Overview

overview

10

Static

static

3

67801c6458...7N.exe

windows7-x64

10

67801c6458...7N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2024 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe

  • Size

    4.9MB

  • MD5

    a87a3e93eb8f7ee1a70c9b6204930910

  • SHA1

    d5540d781ad24f6ebd68773fc6581a519d8c44a9

  • SHA256

    67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227

  • SHA512

    d8c2ea8d31db9e5f96113057fd1a43d042ca7988081c8f31ba69aef10af91098eaaa6837504c91886452dba5f4c94ba9d6054375b6044409b1ccc1b74907e19d

  • SSDEEP

    49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • Colibri family
    colibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 45 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 51 IoCs
  • Checks whether UAC is enabled 1 TTPs 30 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 15 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 45 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
    "C:\Users\Admin\AppData\Local\Temp\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:316
    • C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe"
          4⤵
          • Executes dropped EXE
          PID:3264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3440
    • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
      "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4836
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7179f2dd-0ac8-4d87-8721-f09429153fc8.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
          "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3328
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a39951c6-c6f4-4022-816e-f179735c8377.vbs"
            5⤵
              PID:2124
              • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • System policy modification
                PID:3316
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2c8c32c-dabe-4dc2-8ee4-bea03b5eb05d.vbs"
                  7⤵
                    PID:4164
                    • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                      "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                      8⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • System policy modification
                      PID:2452
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9deae5aa-9ed1-4f21-ba4c-5dcc77d2a2da.vbs"
                        9⤵
                          PID:60
                          • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                            "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                            10⤵
                            • UAC bypass
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • System policy modification
                            PID:3816
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cad7ea9a-b2f0-4549-b9d7-71a1bda2d36c.vbs"
                              11⤵
                                PID:3620
                                • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                                  "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                                  12⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • System policy modification
                                  PID:1800
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee28e5b0-38cb-477e-8005-39834d87bcf9.vbs"
                                    13⤵
                                      PID:3348
                                      • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                                        "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                                        14⤵
                                        • UAC bypass
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Checks whether UAC is enabled
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • System policy modification
                                        PID:4852
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc396502-957a-4b2d-bf81-aa04a9705655.vbs"
                                          15⤵
                                            PID:4800
                                            • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                                              "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                                              16⤵
                                              • UAC bypass
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • System policy modification
                                              PID:5080
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27b3c8d2-5788-421a-9662-c56b3ef623ac.vbs"
                                                17⤵
                                                  PID:1740
                                                  • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                                                    "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                                                    18⤵
                                                    • UAC bypass
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Modifies registry class
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:4356
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69daae52-5de6-47d7-a9fe-d5249353e498.vbs"
                                                      19⤵
                                                        PID:8
                                                        • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                                                          "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                                                          20⤵
                                                          • UAC bypass
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • System policy modification
                                                          PID:464
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cdd02e3-511b-4bf9-883b-9bfc00f08f3a.vbs"
                                                            21⤵
                                                              PID:3116
                                                              • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                                                                "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                                                                22⤵
                                                                • UAC bypass
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Checks whether UAC is enabled
                                                                • Modifies registry class
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • System policy modification
                                                                PID:2068
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d95200d-690b-445c-b023-92e55382e989.vbs"
                                                                  23⤵
                                                                    PID:3012
                                                                    • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                                                                      "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                                                                      24⤵
                                                                      • UAC bypass
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Checks whether UAC is enabled
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • System policy modification
                                                                      PID:1484
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da8d59e2-853a-4046-be82-a333f6118d86.vbs"
                                                                        25⤵
                                                                          PID:4344
                                                                          • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                                                                            "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                                                                            26⤵
                                                                            • UAC bypass
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Checks whether UAC is enabled
                                                                            • Modifies registry class
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            • System policy modification
                                                                            PID:1200
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\157c22f5-4cf9-4b68-bcf8-c3eac8073c10.vbs"
                                                                              27⤵
                                                                                PID:1632
                                                                                • C:\Program Files\Windows Photo Viewer\SppExtComObj.exe
                                                                                  "C:\Program Files\Windows Photo Viewer\SppExtComObj.exe"
                                                                                  28⤵
                                                                                  • UAC bypass
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Checks whether UAC is enabled
                                                                                  • Modifies registry class
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • System policy modification
                                                                                  PID:3664
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b03c4b19-e130-40c7-9a53-c08847bd2384.vbs"
                                                                                    29⤵
                                                                                      PID:1452
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\943f2072-73ff-4333-b131-addcd335c5be.vbs"
                                                                                      29⤵
                                                                                        PID:1176
                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpC7CB.tmp.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpC7CB.tmp.exe"
                                                                                        29⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetThreadContext
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:4056
                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpC7CB.tmp.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpC7CB.tmp.exe"
                                                                                          30⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:4060
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e2d6304-d4bb-4fea-b6bd-516936a3a60a.vbs"
                                                                                    27⤵
                                                                                      PID:2968
                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp8478.tmp.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp8478.tmp.exe"
                                                                                      27⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetThreadContext
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:3944
                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp8478.tmp.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp8478.tmp.exe"
                                                                                        28⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:4780
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4022c84f-d540-48d9-ac44-14e489440eaf.vbs"
                                                                                  25⤵
                                                                                    PID:4744
                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp5569.tmp.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp5569.tmp.exe"
                                                                                    25⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:4420
                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp5569.tmp.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp5569.tmp.exe"
                                                                                      26⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetThreadContext
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:1480
                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp5569.tmp.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp5569.tmp.exe"
                                                                                        27⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:916
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cfe52dd-40ca-48fa-a7e7-92d474639a6f.vbs"
                                                                                23⤵
                                                                                  PID:4356
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp37FE.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp37FE.tmp.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:860
                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp37FE.tmp.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp37FE.tmp.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:5096
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3f2e1eb-522b-460e-8584-c925f17f7f51.vbs"
                                                                              21⤵
                                                                                PID:1952
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp8FF.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp8FF.tmp.exe"
                                                                                21⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:924
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp8FF.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp8FF.tmp.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2688
                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp8FF.tmp.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp8FF.tmp.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:2272
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fe86f43-c77e-48d1-8801-5b834cc71c6b.vbs"
                                                                            19⤵
                                                                              PID:2292
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpEE05.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmpEE05.tmp.exe"
                                                                              19⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:5100
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmpEE05.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmpEE05.tmp.exe"
                                                                                20⤵
                                                                                • Executes dropped EXE
                                                                                PID:3592
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8c3493e-5774-4e43-bc3e-2d3341b0b1fc.vbs"
                                                                          17⤵
                                                                            PID:2800
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpD220.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpD220.tmp.exe"
                                                                            17⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4756
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpD220.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmpD220.tmp.exe"
                                                                              18⤵
                                                                              • Executes dropped EXE
                                                                              PID:3524
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de9caece-f178-4d4c-9572-ce4f40de9049.vbs"
                                                                        15⤵
                                                                          PID:2708
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpA16B.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpA16B.tmp.exe"
                                                                          15⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3896
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpA16B.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpA16B.tmp.exe"
                                                                            16⤵
                                                                            • Executes dropped EXE
                                                                            PID:4744
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cae50746-6112-4b0a-896e-2b4d728955fb.vbs"
                                                                      13⤵
                                                                        PID:4220
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp8548.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp8548.tmp.exe"
                                                                        13⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1660
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp8548.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp8548.tmp.exe"
                                                                          14⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2688
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp8548.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp8548.tmp.exe"
                                                                            15⤵
                                                                            • Executes dropped EXE
                                                                            PID:2292
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9de66cf1-398e-4883-9d3e-171b2e941472.vbs"
                                                                    11⤵
                                                                      PID:1488
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp5530.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp5530.tmp.exe"
                                                                      11⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2864
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp5530.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp5530.tmp.exe"
                                                                        12⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:3804
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp5530.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp5530.tmp.exe"
                                                                          13⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:372
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp5530.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp5530.tmp.exe"
                                                                            14⤵
                                                                            • Executes dropped EXE
                                                                            PID:4064
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4f9647f-115a-4d4f-bedc-2dbf6e9cdccf.vbs"
                                                                  9⤵
                                                                    PID:4844
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp249A.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp249A.tmp.exe"
                                                                    9⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2104
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp249A.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp249A.tmp.exe"
                                                                      10⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3776
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp249A.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp249A.tmp.exe"
                                                                        11⤵
                                                                        • Executes dropped EXE
                                                                        PID:2660
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95eda992-2534-4950-858a-dc16bc42107a.vbs"
                                                                7⤵
                                                                  PID:2320
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpF433.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpF433.tmp.exe"
                                                                  7⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2092
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpF433.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmpF433.tmp.exe"
                                                                    8⤵
                                                                    • Executes dropped EXE
                                                                    PID:1208
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aec1c437-16b2-41aa-8062-65839cf323ab.vbs"
                                                              5⤵
                                                                PID:1720
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe"
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:4360
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.exe"
                                                                  6⤵
                                                                  • Executes dropped EXE
                                                                  PID:792
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1d93f0c-0226-424a-a163-71ea356f09be.vbs"
                                                            3⤵
                                                              PID:4316
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpA5A6.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpA5A6.tmp.exe"
                                                              3⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:1136
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpA5A6.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpA5A6.tmp.exe"
                                                                4⤵
                                                                • Executes dropped EXE
                                                                PID:4740
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\sysmon.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3816
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\sysmon.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1608
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\swidtag\sysmon.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:888
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\SppExtComObj.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1900
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\SppExtComObj.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:1088
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\SppExtComObj.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:388
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\sihost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4268
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\es-ES\sihost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3520
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\sihost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:244
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2036
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:320
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3996

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Program Files\dotnet\swidtag\sysmon.exe
                                                          Filesize

                                                          4.9MB

                                                          MD5

                                                          a87a3e93eb8f7ee1a70c9b6204930910

                                                          SHA1

                                                          d5540d781ad24f6ebd68773fc6581a519d8c44a9

                                                          SHA256

                                                          67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227

                                                          SHA512

                                                          d8c2ea8d31db9e5f96113057fd1a43d042ca7988081c8f31ba69aef10af91098eaaa6837504c91886452dba5f4c94ba9d6054375b6044409b1ccc1b74907e19d

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log
                                                          Filesize

                                                          1KB

                                                          MD5

                                                          4a667f150a4d1d02f53a9f24d89d53d1

                                                          SHA1

                                                          306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                          SHA256

                                                          414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                          SHA512

                                                          4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                          Filesize

                                                          2KB

                                                          MD5

                                                          a43e653ffb5ab07940f4bdd9cc8fade4

                                                          SHA1

                                                          af43d04e3427f111b22dc891c5c7ee8a10ac4123

                                                          SHA256

                                                          c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

                                                          SHA512

                                                          62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Filesize

                                                          944B

                                                          MD5

                                                          62623d22bd9e037191765d5083ce16a3

                                                          SHA1

                                                          4a07da6872672f715a4780513d95ed8ddeefd259

                                                          SHA256

                                                          95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                          SHA512

                                                          9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Filesize

                                                          944B

                                                          MD5

                                                          2e907f77659a6601fcc408274894da2e

                                                          SHA1

                                                          9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                          SHA256

                                                          385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                          SHA512

                                                          34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Filesize

                                                          944B

                                                          MD5

                                                          6d42b6da621e8df5674e26b799c8e2aa

                                                          SHA1

                                                          ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                                          SHA256

                                                          5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                                          SHA512

                                                          53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Filesize

                                                          944B

                                                          MD5

                                                          cadef9abd087803c630df65264a6c81c

                                                          SHA1

                                                          babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                          SHA256

                                                          cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                          SHA512

                                                          7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Filesize

                                                          944B

                                                          MD5

                                                          bd5940f08d0be56e65e5f2aaf47c538e

                                                          SHA1

                                                          d7e31b87866e5e383ab5499da64aba50f03e8443

                                                          SHA256

                                                          2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                          SHA512

                                                          c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\7179f2dd-0ac8-4d87-8721-f09429153fc8.vbs
                                                          Filesize

                                                          730B

                                                          MD5

                                                          d11689662a48a196ba687b06c940fbeb

                                                          SHA1

                                                          50b6b4dc26aeb1253d17dee40de336e7b5622ca3

                                                          SHA256

                                                          da5bc8af3f60026b03baeedea1472d80f4630d4989312e5fd83d4c64c197fca7

                                                          SHA512

                                                          91212b468b83e8d84b72ce00891c8562159faf60149345db195e316f92667f8de4848bd6f85f5297b093a9cb95bd8ed2d57dbf870d19b103d40b6129011b6607

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\9deae5aa-9ed1-4f21-ba4c-5dcc77d2a2da.vbs
                                                          Filesize

                                                          730B

                                                          MD5

                                                          f33706ed949fd94fbf8d01cf201dd1c4

                                                          SHA1

                                                          3b510c1f8d37cdc6cf277a75fdfafb9cfee87d7d

                                                          SHA256

                                                          b6326bd36ef3eae4bb76bd7c3a200054089997661a60b0ac60d119680d5b774f

                                                          SHA512

                                                          15ba10b7aa883d9bc3f1abf71af3990663e0a72f1c62940d1183b57a9593e4240b65ace09fc1c97dfc30ede4aa93c2d6befdcd6459a3556735158f3a53ddc5fb

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y5cwqdub.jo5.ps1
                                                          Filesize

                                                          60B

                                                          MD5

                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                          SHA1

                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                          SHA256

                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                          SHA512

                                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\a2c8c32c-dabe-4dc2-8ee4-bea03b5eb05d.vbs
                                                          Filesize

                                                          730B

                                                          MD5

                                                          a694625ee6c2870f6716afb61eeb3a18

                                                          SHA1

                                                          e81ba80bee25c9d88b329e62bd45512dce7b4e35

                                                          SHA256

                                                          3c2bac81611437a5f0989f4d32376fa3fb7bf696cb487d7c213689413ad48420

                                                          SHA512

                                                          122bb81399d20b2543062e6b2ff2666b145c17602f44bd431b3af7663b022bd7898b31643cf1c12519a216977c4cfb865ff592c2eef47bf886fced266a97127a

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\a39951c6-c6f4-4022-816e-f179735c8377.vbs
                                                          Filesize

                                                          730B

                                                          MD5

                                                          23efdf69e6a22a8b4dbf4f0c546ee2eb

                                                          SHA1

                                                          f159d8ae604818b08f36735b77ed2d5b3721b75d

                                                          SHA256

                                                          1e5432f341a6bd34fffa47be59a94e6c449b9400b0ec7f9625d58c416856abc8

                                                          SHA512

                                                          dc3b3ff1a6ada158e83ea0d115025f98e3c0a28742a3aea1e850005fd3f6002ae70ba4d1a3aaf792d7710ad474e882dddf8c6deceb24d351804156ad2cb783b8

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\cad7ea9a-b2f0-4549-b9d7-71a1bda2d36c.vbs
                                                          Filesize

                                                          730B

                                                          MD5

                                                          9f18bf1a9f032a5d7155569d7a796abc

                                                          SHA1

                                                          4428f768f1c7004d51d9324249a53d5beb38f226

                                                          SHA256

                                                          7a05eb5094c2c3d0c6bf9b91aee3b91e26cd19c36c84efa3cedb3b85df867ec7

                                                          SHA512

                                                          6d388f1a4ab219eff83649e089a61608d618257c75016ea1f58feceff4c1aaa2881a932b6c9c487c29fe3c2b3875e20799425b94486d05db3647a3db6dde38f2

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\d1d93f0c-0226-424a-a163-71ea356f09be.vbs
                                                          Filesize

                                                          506B

                                                          MD5

                                                          2c4f47e95b42c4951c6b9c6dbce052b4

                                                          SHA1

                                                          5df37ca59e05e9f7849a6a533f94c01dae061b3a

                                                          SHA256

                                                          4a4834eea5d49d4d7a0507fae9d2a102e5441b6d8cccaed459cb2f711d3e78ae

                                                          SHA512

                                                          d1c1af7da2e3078c327573e7d85c2b4ddfbf2c4228c4cbad7fa0e9f270f4bc229b5e0a468b314a02563b1fa809de28210e13ec27830be15f59afa7d5031ab37e

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\ee28e5b0-38cb-477e-8005-39834d87bcf9.vbs
                                                          Filesize

                                                          730B

                                                          MD5

                                                          d12669047268725f53dd040bb5c54d59

                                                          SHA1

                                                          04535455b3edd13c5213799391d7d120961e33c7

                                                          SHA256

                                                          5119cfbb651e9b52df5141707a0c491de0a6e9ebbb4dacfd06545e6c5f5e1814

                                                          SHA512

                                                          d37182d9339815787ddb91cf615fe1fdd1fca568eae1f3be880868773d16c65052d3a53e8d71b089daaf3577e520d2f4c6f17cd7b8a509b9e691cdcc955d7058

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.exe
                                                          Filesize

                                                          75KB

                                                          MD5

                                                          e0a68b98992c1699876f818a22b5b907

                                                          SHA1

                                                          d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                          SHA256

                                                          2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                          SHA512

                                                          856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                          Download Submit

                                                        • memory/316-4-0x0000000003630000-0x000000000364C000-memory.dmp

                                                          Filesize

                                                          112KB

                                                          Download

                                                        • memory/316-7-0x0000000003650000-0x0000000003660000-memory.dmp

                                                          Filesize

                                                          64KB

                                                          Download

                                                        • memory/316-18-0x000000001CA80000-0x000000001CA8C000-memory.dmp

                                                          Filesize

                                                          48KB

                                                          Download

                                                        • memory/316-0-0x00007FFC7EB33000-0x00007FFC7EB35000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/316-12-0x000000001CFA0000-0x000000001D4C8000-memory.dmp

                                                          Filesize

                                                          5.2MB

                                                          Download

                                                        • memory/316-13-0x000000001C9E0000-0x000000001C9EA000-memory.dmp

                                                          Filesize

                                                          40KB

                                                          Download

                                                        • memory/316-11-0x000000001C9D0000-0x000000001C9E2000-memory.dmp

                                                          Filesize

                                                          72KB

                                                          Download

                                                        • memory/316-234-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

                                                          Filesize

                                                          10.8MB

                                                          Download

                                                        • memory/316-14-0x000000001C9F0000-0x000000001C9FE000-memory.dmp

                                                          Filesize

                                                          56KB

                                                          Download

                                                        • memory/316-15-0x000000001CA00000-0x000000001CA0E000-memory.dmp

                                                          Filesize

                                                          56KB

                                                          Download

                                                        • memory/316-2-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

                                                          Filesize

                                                          10.8MB

                                                          Download

                                                        • memory/316-1-0x0000000000FD0000-0x00000000014C4000-memory.dmp

                                                          Filesize

                                                          5.0MB

                                                          Download

                                                        • memory/316-8-0x0000000003660000-0x0000000003676000-memory.dmp

                                                          Filesize

                                                          88KB

                                                          Download

                                                        • memory/316-9-0x000000001C370000-0x000000001C380000-memory.dmp

                                                          Filesize

                                                          64KB

                                                          Download

                                                        • memory/316-10-0x000000001C380000-0x000000001C38A000-memory.dmp

                                                          Filesize

                                                          40KB

                                                          Download

                                                        • memory/316-6-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

                                                          Filesize

                                                          32KB

                                                          Download

                                                        • memory/316-16-0x000000001CA10000-0x000000001CA18000-memory.dmp

                                                          Filesize

                                                          32KB

                                                          Download

                                                        • memory/316-5-0x000000001CA20000-0x000000001CA70000-memory.dmp

                                                          Filesize

                                                          320KB

                                                          Download

                                                        • memory/316-17-0x000000001CA70000-0x000000001CA78000-memory.dmp

                                                          Filesize

                                                          32KB

                                                          Download

                                                        • memory/316-3-0x000000001C3A0000-0x000000001C4CE000-memory.dmp

                                                          Filesize

                                                          1.2MB

                                                          Download

                                                        • memory/1484-491-0x0000000002B80000-0x0000000002B92000-memory.dmp

                                                          Filesize

                                                          72KB

                                                          Download

                                                        • memory/2068-474-0x00000000029A0000-0x00000000029B2000-memory.dmp

                                                          Filesize

                                                          72KB

                                                          Download

                                                        • memory/3264-70-0x0000000000400000-0x0000000000407000-memory.dmp

                                                          Filesize

                                                          28KB

                                                          Download

                                                        • memory/5008-135-0x000001E0D7740000-0x000001E0D7762000-memory.dmp

                                                          Filesize

                                                          136KB

                                                          Download