.9MB

                                                            MD5

                                                            9f54373c7eefc48c1d4e8a8b50c3d485

                                                            SHA1

                                                            c3f2f30da9c44a21b69ef16b647a899aa212d23a

                                                            SHA256

                                                            48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621

                                                            SHA512

                                                            e4b8c96114aba0c7dd977e0a4fb6ade31f0503eea87e27de842fc4fa1f531fd49dc8d1ec762ffbc26f3474ccf8bbb7108a56aab9fb8bce6339dcd68bfecfe77b

                                                            Download Submit

                                                          • C:\Users\Public\Desktop\System.exe
                                                            Filesize

                                                            4.9MB

                                                            MD5

                                                            906049af2b48e6276214ec280859f62b

                                                            SHA1

                                                            256ffdf63466a1acf45344eed06c0f7a175abade

                                                            SHA256

                                                            a80eca47fdaf7e5f953f697e553d7b0ffe07a6e7d87ac1edbfbb9a9f273888fb

                                                            SHA512

                                                            3a5da9db756c52a79e111649b8e5c425fc627a59bec69cdef19cf25431bf84ce03af5b735d03df26034bc8b56e948c68e904e8d2cd019998cd8d2e30919cffa1

                                                            Download Submit

                                                          • memory/2336-92-0x000001B2983D0000-0x000001B2983F2000-memory.dmp

                                                            Filesize

                                                            136KB

                                                            Download

                                                          • memory/3016-91-0x00007FFA20A60000-0x00007FFA21521000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                            Download

                                                          • memory/3016-7-0x0000000003620000-0x0000000003630000-memory.dmp

                                                            Filesize

                                                            64KB

                                                            Download

                                                          • memory/3016-1-0x0000000000E90000-0x0000000001384000-memory.dmp

                                                            Filesize

                                                            5.0MB

                                                            Download

                                                          • memory/3016-17-0x000000001C920000-0x000000001C928000-memory.dmp

                                                            Filesize

                                                            32KB

                                                            Download

                                                          • memory/3016-18-0x000000001CA30000-0x000000001CA3C000-memory.dmp

                                                            Filesize

                                                            48KB

                                                            Download

                                                          • memory/3016-16-0x000000001C910000-0x000000001C918000-memory.dmp

                                                            Filesize

                                                            32KB

                                                            Download

                                                          • memory/3016-13-0x000000001C890000-0x000000001C89A000-memory.dmp

                                                            Filesize

                                                            40KB

                                                            Download

                                                          • memory/3016-14-0x000000001C8A0000-0x000000001C8AE000-memory.dmp

                                                            Filesize

                                                            56KB

                                                            Download

                                                          • memory/3016-15-0x000000001C900000-0x000000001C90E000-memory.dmp

                                                            Filesize

                                                            56KB

                                                            Download

                                                          • memory/3016-12-0x000000001CE30000-0x000000001D358000-memory.dmp

                                                            Filesize

                                                            5.2MB

                                                            Download

                                                          • memory/3016-11-0x000000001C880000-0x000000001C892000-memory.dmp

                                                            Filesize

                                                            72KB

                                                            Download

                                                          • memory/3016-2-0x00007FFA20A60000-0x00007FFA21521000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                            Download

                                                          • memory/3016-10-0x000000001C870000-0x000000001C87A000-memory.dmp

                                                            Filesize

                                                            40KB

                                                            Download

                                                          • memory/3016-9-0x000000001C860000-0x000000001C870000-memory.dmp

                                                            Filesize

                                                            64KB

                                                            Download

                                                          • memory/3016-8-0x0000000003630000-0x0000000003646000-memory.dmp

                                                            Filesize

                                                            88KB

                                                            Download

                                                          • memory/3016-6-0x0000000003610000-0x0000000003618000-memory.dmp

                                                            Filesize

                                                            32KB

                                                            Download

                                                          • memory/3016-0-0x00007FFA20A63000-0x00007FFA20A65000-memory.dmp

                                                            Filesize

                                                            8KB

                                                            Download

                                                          • memory/3016-5-0x000000001C8B0000-0x000000001C900000-memory.dmp

                                                            Filesize

                                                            320KB

                                                            Download

                                                          • memory/3016-4-0x00000000035F0000-0x000000000360C000-memory.dmp

                                                            Filesize

                                                            112KB

                                                            Download

                                                          • memory/3016-3-0x000000001C130000-0x000000001C25E000-memory.dmp

                                                            Filesize

                                                            1.2MB

                                                            Download

                                                          • memory/3988-346-0x000000001C1E0000-0x000000001C1F2000-memory.dmp

                                                            Filesize

                                                            72KB

                                                            Download

                                                          • memory/4140-70-0x0000000000400000-0x0000000000407000-memory.dmp

                                                            Filesize

                                                            28KB

                                                            Download

                                                          • memory/4652-219-0x00000000005A0000-0x0000000000A94000-memory.dmp

                                                            Filesize

                                                            5.0MB

                                                            Download