Analysis

  • max time kernel
    289s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    20-09-2024 14:20

General

  • Target

    DOC- 1000290099433.vbe

  • Size

    11KB

  • MD5

    1ba91d56988897f8677cc18f54ac7e13

  • SHA1

    1a51f7b8534c912b18053ac2371907f095128a93

  • SHA256

    7576b26f5b40500a27c4279db479d482fb453e2dbc24d6b8754a07720c19055f

  • SHA512

    192c23958cd6e863ed205e4bbcddfa2915f197e9f9ca8e1cd66d4b7bcb834794c0012456789aef826622ab63cd589336b187c48f422ffca0b0a1094b59967f2f

  • SSDEEP

    192:l7TZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1ZAkt0pdzea1iydDcgLK:trITlbz3L5UtNGWEYCNsRXX1tedzL1iJ

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOC- 1000290099433.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:2644
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {EA8729FF-7092-4AF8-8190-159E9C418522} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2600" "1248"
          4⤵
          PID:2724
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1856" "1240"
          4⤵
          PID:2000
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1432" "1240"
          4⤵
          PID:1732
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1696" "1240"
          4⤵
          PID:2192
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1256" "1240"
          4⤵
          PID:2124
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1560
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1560" "1244"
          4⤵
          PID:1848
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1752" "1248"
          4⤵
          PID:1816
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2380" "1236"
          4⤵
          PID:2592
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1556" "1248"
          4⤵
          PID:1632
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2100" "1248"
          4⤵
          PID:2312
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:536
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "536" "1248"
          4⤵
          PID:1476
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1668
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1668" "1240"
          4⤵
          PID:2736
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2124" "1244"
          4⤵
          PID:1088
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2240
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2240" "1248"
          4⤵
          PID:1840
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1228
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1228" "1248"
          4⤵
          PID:2720
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1336
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1336" "1248"
          4⤵
          PID:3008
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3060
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "3060" "1252"
          4⤵
          PID:636
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2416
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2416" "1240"
          4⤵
          PID:1504
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:592
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "592" "1248"
          4⤵
          PID:2512
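
Reading the tree: WScript.exe (PID 2644) runs the submitted .vbe, an encoded VBScript that the script host decodes before execution, and is the process flagged for the network request. The dropped CeKsDwHNOyLUtGz.vbs under AppData\Roaming is not started by that process but by taskeng.exe (PID 1968), the Task Scheduler engine for the Admin session, which together with the "Uses Task Scheduler COM API" signature is consistent with a scheduled task registered for persistence. The second WScript.exe (PID 2772) then spawns powershell.exe 19 times. Each instance hands off to wermgr.exe "-outproc" "<pid>" "<handle>", which is Windows Error Reporting collecting a fault from that process, and the 19 OutofProcReport*.txt files under Downloads are WER's report artefacts, so every PowerShell stage in this run faulted and the later-stage behaviour (including network activity) should be treated as incomplete. The 19 hits each for "Drops file in System32 directory" and "Suspicious use of AdjustPrivilegeToken" line up one-to-one with those PowerShell instances; the report excerpt does not list the written paths, so they should be inspected before being read as tampering.

To hunt for the same chain on a live Windows host, the following PowerShell is an added example (editor's code, not part of the Triage report and not the sample's code). It walks the task store through the Schedule.Service COM API, the interface the signature above refers to, so it also works on Windows 7 where Get-ScheduledTask does not exist, and then checks running processes via WMI for a script host executing from a user-profile path or a powershell.exe whose parent is a script host. The regular expressions and the assumption that the script path appears in an Exec action's Arguments are this example's choices, not something the report states.

```powershell
# Added hunt script (editor's example; not from the Triage report or the sample).
# Finds: (1) scheduled tasks whose action runs wscript.exe/cscript.exe on a script
# under a user-profile directory (AppData\Roaming, AppData\Local\Temp, ...);
# (2) live wscript/cscript processes started from such a path, and powershell.exe
# instances whose parent is a script host, as in the tree above.
# ASSUMPTION: the two patterns below are this example's choices; tune them to your estate.
$ScriptHostPattern = '(?i)(^|\\)(w|c)script(\.exe)?$'
$UserPathPattern   = '(?i)\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\'

function Get-AllTasks {
    # Recursively enumerate every registered task, including hidden ones (TASK_ENUM_HIDDEN = 1).
    param([object]$Folder)
    foreach ($task in $Folder.GetTasks(1)) { $task }
    foreach ($sub in $Folder.GetFolders(0)) { Get-AllTasks -Folder $sub }
}

function Find-ScriptHostTasks {
    # Task Scheduler COM API: the same interface the "Uses Task Scheduler COM API" signature names.
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    foreach ($task in (Get-AllTasks -Folder $svc.GetFolder('\'))) {
        foreach ($action in $task.Definition.Actions) {
            # TASK_ACTION_EXEC = 0; only Exec actions carry Path/Arguments.
            if ($action.Type -ne 0) { continue }
            $exe       = ([string]$action.Path).Trim('"')
            $arguments = [string]$action.Arguments
            if ($exe -match $ScriptHostPattern -and $arguments -match $UserPathPattern) {
                New-Object PSObject -Property @{
                    Task      = $task.Path
                    Enabled   = $task.Enabled
                    Principal = $task.Definition.Principal.UserId
                    Command   = "$exe $arguments"
                }
            }
        }
    }
}

function Find-ScriptHostProcesses {
    # Live process check via WMI (works on Windows 7 / PowerShell 2.0 without Sysmon).
    $procs = Get-WmiObject Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        # ParentProcessId can be stale if the parent exited and the PID was reused; treat as a hint.
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '' }
        $reason     = $null
        if ($p.Name -match '^(w|c)script\.exe$' -and $p.CommandLine -match $UserPathPattern) {
            $reason = 'script host running a script from a user-profile path'
        } elseif ($p.Name -eq 'powershell.exe' -and $parentName -match '^(w|c)script\.exe$') {
            $reason = 'powershell.exe spawned by a script host'
        }
        if ($reason) {
            New-Object PSObject -Property @{
                Pid         = $p.ProcessId
                Parent      = "$parentName ($($p.ParentProcessId))"
                CommandLine = $p.CommandLine
                Reason      = $reason
            }
        }
    }
}

Find-ScriptHostTasks     | Format-List
Find-ScriptHostProcesses | Format-List
```

Run it from an elevated prompt so tasks registered by other principals and processes in other sessions are visible; on the chain above it would report the task that launches CeKsDwHNOyLUtGz.vbs, the WScript.exe instance running it, and each powershell.exe child. Pair the live check with a search for fresh OutofProcReport*.txt files in %TEMP% when you suspect the payload crashed, as it did here.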

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259473072.txt

                                          Filesize

                                          1KB

                                          MD5

                                          d48d03f1a524ee621263fe992806392a

                                          SHA1

                                          7ddcf13cf9cf1cadac93007245f2ab65cfeb8f22

                                          SHA256

                                          1e156a82a83449f7e8ba5e5e90a5e2effc8a8596a86f1e4763d0792367f02845

                                          SHA512

                                          3a1c25dfb52eca79e155f81134b78830f75c74dab70c17f50619646a283e2420a44647097e0931c35a9c73955696d9be1c9986a3933bdccd1a41ab224b4ffd13

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259483826.txt

                                          Filesize

                                          1KB

                                          MD5

                                          55495b5306b704ca287dad7a9b7f5740

                                          SHA1

                                          5c06a934d724e12e91bd408c76eb4114b09a6178

                                          SHA256

                                          eb049d0c7123b3b5650e5b4f242905fbc263b57628c2bdc5a4ef5c82fa3b641c

                                          SHA512

                                          f1bb53d454df96a721f59bccd5b1c9d6e45b7d0cbb301b7c4975ec623ba269914a62f1e6e25039358afcd2ed9062a84449eba3c575108fd43f94e2dc53d964f1

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259502012.txt

                                          Filesize

                                          1KB

                                          MD5

                                          cf6d2c3121277c5a40e47d5857c5c66e

                                          SHA1

                                          253f1c928193094bf237e75348c17b85f41f1f5b

                                          SHA256

                                          b4ced8d3fcf911bd81b4cedd2ce4a3eb900a2fc5248ca17e863fabe26b6d3a71

                                          SHA512

                                          9915b29715e8450ee576173874d8860e1c9f353d9a55aade06e5d781bbe212bdcf0e0a16862b70f4c61fb83910e3f81f19bb4842de01b05582f8b30d73aa5247

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259514569.txt

                                          Filesize

                                          1KB

                                          MD5

                                          c685d61d32fa0fa65124ebe15bde5e38

                                          SHA1

                                          4734fb6d3f16fbb6f0e17cd5a1a2bae3967d29f3

                                          SHA256

                                          128beb9cb47a9b7e3af9c34f8ac80ef0caad17652c997a743e7ac28fdf3a1819

                                          SHA512

                                          044abcc6d01a6736a04ca018003413656a81bba352c2069e158873e83dbc07033cc5f4d04043cf8568ee4f78eac87eb472923dda058393401579a8fe20a5b296

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259532124.txt

                                          Filesize

                                          1KB

                                          MD5

                                          d0117c1633ad7e7ba675887eb021aca9

                                          SHA1

                                          1330f08a050b5097bb2f4f05237e540e46f4dcd4

                                          SHA256

                                          acaa41a760119b0bc3f945dd057014a2c9991a7f27d0276b43c303c1629bb41b

                                          SHA512

                                          62f65d11202b37649c80f0928017d741df82b4269ac5048075a63b5050604984d55bfdb2bf7b0a514b2decf1e596364eea7c943cdd6dfc1bfcac290239d6e68c

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259545987.txt

                                          Filesize

                                          1KB

                                          MD5

                                          f4392ac8f1751bf4e697488a45741663

                                          SHA1

                                          13b9be47a129f50f401f1181e3879e5293fa557f

                                          SHA256

                                          b23513ba4ccb89e71c0e34372e40f096cdfa08e5c42fa5fc63ea3549308abe32

                                          SHA512

                                          0cff6133932e0505285333d8171e0262f313b24f92e3ac33bf9ce6e17aeddc3abb5868bdf866e2a49b27f0dd8682c65ceee296224f02394b841e30f5813dfca0

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259563038.txt

                                          Filesize

                                          1KB

                                          MD5

                                          0e8f2d0e2c5a623195215bc9cafa282f

                                          SHA1

                                          1d4d5407a32951b8c54eccb440b8e0da717dc3e6

                                          SHA256

                                          9213ad6bb2905cff3d7bc6eef4befe01a3a254d87161221b591f7874f849339c

                                          SHA512

                                          57dadd1cc5704845b26aca49369613d16bef4ad0de023b81a7643b3382eb4a2ee8348df87459cb6e47021d38ed7018f1ebb7b10593d82d7083dc05f0cbcc02e6

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259579260.txt

                                          Filesize

                                          1KB

                                          MD5

                                          159a4d3875f7b25bbb8fcfb78308bad4

                                          SHA1

                                          44fa6cca031c2b14f0f910fa2dc543cd343bbd93

                                          SHA256

                                          eea69b35a658fba12e155581ec71e301cd7bd7fe999e6688bd670d1cce0c3bc4

                                          SHA512

                                          ff87ae5aae7c79b38ac87ddda060e48fd0c5c5fea0928e4c7844e8d57283ea5502b3e983e7eeeaf08366041c1e501866bc9e3a689d5455781ec22d3d05ab1813

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259590488.txt

                                          Filesize

                                          1KB

                                          MD5

                                          fd2f2287f2ee5c0764d71871e5d75d6b

                                          SHA1

                                          4517a0976297fdae7a687576f0d84bfbea87bcea

                                          SHA256

                                          a581a6a1cae1a223b895bc243afa4c9ac44f6ee53eb80ac563cdbfea9bba0c0b

                                          SHA512

                                          c362eb2a39f0500f96fec2a9299e2701619f0146293a077d193466101dc0f56357f9044e3f9b2fc116d003b35a0b516c0f0f8817a744089a4c293ac3dea60a06

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259605101.txt

                                          Filesize

                                          1KB

                                          MD5

                                          d595f8e0e972ec3a22044ac76b2eff5f

                                          SHA1

                                          fb8ae32179305cac67dcdc7d4259cf5ec78f7157

                                          SHA256

                                          ca733549d8defdfbe23a5eb99c5b0e75fc167294a6ecf0627f028fe82ef249be

                                          SHA512

                                          2b2d14645671afb14ed9e1f3349f588d202613df5043b061e703a2cbb8dbc09e38785b9185d396e6d4317a936d3efad7ae08028f1c239600fc389c62741a3323

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259622578.txt

                                          Filesize

                                          1KB

                                          MD5

                                          6e246250969c64facffd01566c1b8e2b

                                          SHA1

                                          203222bd2e14764ed3204cf66616a204b5fd41b4

                                          SHA256

                                          44a7ff9c9037af3615e8f45d40f38fb0257278a6031894b0d84eb374be9d7d13

                                          SHA512

                                          386257b603dadd85dfb4deb80fe13ce82a08d5e2c303dd159a1b22e0e08cc864f61b42d0bb42e555f3697dd4f7e80897f856336c02d863f7d905ba78e0cae0c6

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259638891.txt

                                          Filesize

                                          1KB

                                          MD5

                                          124b12c34ae3f8632057bbdd0ccbe95d

                                          SHA1

                                          671142e866280df59ea2dae27283026cf8e3cf86

                                          SHA256

                                          1668d0a91385669db9dab9de0cead39349a81221b3c4a5e10baabd9eb3ec0a99

                                          SHA512

                                          5f60cc50b6351246dd457eae213357b9e3e6335a13c028964eeae98b08be8edfe0efd5a23b199de98ba1ec8798e823d1558b76a6d26c8f3cd44a2d0f6a86a3fa

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259650354.txt

                                          Filesize

                                          1KB

                                          MD5

                                          5abf9e70322086d3bb3c865bdd66329e

                                          SHA1

                                          e6bbcd5180a118e2c49171ad763db50e23e5ecca

                                          SHA256

                                          b90afb6a6ffcde08fb17e26e8e76a1677e6c367041b0faeb27902db3c3400cbb

                                          SHA512

                                          7cf2fedd129755c32677138fbbbf3c0818c3e0d4f37156050e0517803ddf2765c892e867c6b825eda7f663620b1ac6abb81d98052ee531e43433cdc21deffd24

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259670007.txt

                                          Filesize

                                          1KB

                                          MD5

                                          611402005ae51821aee0535a9c2684ff

                                          SHA1

                                          ba61e12d17a93e728b25aa68ff080565cb6a8c9a

                                          SHA256

                                          08edef6da54c20dca0edd29c103aa0cc92e4a120e78617bb241696a79f4f7833

                                          SHA512

                                          910e89cb8335bf3c44f86b6345d7e9e07809c0d8f9503a240a35a16b59e5b0706eb40e1691e346bba876165878fa935a1f86ec9690b0e08127a8220c423dacd6

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259683764.txt

                                          Filesize

                                          1KB

                                          MD5

                                          0c19182f722adc2aff48bc8effd1f663

                                          SHA1

                                          83a9e1079ae6a1ba940b6855cd87b5334b26f8be

                                          SHA256

                                          596fa44dab3e6a6c45ed18df3ff5a7713d22e0c2a4254bf377a1f5366a2b0bde

                                          SHA512

                                          ce47148c87218000ef02bf2ec3a1c10e3d31070314357dc89961d947486cfc24245137128de95278fe2f6f339bcceb54682ee7474dfbd536da998f9d2608cf59

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259696884.txt

                                          Filesize

                                          1KB

                                          MD5

                                          5ff3105eaa1c395e7315b2e8ae8c0adb

                                          SHA1

                                          03638f8108ced6cf1a90d2db27cb587ddbc80c36

                                          SHA256

                                          629ee9ce67b475d93813c98567ad505c1d60ff4dce25b3c34fae442bd21f34bd

                                          SHA512

                                          e3b40a8a66e0bad3596f7729336936edca1dbf9266af1951297e898d624c627c45ff0c6a539440fde52ce7f52c79cb2e2695e9fd5a085802560bb8d8d6a1f2b3

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259714075.txt

                                          Filesize

                                          1KB

                                          MD5

                                          a9885375391f88e125cea076b93e3c86

                                          SHA1

                                          cafa4d771e89160a21b410d77a3d7f1e7f125bf0

                                          SHA256

                                          8170d8708105168831a9955286c53970fad87fc633a8bcb27487ba38498ad557

                                          SHA512

                                          02f9b348c8429c0622ed2489d9ce50b9f83b2da50a7a787205b042ac6c822a349e95f33ed6979186e4fcc62602916a6d8dd64cf6909ee617380a2f2672c0b863

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259730788.txt

                                          Filesize

                                          1KB

                                          MD5

                                          9ead80eb3d7bb83dfd637364f5b25536

                                          SHA1

                                          ea4e54a01a3c6abf9b29bbf4f1a3313593b1bb0c

                                          SHA256

                                          5125e068475af4753192e981de6ea5264b22d994e330323d9010ed2d7f2f7bfa

                                          SHA512

                                          4354da6cd964b5724685bd77670e480b4a2de802d4cbefcb32259238ed0760714b7835fec662434902ff8b6228783e4b6fcbe8416a7563a9eb08b8d7b2d99ad5

                                        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259743041.txt

                                          Filesize

                                          1KB

                                          MD5

                                          4be233088eaec8f92077bab0222c4aaf

                                          SHA1

                                          9fae383e7f99fe89d3076133ae970af9f8dd2570

                                          SHA256

                                          ecdcacabec5766e484449a9d678ae7ec3534019925f2efda4e804d281c807ade

                                          SHA512

                                          2ab5bd3e1ce3133cd05f20481ed3a579d9e1ba0b146934c13409f0e4a8461f99a50c39a6a204b75f75af0481d31fef0d90f0c34756f3e0d91be6ad43c0f355c8

                                        • C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs

                                          Filesize

                                          2KB

                                          MD5

                                          5df9cc7a167a8711770e63f29cc69d16

                                          SHA1

                                          312cc26407eada041f5310a62fd73b99fd03a240

                                          SHA256

                                          ec8a7ee52bf19d91f02f739f67f186a17730ca0bedab940b0b5f75973375a6cf

                                          SHA512

                                          bb7298e112011387cd7f65bd048fecdeb71104963586b423daf271bdfa4809b9b9f113680b9ce177f6139b63e19b805edd827d026cee9a219e442f00d50ad235

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          0cccc76f893acf4de95fdd7541f19349

                                          SHA1

                                          79d41cb8636658cb5d6f0852b07ca5d64f7904b4

                                          SHA256

                                          0eeb2f48337b95c209eabd5be5e4bb495202bc6a96455fe5aab09ef960179d9c

                                          SHA512

                                          a34d65ea8db89198ca313ac421466be7dcdb30c960083bbf2d3accd2b83c5d751627e117c24e658b83862c4889963be6da2d37d9b8e0d6363c57f0d5fa4f84c6

                                        • memory/1856-16-0x000000001B8F0000-0x000000001BBD2000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/1856-17-0x0000000001E20000-0x0000000001E28000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/2600-7-0x0000000002720000-0x0000000002728000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/2600-6-0x000000001B5B0000-0x000000001B892000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/2600-8-0x0000000002D00000-0x0000000002D0A000-memory.dmp

                                          Filesize

                                          40KB