Overview

overview

10

Static

static

3

f0e26d840e...f7.exe

windows7-x64

10

f0e26d840e...f7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2024 04:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe

  • Size

    4.9MB

  • MD5

    06f186fc55f38b20a7273da22fe0007a

  • SHA1

    3eae6dd2aec4dcd82864b9fbe446e85ea603784b

  • SHA256

    f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7

  • SHA512

    05ea938925775b835e347265e255372c0c2deee1d68b356836c85b93f5751fced8ca8d758ebdc745c0274c53c9c350e63cc2a8624b99aa345438b2963b2a1f37

  • SSDEEP

    49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • Colibri family
    colibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 45 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 48 IoCs
  • Checks whether UAC is enabled 1 TTPs 30 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 45 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
    "C:\Users\Admin\AppData\Local\Temp\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3468
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xwyb0BsBsO.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2756
        • C:\Recovery\WindowsRE\Idle.exe
          "C:\Recovery\WindowsRE\Idle.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3824
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5830075c-0507-443d-a276-4d9514600d8b.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2856
            • C:\Recovery\WindowsRE\Idle.exe
              C:\Recovery\WindowsRE\Idle.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3320
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57443aad-d8fc-4c7d-8a0b-8b36f00c7694.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1756
                • C:\Recovery\WindowsRE\Idle.exe
                  C:\Recovery\WindowsRE\Idle.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:4076
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dc509dc-3186-49a7-ae0a-7305eadbac67.vbs"
                    8⤵
                      PID:3960
                      • C:\Recovery\WindowsRE\Idle.exe
                        C:\Recovery\WindowsRE\Idle.exe
                        9⤵
                        • UAC bypass
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2540
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a25cc03-ff10-45a8-98c4-9b76f3dd7427.vbs"
                          10⤵
                            PID:4220
                            • C:\Recovery\WindowsRE\Idle.exe
                              C:\Recovery\WindowsRE\Idle.exe
                              11⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:3224
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80474a23-eb1c-4499-8a10-753c0477db1e.vbs"
                                12⤵
                                  PID:916
                                  • C:\Recovery\WindowsRE\Idle.exe
                                    C:\Recovery\WindowsRE\Idle.exe
                                    13⤵
                                    • UAC bypass
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2600
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b9ac389-bbe2-44d6-be13-b6d6eda30379.vbs"
                                      14⤵
                                        PID:3956
                                        • C:\Recovery\WindowsRE\Idle.exe
                                          C:\Recovery\WindowsRE\Idle.exe
                                          15⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:1044
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39a49aa0-d473-4350-bf78-e04025022f8a.vbs"
                                            16⤵
                                              PID:2336
                                              • C:\Recovery\WindowsRE\Idle.exe
                                                C:\Recovery\WindowsRE\Idle.exe
                                                17⤵
                                                • UAC bypass
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:3592
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd369ba0-8673-43e1-a2e3-11e5c5f8bd65.vbs"
                                                  18⤵
                                                    PID:4616
                                                    • C:\Recovery\WindowsRE\Idle.exe
                                                      C:\Recovery\WindowsRE\Idle.exe
                                                      19⤵
                                                      • UAC bypass
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:3392
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76239330-6d35-423c-b909-6da3b6c81b79.vbs"
                                                        20⤵
                                                          PID:2756
                                                          • C:\Recovery\WindowsRE\Idle.exe
                                                            C:\Recovery\WindowsRE\Idle.exe
                                                            21⤵
                                                            • UAC bypass
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:2408
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b7c5aeb-b984-4e9e-b894-fddc34fafc71.vbs"
                                                              22⤵
                                                                PID:1220
                                                                • C:\Recovery\WindowsRE\Idle.exe
                                                                  C:\Recovery\WindowsRE\Idle.exe
                                                                  23⤵
                                                                  • UAC bypass
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:3480
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95f96e06-f50e-4dec-b591-a042c3a9fc6e.vbs"
                                                                    24⤵
                                                                      PID:3464
                                                                      • C:\Recovery\WindowsRE\Idle.exe
                                                                        C:\Recovery\WindowsRE\Idle.exe
                                                                        25⤵
                                                                        • UAC bypass
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Modifies registry class
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:4892
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f9480c7-78d2-4e37-af91-e729ad9ec079.vbs"
                                                                          26⤵
                                                                            PID:3572
                                                                            • C:\Recovery\WindowsRE\Idle.exe
                                                                              C:\Recovery\WindowsRE\Idle.exe
                                                                              27⤵
                                                                              • UAC bypass
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Checks whether UAC is enabled
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • System policy modification
                                                                              PID:2168
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3fbde14-11fd-40a6-b299-1d80909437e1.vbs"
                                                                                28⤵
                                                                                  PID:4488
                                                                                  • C:\Recovery\WindowsRE\Idle.exe
                                                                                    C:\Recovery\WindowsRE\Idle.exe
                                                                                    29⤵
                                                                                    • UAC bypass
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Checks whether UAC is enabled
                                                                                    • Modifies registry class
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • System policy modification
                                                                                    PID:944
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\499558e6-6bc0-49c7-9f16-8b408a020876.vbs"
                                                                                      30⤵
                                                                                        PID:980
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\229fa1d6-f149-45af-a43b-694b6cc94c96.vbs"
                                                                                        30⤵
                                                                                          PID:1608
                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpCD0A.tmp.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpCD0A.tmp.exe"
                                                                                          30⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetThreadContext
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2220
                                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpCD0A.tmp.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpCD0A.tmp.exe"
                                                                                            31⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:1276
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82bbc7eb-08ae-4f9a-8533-b843d5f20df6.vbs"
                                                                                      28⤵
                                                                                        PID:4652
                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp.exe"
                                                                                        28⤵
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:2180
                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp.exe"
                                                                                          29⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetThreadContext
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2356
                                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp.exe"
                                                                                            30⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:4852
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a47db060-a831-4f58-bd56-2080e2a500eb.vbs"
                                                                                    26⤵
                                                                                      PID:440
                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp811D.tmp.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp811D.tmp.exe"
                                                                                      26⤵
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:3180
                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp811D.tmp.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp811D.tmp.exe"
                                                                                        27⤵
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:2868
                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp811D.tmp.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp811D.tmp.exe"
                                                                                          28⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetThreadContext
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:3012
                                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp811D.tmp.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp811D.tmp.exe"
                                                                                            29⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:3064
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58167827-61e6-4aa1-a995-6f6842600f68.vbs"
                                                                                  24⤵
                                                                                    PID:1348
                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp64CB.tmp.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp64CB.tmp.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of SetThreadContext
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2344
                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp64CB.tmp.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp64CB.tmp.exe"
                                                                                      25⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:3028
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afcbba59-9f45-447c-8ac7-b41dd6e7f9aa.vbs"
                                                                                22⤵
                                                                                  PID:2228
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp2159.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp2159.tmp.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3888
                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp2159.tmp.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp2159.tmp.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:3836
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4607f17e-891a-448c-a143-0f6d138854f6.vbs"
                                                                              20⤵
                                                                                PID:544
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmpF112.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmpF112.tmp.exe"
                                                                                20⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3448
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmpF112.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpF112.tmp.exe"
                                                                                  21⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:1448
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0258e453-952f-4246-9281-1abb6f4676e0.vbs"
                                                                            18⤵
                                                                              PID:1432
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpD58B.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmpD58B.tmp.exe"
                                                                              18⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:3204
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmpD58B.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmpD58B.tmp.exe"
                                                                                19⤵
                                                                                • Executes dropped EXE
                                                                                PID:3904
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b10c979-3f83-49ab-8757-cbcab9d5fba9.vbs"
                                                                          16⤵
                                                                            PID:4036
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpA505.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpA505.tmp.exe"
                                                                            16⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4952
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpA505.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmpA505.tmp.exe"
                                                                              17⤵
                                                                              • Executes dropped EXE
                                                                              PID:2792
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff72fc72-bbf7-4569-8afe-a2ddcf821ccd.vbs"
                                                                        14⤵
                                                                          PID:692
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp751B.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp751B.tmp.exe"
                                                                          14⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:1712
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp751B.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp751B.tmp.exe"
                                                                            15⤵
                                                                            • Executes dropped EXE
                                                                            PID:4960
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38540769-2dbc-4dfa-a170-73a04a033b6f.vbs"
                                                                      12⤵
                                                                        PID:3004
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp5762.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp5762.tmp.exe"
                                                                        12⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1220
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp5762.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp5762.tmp.exe"
                                                                          13⤵
                                                                          • Executes dropped EXE
                                                                          PID:3044
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9374e067-1a99-49cf-ab1b-0efad2d72a5c.vbs"
                                                                    10⤵
                                                                      PID:4016
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp274A.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp274A.tmp.exe"
                                                                      10⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:620
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp274A.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp274A.tmp.exe"
                                                                        11⤵
                                                                        • Executes dropped EXE
                                                                        PID:4112
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bda288c4-4c6f-4f6b-a7ee-9e68e838d4d8.vbs"
                                                                  8⤵
                                                                    PID:2088
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpB07.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmpB07.tmp.exe"
                                                                    8⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:5036
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmpB07.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmpB07.tmp.exe"
                                                                      9⤵
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:5108
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpB07.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpB07.tmp.exe"
                                                                        10⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2624
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpB07.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpB07.tmp.exe"
                                                                          11⤵
                                                                          • Executes dropped EXE
                                                                          PID:3404
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d063032-ada2-4942-8580-06fa90ea871b.vbs"
                                                                6⤵
                                                                  PID:456
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpEDAC.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpEDAC.tmp.exe"
                                                                  6⤵
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:3904
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpEDAC.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmpEDAC.tmp.exe"
                                                                    7⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious use of WriteProcessMemory
                                                                    PID:3984
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmpEDAC.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmpEDAC.tmp.exe"
                                                                      8⤵
                                                                      • Executes dropped EXE
                                                                      PID:4912
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18d6a13b-a1f4-430f-9dd4-ea9e3e888ea9.vbs"
                                                              4⤵
                                                                PID:2372
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpD15A.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpD15A.tmp.exe"
                                                                4⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:4744
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpD15A.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpD15A.tmp.exe"
                                                                  5⤵
                                                                  • Executes dropped EXE
                                                                  PID:760
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3016
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2872
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2368
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3304
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:4812
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
                                                          1⤵
                                                          • Process spawned unexpected child process
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:3720

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Recovery\WindowsRE\StartMenuExperienceHost.exe
                                                          Filesize

                                                          4.9MB

                                                          MD5

                                                          06f186fc55f38b20a7273da22fe0007a

                                                          SHA1

                                                          3eae6dd2aec4dcd82864b9fbe446e85ea603784b

                                                          SHA256

                                                          f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7

                                                          SHA512

                                                          05ea938925775b835e347265e255372c0c2deee1d68b356836c85b93f5751fced8ca8d758ebdc745c0274c53c9c350e63cc2a8624b99aa345438b2963b2a1f37

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log
                                                          Filesize

                                                          1KB

                                                          MD5

                                                          4a667f150a4d1d02f53a9f24d89d53d1

                                                          SHA1

                                                          306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                          SHA256

                                                          414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                          SHA512

                                                          4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                          Filesize

                                                          2KB

                                                          MD5

                                                          d85ba6ff808d9e5444a4b369f5bc2730

                                                          SHA1

                                                          31aa9d96590fff6981b315e0b391b575e4c0804a

                                                          SHA256

                                                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                          SHA512

                                                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Filesize

                                                          944B

                                                          MD5

                                                          d28a889fd956d5cb3accfbaf1143eb6f

                                                          SHA1

                                                          157ba54b365341f8ff06707d996b3635da8446f7

                                                          SHA256

                                                          21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                          SHA512

                                                          0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Filesize

                                                          944B

                                                          MD5

                                                          2e907f77659a6601fcc408274894da2e

                                                          SHA1

                                                          9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                          SHA256

                                                          385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                          SHA512

                                                          34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Filesize

                                                          944B

                                                          MD5

                                                          bd5940f08d0be56e65e5f2aaf47c538e

                                                          SHA1

                                                          d7e31b87866e5e383ab5499da64aba50f03e8443

                                                          SHA256

                                                          2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                          SHA512

                                                          c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Filesize

                                                          944B

                                                          MD5

                                                          3a6bad9528f8e23fb5c77fbd81fa28e8

                                                          SHA1

                                                          f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                          SHA256

                                                          986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                          SHA512

                                                          846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Filesize

                                                          944B

                                                          MD5

                                                          59d97011e091004eaffb9816aa0b9abd

                                                          SHA1

                                                          1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                                                          SHA256

                                                          18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                                                          SHA512

                                                          d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\18d6a13b-a1f4-430f-9dd4-ea9e3e888ea9.vbs
                                                          Filesize

                                                          482B

                                                          MD5

                                                          11f1172fac2a38230e1feb5b2845a843

                                                          SHA1

                                                          50ad29dacca77151b239c8e73abd3a74e35fb237

                                                          SHA256

                                                          56cd20337bbbeefdf49bb162f2b09f96a6ced9cee2182477ea31b80d54d01a35

                                                          SHA512

                                                          a06da5d6f7e90034f6e01b0a3f09bda175800d60eabbd9ca5570fca0aead2b849bb96482ac37053cf8f605f2e68398ea86aea0b0be267db2ce8a9180e2d00f1b

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\1b9ac389-bbe2-44d6-be13-b6d6eda30379.vbs
                                                          Filesize

                                                          706B

                                                          MD5

                                                          4e0d42fd0de304e9837d1e27c9805ff4

                                                          SHA1

                                                          d13498af3ce14d12be5c9e29cd38578f05efe10a

                                                          SHA256

                                                          aa97b53be479cd5b2b29a3121e5f583cc908415cdc4ec9c04911274b727f8214

                                                          SHA512

                                                          6df35b7c7ef46591aa0df2c4654510bf0a1f45dc8f37b47c8dec08cdfb33495d41b4b3b8c3881a6322d27f66e3fc4370afbb417cc1fdda1a10b497dfc39ad486

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\2a25cc03-ff10-45a8-98c4-9b76f3dd7427.vbs
                                                          Filesize

                                                          706B

                                                          MD5

                                                          738af3fdb403c0698a8e41c358d058c1

                                                          SHA1

                                                          9d3b0334a34230f120cb85a45d0b384da73b58d0

                                                          SHA256

                                                          d16ec8efa5cdcec149c0e5d38d45229f9b90782064dd10985b51b7256999a2e4

                                                          SHA512

                                                          a753581421eea8ce43d19f82779611a460fb19f6e29239f0999e715996e69a1d9edbf6155965f66c8f9a65e197b7c3c2e1ea8faf912e1c7acb6b143fbfa10e92

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\39a49aa0-d473-4350-bf78-e04025022f8a.vbs
                                                          Filesize

                                                          706B

                                                          MD5

                                                          be5f330cf1fd2f75ada9ddc457e641a3

                                                          SHA1

                                                          6394ffed8a9459de1457d7ca22838c31cc14960b

                                                          SHA256

                                                          371aae9a43bab3c66c656f7eadba459efd054ed57e93d480cbf5c9c7cb75b8e4

                                                          SHA512

                                                          26bea1c337d87dc28350c73b6ebee49593ed7ded4abd31d2b0a06dde6a846a95201b6e2832a9ac7c3ddfeacc2bb3c825d85867a7f544db20f3588d978320123a

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\57443aad-d8fc-4c7d-8a0b-8b36f00c7694.vbs
                                                          Filesize

                                                          706B

                                                          MD5

                                                          8dc3e262f6e8febea73ff164f89116ab

                                                          SHA1

                                                          975ab7c5031f12d851d27db9a4e1b5dc627f8b41

                                                          SHA256

                                                          6ef7a8a12851dd44f0ca6c693f26e486c45356dc55a56be9cb144b5500b79fa3

                                                          SHA512

                                                          d0fe8fd4d4c10d0e1b9ffb284860f036c4a78f09a48f16e9b2d7a6b0892bef4abcc677f9559a8507d1ba888d375a94c26ce94c5de9291ff66bbd4260379db2b4

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\5830075c-0507-443d-a276-4d9514600d8b.vbs
                                                          Filesize

                                                          706B

                                                          MD5

                                                          e5593d9f28739ad91aeb7570481fc883

                                                          SHA1

                                                          519d3fc8238b37b446bc4327cfd73d9cc6c47efc

                                                          SHA256

                                                          e8454455d8eabcd1cfafdfcceb06a53c635b9c070eb49658db51854dd1c68202

                                                          SHA512

                                                          eb95140cd4e62af98ef2a5fca08aeb4a010b6d39ed72ffa75f45349cf1e62a80cd25a7f79f77047ee17423bd8126e616eb201aa1796e47c14c10c6a92d89b4a0

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\7dc509dc-3186-49a7-ae0a-7305eadbac67.vbs
                                                          Filesize

                                                          706B

                                                          MD5

                                                          ce9ce001a7898cab7bf1910aeaf878a4

                                                          SHA1

                                                          80121ddd04a7913214585304c0df4f48d4bb3928

                                                          SHA256

                                                          37d41152587734ce19a6537c76cfd1119495c40e21e6935ba09fa90c63371d90

                                                          SHA512

                                                          929891702c4759ef124d60c80a13aa37d2bb90cfbea6919333f5fa14a4a2a2b678dc91b1305ebbf5967ad898255c41a56ee3baaa970784241fb0749cb9e58f0e

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\80474a23-eb1c-4499-8a10-753c0477db1e.vbs
                                                          Filesize

                                                          706B

                                                          MD5

                                                          7d1a76a4bae013f67815695335c321c0

                                                          SHA1

                                                          da33d892c9c925c02c76c4326cfd93c47041fa2c

                                                          SHA256

                                                          518d079417c41e271285764de6aaecb52737061490a652d0ffdecf31c75ac09e

                                                          SHA512

                                                          a1c6fe879c7e4c5bd5cc075a469fa80b9bb0f69d09733f999a7fbf27a5c5204281b1876a9c89cf6f5c8e3806a450ac3f033128235b407e1aaf57527f01188873

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\Xwyb0BsBsO.bat
                                                          Filesize

                                                          195B

                                                          MD5

                                                          e62dcd2208bd9e3b53825eef6c7ae32f

                                                          SHA1

                                                          6d8882549276212c4fe179808927c2f3caba3656

                                                          SHA256

                                                          cbb30913ef8aa809add3cbd8abb4d4aac507e3a79baafadce8475907bb835232

                                                          SHA512

                                                          35eb28ac347a319723bd96d56d317facc621698d7d01775735049d6822432af11253a96a627b51f126c740a3f3477959f8272888b845e7e2e1c605490e329c39

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dgljdpxv.zah.ps1
                                                          Filesize

                                                          60B

                                                          MD5

                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                          SHA1

                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                          SHA256

                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                          SHA512

                                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\tmpD15A.tmp.exe
                                                          Filesize

                                                          75KB

                                                          MD5

                                                          e0a68b98992c1699876f818a22b5b907

                                                          SHA1

                                                          d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                          SHA256

                                                          2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                          SHA512

                                                          856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                          Download Submit

                                                        • memory/760-192-0x0000000000400000-0x0000000000407000-memory.dmp

                                                          Filesize

                                                          28KB

                                                          Download

                                                        • memory/1044-344-0x000000001CB00000-0x000000001CC02000-memory.dmp

                                                          Filesize

                                                          1.0MB

                                                          Download

                                                        • memory/1312-5-0x000000001B490000-0x000000001B4E0000-memory.dmp

                                                          Filesize

                                                          320KB

                                                          Download

                                                        • memory/1312-16-0x000000001B670000-0x000000001B678000-memory.dmp

                                                          Filesize

                                                          32KB

                                                          Download

                                                        • memory/1312-45-0x00007FFCBBE70000-0x00007FFCBC931000-memory.dmp

                                                          Filesize

                                                          10.8MB

                                                          Download

                                                        • memory/1312-11-0x000000001B630000-0x000000001B642000-memory.dmp

                                                          Filesize

                                                          72KB

                                                          Download

                                                        • memory/1312-10-0x000000001B4E0000-0x000000001B4EA000-memory.dmp

                                                          Filesize

                                                          40KB

                                                          Download

                                                        • memory/1312-8-0x000000001B460000-0x000000001B476000-memory.dmp

                                                          Filesize

                                                          88KB

                                                          Download

                                                        • memory/1312-9-0x000000001B480000-0x000000001B490000-memory.dmp

                                                          Filesize

                                                          64KB

                                                          Download

                                                        • memory/1312-6-0x000000001B440000-0x000000001B448000-memory.dmp

                                                          Filesize

                                                          32KB

                                                          Download

                                                        • memory/1312-7-0x000000001B450000-0x000000001B460000-memory.dmp

                                                          Filesize

                                                          64KB

                                                          Download

                                                        • memory/1312-12-0x000000001C1C0000-0x000000001C6E8000-memory.dmp

                                                          Filesize

                                                          5.2MB

                                                          Download

                                                        • memory/1312-13-0x000000001B640000-0x000000001B64A000-memory.dmp

                                                          Filesize

                                                          40KB

                                                          Download

                                                        • memory/1312-17-0x000000001BC90000-0x000000001BC98000-memory.dmp

                                                          Filesize

                                                          32KB

                                                          Download

                                                        • memory/1312-18-0x000000001BDA0000-0x000000001BDAC000-memory.dmp

                                                          Filesize

                                                          48KB

                                                          Download

                                                        • memory/1312-4-0x0000000002740000-0x000000000275C000-memory.dmp

                                                          Filesize

                                                          112KB

                                                          Download

                                                        • memory/1312-0-0x00007FFCBBE73000-0x00007FFCBBE75000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/1312-14-0x000000001B650000-0x000000001B65E000-memory.dmp

                                                          Filesize

                                                          56KB

                                                          Download

                                                        • memory/1312-3-0x000000001B500000-0x000000001B62E000-memory.dmp

                                                          Filesize

                                                          1.2MB

                                                          Download

                                                        • memory/1312-15-0x000000001B660000-0x000000001B66E000-memory.dmp

                                                          Filesize

                                                          56KB

                                                          Download

                                                        • memory/1312-1-0x0000000000200000-0x00000000006F4000-memory.dmp

                                                          Filesize

                                                          5.0MB

                                                          Download

                                                        • memory/1312-2-0x00007FFCBBE70000-0x00007FFCBC931000-memory.dmp

                                                          Filesize

                                                          10.8MB

                                                          Download

                                                        • memory/2408-396-0x000000001D2E0000-0x000000001D3E2000-memory.dmp

                                                          Filesize

                                                          1.0MB

                                                          Download

                                                        • memory/2408-397-0x000000001D2E0000-0x000000001D3E2000-memory.dmp

                                                          Filesize

                                                          1.0MB

                                                          Download

                                                        • memory/2600-321-0x000000001C610000-0x000000001C712000-memory.dmp

                                                          Filesize

                                                          1.0MB

                                                          Download

                                                        • memory/3224-297-0x000000001CC50000-0x000000001CD52000-memory.dmp

                                                          Filesize

                                                          1.0MB

                                                          Download

                                                        • memory/3392-379-0x000000001D080000-0x000000001D182000-memory.dmp

                                                          Filesize

                                                          1.0MB

                                                          Download

                                                        • memory/3480-414-0x000000001CA30000-0x000000001CB32000-memory.dmp

                                                          Filesize

                                                          1.0MB

                                                          Download

                                                        • memory/3592-345-0x000000001B550000-0x000000001B562000-memory.dmp

                                                          Filesize

                                                          72KB

                                                          Download

                                                        • memory/3592-362-0x000000001BF60000-0x000000001C062000-memory.dmp

                                                          Filesize

                                                          1.0MB

                                                          Download

                                                        • memory/4632-70-0x00000273385B0000-0x00000273385D2000-memory.dmp

                                                          Filesize

                                                          136KB

                                                          Download