Overview

overview

10

Static

static

3

4a4ea3bb2e...1N.exe

windows7-x64

10

4a4ea3bb2e...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe

  • Size

    4.9MB

  • MD5

    d49f3eca938ef9afc22ab37348e7c3d0

  • SHA1

    bbb92df0748401881fd5d2cddd8022130a735971

  • SHA256

    4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351

  • SHA512

    97890bcf4071bee21d6e9f7e891a4cbfcba15e41672646a6122cbc986e404d6aa3b5ddd5af19c1becfd7c9865cda5654a3324470dfc89f517bf13b28b7dede68

  • SSDEEP

    49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • Colibri family
    colibri
  • DcRat 25 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 12 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 39 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 12 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
    "C:\Users\Admin\AppData\Local\Temp\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1560
    • C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmp.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmp.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4880
        • C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmp.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:460
          • C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmp.exe"
            5⤵
            • Executes dropped EXE
            PID:972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1456
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VEid32eq5K.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3408
        • C:\Users\Admin\AppData\Local\Temp\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
          "C:\Users\Admin\AppData\Local\Temp\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4236
          • C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4956
            • C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.exe
              "C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3296
              • C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.exe
                "C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.exe"
                6⤵
                • Executes dropped EXE
                PID:1456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2272
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4460
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2536
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eujHkJhPHq.bat"
            4⤵
              PID:4136
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                5⤵
                  PID:5376
                • C:\Users\Admin\3D Objects\dllhost.exe
                  "C:\Users\Admin\3D Objects\dllhost.exe"
                  5⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:5840
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37350d5f-d005-4405-b23a-13c3e5ed1394.vbs"
                    6⤵
                      PID:6024
                      • C:\Users\Admin\3D Objects\dllhost.exe
                        "C:\Users\Admin\3D Objects\dllhost.exe"
                        7⤵
                        • UAC bypass
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:1360
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0cf67e7-64b9-4214-a245-b5ce87577c7f.vbs"
                          8⤵
                            PID:4580
                            • C:\Users\Admin\3D Objects\dllhost.exe
                              "C:\Users\Admin\3D Objects\dllhost.exe"
                              9⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:264
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a578bd1b-a599-4cd4-9364-2c37438b6f4d.vbs"
                                10⤵
                                  PID:2060
                                  • C:\Users\Admin\3D Objects\dllhost.exe
                                    "C:\Users\Admin\3D Objects\dllhost.exe"
                                    11⤵
                                    • UAC bypass
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Modifies registry class
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:5808
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eec92c1a-0db1-4661-81c6-a9a4eaae2a1e.vbs"
                                      12⤵
                                        PID:1288
                                        • C:\Users\Admin\3D Objects\dllhost.exe
                                          "C:\Users\Admin\3D Objects\dllhost.exe"
                                          13⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:5264
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0beb607-a72d-4b3f-8442-6fb2ecd0b34a.vbs"
                                            14⤵
                                              PID:1640
                                              • C:\Users\Admin\3D Objects\dllhost.exe
                                                "C:\Users\Admin\3D Objects\dllhost.exe"
                                                15⤵
                                                • UAC bypass
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:5428
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\544b424c-ecc1-4843-876c-69ed6f6eb1f5.vbs"
                                                  16⤵
                                                    PID:1360
                                                    • C:\Users\Admin\3D Objects\dllhost.exe
                                                      "C:\Users\Admin\3D Objects\dllhost.exe"
                                                      17⤵
                                                      • UAC bypass
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:5320
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a98a0b8-dfa9-4c70-911d-633ac1f932f9.vbs"
                                                        18⤵
                                                          PID:2076
                                                          • C:\Users\Admin\3D Objects\dllhost.exe
                                                            "C:\Users\Admin\3D Objects\dllhost.exe"
                                                            19⤵
                                                            • UAC bypass
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Modifies registry class
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:1764
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00b76397-985d-4ef7-9896-1befe92b5596.vbs"
                                                              20⤵
                                                                PID:4456
                                                                • C:\Users\Admin\3D Objects\dllhost.exe
                                                                  "C:\Users\Admin\3D Objects\dllhost.exe"
                                                                  21⤵
                                                                  • UAC bypass
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Modifies registry class
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:3488
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8f86795-7f08-48e3-bb51-370e68b7d362.vbs"
                                                                    22⤵
                                                                      PID:5900
                                                                      • C:\Users\Admin\3D Objects\dllhost.exe
                                                                        "C:\Users\Admin\3D Objects\dllhost.exe"
                                                                        23⤵
                                                                        • UAC bypass
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Modifies registry class
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:5788
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a485f932-12d2-4b71-abb0-7873b64b4242.vbs"
                                                                          24⤵
                                                                            PID:2520
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acbd7900-7b08-4ee7-bcbb-da5387d8776c.vbs"
                                                                            24⤵
                                                                              PID:5848
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp7342.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp7342.tmp.exe"
                                                                              24⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4540
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp7342.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp7342.tmp.exe"
                                                                                25⤵
                                                                                • Executes dropped EXE
                                                                                PID:2096
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecb1a693-8cc2-4bce-91c3-fb12b7965921.vbs"
                                                                          22⤵
                                                                            PID:5880
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5264
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4300
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe"
                                                                                24⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:5188
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp424F.tmp.exe"
                                                                                  25⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:5504
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9aa95a8-cf99-49cc-986c-3bd7ee6dbe6c.vbs"
                                                                        20⤵
                                                                          PID:2100
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp25CE.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp25CE.tmp.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:3620
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp25CE.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp25CE.tmp.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            PID:756
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9e0f224-e428-4c9f-b8fd-aab6deb26530.vbs"
                                                                      18⤵
                                                                        PID:2228
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp8A1.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp8A1.tmp.exe"
                                                                        18⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:916
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp8A1.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp8A1.tmp.exe"
                                                                          19⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:1456
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp8A1.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp8A1.tmp.exe"
                                                                            20⤵
                                                                            • Executes dropped EXE
                                                                            PID:3964
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5809852-d88e-49fa-b359-df91e581206c.vbs"
                                                                    16⤵
                                                                      PID:1788
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmpD7AE.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmpD7AE.tmp.exe"
                                                                      16⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:1088
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpD7AE.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpD7AE.tmp.exe"
                                                                        17⤵
                                                                        • Executes dropped EXE
                                                                        PID:3952
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e25e5029-aa83-4d12-a10d-8ad38bb4a135.vbs"
                                                                  14⤵
                                                                    PID:6036
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db45f703-15b0-43a6-98f1-25cbd851eb5d.vbs"
                                                                12⤵
                                                                  PID:5968
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp8596.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp8596.tmp.exe"
                                                                  12⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:6136
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp8596.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp8596.tmp.exe"
                                                                    13⤵
                                                                    • Executes dropped EXE
                                                                    PID:4780
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5b87ac0-e8a8-4b0f-9a38-3da9d5323c48.vbs"
                                                              10⤵
                                                                PID:5640
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp677F.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp677F.tmp.exe"
                                                                10⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4496
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp677F.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp677F.tmp.exe"
                                                                  11⤵
                                                                  • Executes dropped EXE
                                                                  PID:5552
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b5bd107-35d5-4b1f-8db7-da61fadc5384.vbs"
                                                            8⤵
                                                              PID:1544
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp4A52.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp4A52.tmp.exe"
                                                              8⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:444
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp4A52.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp4A52.tmp.exe"
                                                                9⤵
                                                                • Executes dropped EXE
                                                                PID:4328
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e3e2939-d151-4803-975c-a457296008b3.vbs"
                                                          6⤵
                                                            PID:6072
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp16A0.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp16A0.tmp.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2384
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp16A0.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp16A0.tmp.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              PID:1556
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3728
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3284
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2812
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\dwm.exe'" /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1184
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Templates\dwm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5020
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\dwm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4808
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1732
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1768
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:572
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4384
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4672
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1588
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\lsass.exe'" /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:312
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2060
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3264
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\images\WmiPrvSE.exe'" /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4428
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\WmiPrvSE.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3952
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\WmiPrvSE.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1788
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'" /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4868
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1544
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1652
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:208
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:444
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • DcRat
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4348

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\ProgramData\SoftwareDistribution\fontdrvhost.exe
                                                  Filesize

                                                  4.9MB

                                                  MD5

                                                  d49f3eca938ef9afc22ab37348e7c3d0

                                                  SHA1

                                                  bbb92df0748401881fd5d2cddd8022130a735971

                                                  SHA256

                                                  4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351

                                                  SHA512

                                                  97890bcf4071bee21d6e9f7e891a4cbfcba15e41672646a6122cbc986e404d6aa3b5ddd5af19c1becfd7c9865cda5654a3324470dfc89f517bf13b28b7dede68

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe.log
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  bbb951a34b516b66451218a3ec3b0ae1

                                                  SHA1

                                                  7393835a2476ae655916e0a9687eeaba3ee876e9

                                                  SHA256

                                                  eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

                                                  SHA512

                                                  63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  4a667f150a4d1d02f53a9f24d89d53d1

                                                  SHA1

                                                  306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                  SHA256

                                                  414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                  SHA512

                                                  4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  d85ba6ff808d9e5444a4b369f5bc2730

                                                  SHA1

                                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                                  SHA256

                                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                  SHA512

                                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  d28a889fd956d5cb3accfbaf1143eb6f

                                                  SHA1

                                                  157ba54b365341f8ff06707d996b3635da8446f7

                                                  SHA256

                                                  21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                  SHA512

                                                  0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  bd5940f08d0be56e65e5f2aaf47c538e

                                                  SHA1

                                                  d7e31b87866e5e383ab5499da64aba50f03e8443

                                                  SHA256

                                                  2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                  SHA512

                                                  c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  cadef9abd087803c630df65264a6c81c

                                                  SHA1

                                                  babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                  SHA256

                                                  cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                  SHA512

                                                  7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  3a6bad9528f8e23fb5c77fbd81fa28e8

                                                  SHA1

                                                  f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                  SHA256

                                                  986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                  SHA512

                                                  846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  59d97011e091004eaffb9816aa0b9abd

                                                  SHA1

                                                  1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                                                  SHA256

                                                  18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                                                  SHA512

                                                  d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  e59140d6693b6a0f6a8617b45bdef9fe

                                                  SHA1

                                                  7157a22b2533d10fe8ed91d2c5782b44c79bbcde

                                                  SHA256

                                                  baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e

                                                  SHA512

                                                  117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  3c625954a51c4bbd8141206b00f6fc0a

                                                  SHA1

                                                  4128cb2f9d2984844e303e2e330e448334e5c273

                                                  SHA256

                                                  952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

                                                  SHA512

                                                  3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  caae66b2d6030f85188e48e4ea3a9fa6

                                                  SHA1

                                                  108425bd97144fa0f92ff7b2109fec293d14a461

                                                  SHA256

                                                  a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d

                                                  SHA512

                                                  189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  a9a7f35c006bbf5da72f9cb250ffbddb

                                                  SHA1

                                                  458a8cedc38dac109631d9fccb3bf6d2c5c0e89e

                                                  SHA256

                                                  a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b

                                                  SHA512

                                                  d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  17e45724e81fad9d4f4eda74fe6b349e

                                                  SHA1

                                                  0ef309ee5638e1055c0f0fe7cd693a5643a1e4a3

                                                  SHA256

                                                  444084a5dd84f5aeaa084a27da160ea4501574fbb27da9d7aab3c6c5b3269eb6

                                                  SHA512

                                                  c1b0dd77c2ae9c15843b3bac8de6874609ebeffa5e10e552b364340c51bde690ac563c132dbc14f93e68d3a7939ea840fa687eb1bd603d646acf88a3430b6e45

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  272dc716c99407615cc54be63824cd1e

                                                  SHA1

                                                  6aeeeee0a254473427af394b161c1020cf74ec0a

                                                  SHA256

                                                  0e772f1d15426881d1c79b319c8d52919383d1c1b861d1893a94c0e8bd472f06

                                                  SHA512

                                                  5a32034ea515f358ef4ec2e2f198fdc0dd0c5900645c4a8e8e1da7922ee19836d735ee726ce7d60b3015ab7abc10ebec2602fec24dca4f4e0798db2a7bf5aaf2

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  944B

                                                  MD5

                                                  bf3651a8682259b5e292b98289271f76

                                                  SHA1

                                                  4694a32734c377985dafbd15e26b9a129f1e4a45

                                                  SHA256

                                                  5ffc07abea05b9bb523e511ed75995488a22e3dd54fddc50b62b8336bd57c575

                                                  SHA512

                                                  d9cd369fc710131f0f24c3add83a923625831b1bfb4fba0da83dd71fa41a4ed5a0f0e00755f3cf8ae2aef4aa498c353348c51c167f7d6a2af834f07c78b33896

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\37350d5f-d005-4405-b23a-13c3e5ed1394.vbs
                                                  Filesize

                                                  713B

                                                  MD5

                                                  ebbd045a57c0192f5eef3a8bb4f19c32

                                                  SHA1

                                                  fdd7d0a2f960495d58c638400f356e37ef62b1cc

                                                  SHA256

                                                  c959416d762c49b8e298111271f53fec88ecccc89c1680e2b503d4e8e9a2a6e2

                                                  SHA512

                                                  ff26fb8d01cf6b69ca77b6f3f7beb159a017420584c115bf34c7fc6d89c6f5747e3e9c8e84ed4650e2441c36960270d46228a4bb3b16aecdfda3a28342480568

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\4e3e2939-d151-4803-975c-a457296008b3.vbs
                                                  Filesize

                                                  489B

                                                  MD5

                                                  bb9688614d48b724d7ba5cec374a7ed4

                                                  SHA1

                                                  92795350d06fffdfcc00370de0bd25a082bf2333

                                                  SHA256

                                                  9198fbd5b6addb49e1d3e9fb50968e9ccdef8463906ab5eb3463243acb202e99

                                                  SHA512

                                                  b0ea833ac524509ff507a7b4f7b6334680b7d10f49e20c8b1d4a31dd97d46d48f2b940fd70785e1de751666525ebfa6660bd576644f2f663282282881bb6cfed

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\VEid32eq5K.bat
                                                  Filesize

                                                  268B

                                                  MD5

                                                  9ba843314a54bb2bf2854a6db7567cf1

                                                  SHA1

                                                  16d32606c0d0f37eeedac515d4a35306e5c7baa0

                                                  SHA256

                                                  c608491efe0df61c574eb4c3a765ced78ee019b8989225aba3434fe29cbacfc6

                                                  SHA512

                                                  20703500f3823ff0782648165935e5debf60a43d1d802faa29282a269b5b4924aaf139fe9a32374cbd87715976f8eba9539a3b918512a0b74562f7e4135cba7e

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klpxd30u.vdi.ps1
                                                  Filesize

                                                  60B

                                                  MD5

                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                  SHA1

                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                  SHA256

                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                  SHA512

                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\a578bd1b-a599-4cd4-9364-2c37438b6f4d.vbs
                                                  Filesize

                                                  712B

                                                  MD5

                                                  fceaee80bf2d2fad386943f654ed8e39

                                                  SHA1

                                                  6136a8b8c2955499f7af4718ea90adc4b82ac294

                                                  SHA256

                                                  81fe5fa3583ff28554d472d05bf6e291a1fd2dbf0612f489ce511781d7b41ba1

                                                  SHA512

                                                  3a87af19c991246b1298ba4b5a853255031cac60245a182c16700b172f320556830f41f83b6fce65f886c0d4315e042e1248b99cd2b029c919c31ab8ddeb5ee0

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\e0cf67e7-64b9-4214-a245-b5ce87577c7f.vbs
                                                  Filesize

                                                  713B

                                                  MD5

                                                  0d327290c7cd6048859b82b6aae700b8

                                                  SHA1

                                                  53773375ec7fa25c9b652486a91ea56f2db6566b

                                                  SHA256

                                                  bc7fd4b719c59c15f48f8a04ed14c8f7f8cd3ed2ef2d334b9127f1acd6ac167d

                                                  SHA512

                                                  f983166d09877b3c73d07636183428173d1e44487730fd24d4963438cfcbfb88402e14002e3237eaf2bdbc132c7734a8e8f38ac8bd1a907e606e80fe074e5b0f

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\eec92c1a-0db1-4661-81c6-a9a4eaae2a1e.vbs
                                                  Filesize

                                                  713B

                                                  MD5

                                                  d32f50d0271dbb7fd2b962188f660534

                                                  SHA1

                                                  144c413ccb6eb665932eb44c3ef2e503af5bfd2c

                                                  SHA256

                                                  9d70b8e2c4214af40dfb38253f4745f11285b967c6117312f62104f20df8c89e

                                                  SHA512

                                                  abab92bb18f32c656a699669d054e3cc47c31bdc5fd94f234360971a844a7203c0f5164dda9f0188fa785bb94879b26d7fa5383ca9075a64209d1e4df7f6bcf5

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\eujHkJhPHq.bat
                                                  Filesize

                                                  202B

                                                  MD5

                                                  ddc9f4b21e7199db52a99d26a4def8cd

                                                  SHA1

                                                  6278ab464dee6e79ea3893dcb0049e9cb2da4199

                                                  SHA256

                                                  dca90cf1d56e1ad32067ba4e174c47d40046c275d5fdc4e911977455061df7da

                                                  SHA512

                                                  c84b60c3e52d75f18241a2a86f8182cd9b3d9c834cb6634017ba6c8adeb9bc39208d51a2a1117217d812b4c9846aa734b3b35242caf7c16c2edb72abe2a854bf

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\tmpC4AB.tmp.exe
                                                  Filesize

                                                  75KB

                                                  MD5

                                                  e0a68b98992c1699876f818a22b5b907

                                                  SHA1

                                                  d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                  SHA256

                                                  2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                  SHA512

                                                  856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                  Download Submit

                                                • memory/972-61-0x0000000000400000-0x0000000000407000-memory.dmp

                                                  Filesize

                                                  28KB

                                                  Download

                                                • memory/1560-11-0x000000001BB90000-0x000000001BBA2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1560-18-0x000000001BC40000-0x000000001BC4C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                  Download

                                                • memory/1560-1-0x00000000001A0000-0x0000000000694000-memory.dmp

                                                  Filesize

                                                  5.0MB

                                                  Download

                                                • memory/1560-8-0x000000001B410000-0x000000001B426000-memory.dmp

                                                  Filesize

                                                  88KB

                                                  Download

                                                • memory/1560-10-0x000000001BB80000-0x000000001BB8A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                  Download

                                                • memory/1560-16-0x000000001BC20000-0x000000001BC28000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/1560-13-0x000000001BBA0000-0x000000001BBAA000-memory.dmp

                                                  Filesize

                                                  40KB

                                                  Download

                                                • memory/1560-14-0x000000001BBB0000-0x000000001BBBE000-memory.dmp

                                                  Filesize

                                                  56KB

                                                  Download

                                                • memory/1560-15-0x000000001BC10000-0x000000001BC1E000-memory.dmp

                                                  Filesize

                                                  56KB

                                                  Download

                                                • memory/1560-12-0x000000001C140000-0x000000001C668000-memory.dmp

                                                  Filesize

                                                  5.2MB

                                                  Download

                                                • memory/1560-63-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/1560-0-0x00007FFFE0C63000-0x00007FFFE0C65000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/1560-17-0x000000001BC30000-0x000000001BC38000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/1560-9-0x000000001BB70000-0x000000001BB80000-memory.dmp

                                                  Filesize

                                                  64KB

                                                  Download

                                                • memory/1560-7-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

                                                  Filesize

                                                  64KB

                                                  Download

                                                • memory/1560-6-0x0000000000E90000-0x0000000000E98000-memory.dmp

                                                  Filesize

                                                  32KB

                                                  Download

                                                • memory/1560-5-0x000000001BBC0000-0x000000001BC10000-memory.dmp

                                                  Filesize

                                                  320KB

                                                  Download

                                                • memory/1560-4-0x0000000002800000-0x000000000281C000-memory.dmp

                                                  Filesize

                                                  112KB

                                                  Download

                                                • memory/1560-3-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/1560-2-0x000000001B440000-0x000000001B56E000-memory.dmp

                                                  Filesize

                                                  1.2MB

                                                  Download

                                                • memory/4516-73-0x0000016DDEF50000-0x0000016DDEF72000-memory.dmp

                                                  Filesize

                                                  136KB

                                                  Download