Overview

overview

10

Static

static

3

16f636ea86...00.exe

windows7-x64

10

16f636ea86...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2024 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe

  • Size

    4.9MB

  • MD5

    d6c32cc92aff05247e665fec5d1ca5ed

  • SHA1

    864e040db2c99477669bbe45261d8d93ebdba021

  • SHA256

    16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00

  • SHA512

    b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96

  • SSDEEP

    49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8O:2

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • Colibri family
    colibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 12 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 38 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 12 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 12 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe
    "C:\Users\Admin\AppData\Local\Temp\16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3380
    • C:\Users\Admin\AppData\Local\Temp\tmpB0B6.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB0B6.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Users\Admin\AppData\Local\Temp\tmpB0B6.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpB0B6.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:1640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3336
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4824
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ormE6XssLV.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3572
        • C:\Recovery\WindowsRE\MusNotification.exe
          "C:\Recovery\WindowsRE\MusNotification.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1112
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\948c3343-6c52-4f09-ac7a-57e1a398901d.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4188
            • C:\Recovery\WindowsRE\MusNotification.exe
              C:\Recovery\WindowsRE\MusNotification.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4612
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\520c9e21-103f-409c-b5f5-7038e980e50d.vbs"
                6⤵
                  PID:1552
                  • C:\Recovery\WindowsRE\MusNotification.exe
                    C:\Recovery\WindowsRE\MusNotification.exe
                    7⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:3464
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2db6a07-59d3-4b1b-bc0d-ab10e2ae74d8.vbs"
                      8⤵
                        PID:4792
                        • C:\Recovery\WindowsRE\MusNotification.exe
                          C:\Recovery\WindowsRE\MusNotification.exe
                          9⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:2896
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61dce134-aa6a-499b-bdfc-a74d5b0ad42c.vbs"
                            10⤵
                              PID:2544
                              • C:\Recovery\WindowsRE\MusNotification.exe
                                C:\Recovery\WindowsRE\MusNotification.exe
                                11⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:4144
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05602ed2-8a80-4193-8cfe-b1a2c414a9c9.vbs"
                                  12⤵
                                    PID:4476
                                    • C:\Recovery\WindowsRE\MusNotification.exe
                                      C:\Recovery\WindowsRE\MusNotification.exe
                                      13⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:1756
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06011895-0ba7-4d4b-bc04-14f65f36d5bb.vbs"
                                        14⤵
                                          PID:3392
                                          • C:\Recovery\WindowsRE\MusNotification.exe
                                            C:\Recovery\WindowsRE\MusNotification.exe
                                            15⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:3068
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6768cd8-48fd-4a68-a1da-5f86ce3af577.vbs"
                                              16⤵
                                                PID:3924
                                                • C:\Recovery\WindowsRE\MusNotification.exe
                                                  C:\Recovery\WindowsRE\MusNotification.exe
                                                  17⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:3100
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83097527-ad53-4c07-81c5-a5bdae432ce4.vbs"
                                                    18⤵
                                                      PID:5020
                                                      • C:\Recovery\WindowsRE\MusNotification.exe
                                                        C:\Recovery\WindowsRE\MusNotification.exe
                                                        19⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:1736
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a24da2e-a063-428c-80f6-e6c144c57350.vbs"
                                                          20⤵
                                                            PID:3516
                                                            • C:\Recovery\WindowsRE\MusNotification.exe
                                                              C:\Recovery\WindowsRE\MusNotification.exe
                                                              21⤵
                                                              • UAC bypass
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:4876
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b2e5800-724f-4bd2-9bb1-365b3b214f7f.vbs"
                                                                22⤵
                                                                  PID:1620
                                                                  • C:\Recovery\WindowsRE\MusNotification.exe
                                                                    C:\Recovery\WindowsRE\MusNotification.exe
                                                                    23⤵
                                                                    • UAC bypass
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:4432
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e368430-b5f5-4d16-90b1-6829f03775c9.vbs"
                                                                      24⤵
                                                                        PID:4540
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8c914b1-611a-494a-9739-54d6b4613f2c.vbs"
                                                                        24⤵
                                                                          PID:2160
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpD42E.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpD42E.tmp.exe"
                                                                          24⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:4924
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpD42E.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpD42E.tmp.exe"
                                                                            25⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:3684
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpD42E.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmpD42E.tmp.exe"
                                                                              26⤵
                                                                              • Executes dropped EXE
                                                                              PID:3924
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbd910bf-3009-4eb3-869c-0c1094f88d5b.vbs"
                                                                      22⤵
                                                                        PID:4912
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpA195.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpA195.tmp.exe"
                                                                        22⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:4460
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpA195.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpA195.tmp.exe"
                                                                          23⤵
                                                                          • Executes dropped EXE
                                                                          PID:4372
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\487a58bd-cfed-42f1-a190-0d0d7a1125dc.vbs"
                                                                    20⤵
                                                                      PID:916
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp712F.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp712F.tmp.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3472
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp712F.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp712F.tmp.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        PID:672
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c93fcffe-fadb-4c4d-969a-01b93de3a4e5.vbs"
                                                                  18⤵
                                                                    PID:2824
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp40D8.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp40D8.tmp.exe"
                                                                    18⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2020
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp40D8.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp40D8.tmp.exe"
                                                                      19⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3468
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp40D8.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp40D8.tmp.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        PID:1852
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc0752c5-2d75-402a-9f08-2a749917146f.vbs"
                                                                16⤵
                                                                  PID:224
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp1246.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp1246.tmp.exe"
                                                                  16⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:4444
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp1246.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp1246.tmp.exe"
                                                                    17⤵
                                                                    • Executes dropped EXE
                                                                    PID:4068
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9f22a97-8c89-4be5-b3ce-b893414faef0.vbs"
                                                              14⤵
                                                                PID:1008
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpE0D6.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpE0D6.tmp.exe"
                                                                14⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2944
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpE0D6.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpE0D6.tmp.exe"
                                                                  15⤵
                                                                  • Executes dropped EXE
                                                                  PID:3464
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59083f02-f690-4956-93bf-d36f4b6430aa.vbs"
                                                            12⤵
                                                              PID:1000
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpAFD3.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpAFD3.tmp.exe"
                                                              12⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2160
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpAFD3.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpAFD3.tmp.exe"
                                                                13⤵
                                                                • Executes dropped EXE
                                                                PID:4668
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f7d6598-a5c6-4c94-bba9-2cc2b8dc487d.vbs"
                                                          10⤵
                                                            PID:3148
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp7F1E.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp7F1E.tmp.exe"
                                                            10⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4772
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp7F1E.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp7F1E.tmp.exe"
                                                              11⤵
                                                              • Executes dropped EXE
                                                              PID:3512
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ca2710-e45a-47e6-8df8-f795a1f8dcb0.vbs"
                                                        8⤵
                                                          PID:3572
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp4EF6.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp4EF6.tmp.exe"
                                                          8⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1688
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp4EF6.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp4EF6.tmp.exe"
                                                            9⤵
                                                            • Executes dropped EXE
                                                            PID:3092
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ef4d1d-9c1c-4f03-b515-8997e04aeffb.vbs"
                                                      6⤵
                                                        PID:4632
                                                      • C:\Users\Admin\AppData\Local\Temp\tmpB36.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmpB36.tmp.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:4652
                                                        • C:\Users\Admin\AppData\Local\Temp\tmpB36.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmpB36.tmp.exe"
                                                          7⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1584
                                                          • C:\Users\Admin\AppData\Local\Temp\tmpB36.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmpB36.tmp.exe"
                                                            8⤵
                                                            • Executes dropped EXE
                                                            PID:4688
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9e2f1ca-b765-45be-a237-ff9e4feade12.vbs"
                                                    4⤵
                                                      PID:3832
                                                    • C:\Users\Admin\AppData\Local\Temp\tmpDB8B.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmpDB8B.tmp.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2544
                                                      • C:\Users\Admin\AppData\Local\Temp\tmpDB8B.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmpDB8B.tmp.exe"
                                                        5⤵
                                                        • Executes dropped EXE
                                                        PID:468
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\uk-UA\Registry.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3812
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\uk-UA\Registry.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4528
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\uk-UA\Registry.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:5028
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3772
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1896
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:432
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:228
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4884
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:5060
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1172
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4688
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2688
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2852
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2076
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4680
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RuntimeBroker.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:4880
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2896
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3808

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXB182.tmp
                                                Filesize

                                                4.9MB

                                                MD5

                                                c79763edb571a2b7ebe67bed1209134b

                                                SHA1

                                                f3ca654c6fd1efa8b4a1ecd1bea44370ce9a2e57

                                                SHA256

                                                7c54127ffac19a676be8c5742d2ce92a5eb061622f7d1326cf34d8f599e6e202

                                                SHA512

                                                097ced4451dc41b8da7f78fcafa680cc18a08112f8be7d336a466c7c2db92805ab45f6b3d1f80b8987044053d7d6e1335d3d67957a281ebf8c2419105390ed29

                                                Download Submit

                                              • C:\Program Files (x86)\Microsoft\RuntimeBroker.exe
                                                Filesize

                                                4.9MB

                                                MD5

                                                d6c32cc92aff05247e665fec5d1ca5ed

                                                SHA1

                                                864e040db2c99477669bbe45261d8d93ebdba021

                                                SHA256

                                                16f636ea86a82e9ad76a03985b026b75de31c14d5d6aec9a44d88f518f636f00

                                                SHA512

                                                b03a5e8bfa50e1c559d72f912168e56aa93f6d545554e84db723261744ed2c308cca6cb1602a731d00787a1319b44fd326fd5704ba207850a0981ea42fceef96

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MusNotification.exe.log
                                                Filesize

                                                1KB

                                                MD5

                                                4a667f150a4d1d02f53a9f24d89d53d1

                                                SHA1

                                                306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                SHA256

                                                414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                SHA512

                                                4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                Filesize

                                                2KB

                                                MD5

                                                d85ba6ff808d9e5444a4b369f5bc2730

                                                SHA1

                                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                                SHA256

                                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                SHA512

                                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                6d3e9c29fe44e90aae6ed30ccf799ca8

                                                SHA1

                                                c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                                SHA256

                                                2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                                SHA512

                                                60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                d28a889fd956d5cb3accfbaf1143eb6f

                                                SHA1

                                                157ba54b365341f8ff06707d996b3635da8446f7

                                                SHA256

                                                21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                SHA512

                                                0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                bd5940f08d0be56e65e5f2aaf47c538e

                                                SHA1

                                                d7e31b87866e5e383ab5499da64aba50f03e8443

                                                SHA256

                                                2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                SHA512

                                                c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                cadef9abd087803c630df65264a6c81c

                                                SHA1

                                                babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                SHA256

                                                cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                SHA512

                                                7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                Filesize

                                                944B

                                                MD5

                                                5f0ddc7f3691c81ee14d17b419ba220d

                                                SHA1

                                                f0ef5fde8bab9d17c0b47137e014c91be888ee53

                                                SHA256

                                                a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                                                SHA512

                                                2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\05602ed2-8a80-4193-8cfe-b1a2c414a9c9.vbs
                                                Filesize

                                                717B

                                                MD5

                                                0ec85c38e8e6531b7627a7696813e045

                                                SHA1

                                                2f91f945b65ac12d122ca613119e585cd99cdb82

                                                SHA256

                                                2cbd549b34aadb39bf9a2aba2e596131d77f7bda4c141199efe63db59a03128d

                                                SHA512

                                                d95fe96b52339d89498311f0aaeeb11341a554510c7ba9dcb553fd24ad55df72f5ec152df54c1961d00096bad75aed7021a5a42821b6c58e86eb8f22d85e281a

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\06011895-0ba7-4d4b-bc04-14f65f36d5bb.vbs
                                                Filesize

                                                717B

                                                MD5

                                                10675caa8b05c1fa9619a155afeca755

                                                SHA1

                                                534ec22f0090e6cf6ead27e7d2e69810c5e60bb3

                                                SHA256

                                                bc5e970ca371b965e9877aa8445299d28e8a06f65565788ceba02509ae6fe667

                                                SHA512

                                                5d34d48bb984b03d21141bf035ebf673f348e6034eeff335137bc4ca60efbf2e08dcf28663e0294d0ae154f37739ad551a931167fd77009ac6ad9058e2d8aafb

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\520c9e21-103f-409c-b5f5-7038e980e50d.vbs
                                                Filesize

                                                717B

                                                MD5

                                                36acfc736eff62e80bce5619d89dd83e

                                                SHA1

                                                56a2d7ed2e7eb76bbef5b06cc9d83375ed753216

                                                SHA256

                                                2f5bd712c2722f70a655bc456f1768121d4a06a5131534f625402d04359eccec

                                                SHA512

                                                a52223e4be9ef053f020c139a7070309521cb090e25a74a9f143b511f49c1f1cd0d48a4ffa06ee9185a1f827f553f2c5a7228e5529e5c559a4857351f35f141c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\61dce134-aa6a-499b-bdfc-a74d5b0ad42c.vbs
                                                Filesize

                                                717B

                                                MD5

                                                f67bcc7dd22a009ebab5088c99516533

                                                SHA1

                                                f5ed9a7229e2474c42b6abb3c66b5a156e531934

                                                SHA256

                                                19f975f5d357ce45c2111ec41b7f615eb04bc5a3145e088c68b1a103e484ef33

                                                SHA512

                                                f7725835cfa8fe93735607f691c9d35945279513aa1535d9fc9f45d7aa6d2c0c17756e6ac7235283cb25dd8dc877bab384bfa0b371c899dc4d24d75ea70396ee

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\948c3343-6c52-4f09-ac7a-57e1a398901d.vbs
                                                Filesize

                                                717B

                                                MD5

                                                0fcab2d01a9789b9ecf380787b804900

                                                SHA1

                                                9ca53b9c11ff9e83dded6fc752b277c4a658ecff

                                                SHA256

                                                a27d8ce1aa485ea79e20b1b36c133e4bddffdcb47e62469f160048ed4716117f

                                                SHA512

                                                cfdca3901314e4a2bea38bfe2b6a47dec7d5bf5c3a769ba0bc58f00a9083529de0358ba7cce4e254c6396b8c8c55887b9564a79aa12ffeb310bad0be1597c72e

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mz15e0ar.ds0.ps1
                                                Filesize

                                                60B

                                                MD5

                                                d17fe0a3f47be24a6453e9ef58c94641

                                                SHA1

                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                SHA256

                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                SHA512

                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\d9e2f1ca-b765-45be-a237-ff9e4feade12.vbs
                                                Filesize

                                                493B

                                                MD5

                                                8dd3b2cccb2f3b39cf9e4632fba43680

                                                SHA1

                                                f279d0d12dac4281cfd2df8a37e29c275d733247

                                                SHA256

                                                8a9d3fdb15a3be94ec3c1752c2bb87d7dc3d685702091303701e5242c7e9341b

                                                SHA512

                                                6172403883b3d308ef3f22472a44523d8b6aa7238b0a19000dbcac922175f4f57e47e7e9dda853ec80b5756834bf1c50d1399fb6b6ec0fe94686c9e7955c5345

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\e2db6a07-59d3-4b1b-bc0d-ab10e2ae74d8.vbs
                                                Filesize

                                                717B

                                                MD5

                                                fd42337f528acc2c8355c6cc6a9c87b8

                                                SHA1

                                                b34336c9a662950a631ea016ed2ae52ea634ec55

                                                SHA256

                                                b1768557baa5b9bb131ca46a4e6d18ceeb1132d2386d78cf84092853554d3962

                                                SHA512

                                                66cb5e05cf1fb6c24f022236f168453d5306bf14e46368120813907df4b86786932484fae0d1d2f98d38cbf3498afcf21210759193defcda50d9be93ff23691d

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\f6768cd8-48fd-4a68-a1da-5f86ce3af577.vbs
                                                Filesize

                                                717B

                                                MD5

                                                6a1cc41d75578c9f5a935b49a50d55b6

                                                SHA1

                                                35970c32b5196078c84a121e766fe40102747517

                                                SHA256

                                                c6392a15208cbb9d9959b445a12416f7cff4847dd2af5b12316d223bd084792d

                                                SHA512

                                                26c6c1b5cdffe89016df450e5ece1f65ccb3c439edc46f6f68451dc37c57b64a6b4ee5b66b4728a794bb59cdee1a184a369660dc3a0f4fe1a805d016b815de8f

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\ormE6XssLV.bat
                                                Filesize

                                                206B

                                                MD5

                                                dfd9cfebbe3b135123e400d9b924ce03

                                                SHA1

                                                b897e043987b3a7ea2cff9a6eb2685cea58254c9

                                                SHA256

                                                52650e2355dfea45f347ae61414d50eae46338e5983ee9d1f85b1fb8bbf406a0

                                                SHA512

                                                5d647beea74b6b209bc7dc0b78609d6454b226e0ce382981bb56ae1f969738f614c312f01b867fe4a0d53730eac6751cefda03f0fe117c7a6f7e80b635053850

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\tmpB0B6.tmp.exe
                                                Filesize

                                                75KB

                                                MD5

                                                e0a68b98992c1699876f818a22b5b907

                                                SHA1

                                                d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                SHA256

                                                2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                SHA512

                                                856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                Download Submit

                                              • memory/1640-70-0x0000000000400000-0x0000000000407000-memory.dmp

                                                Filesize

                                                28KB

                                                Download

                                              • memory/2896-293-0x000000001C250000-0x000000001C262000-memory.dmp

                                                Filesize

                                                72KB

                                                Download

                                              • memory/3068-363-0x000000001BB60000-0x000000001BB72000-memory.dmp

                                                Filesize

                                                72KB

                                                Download

                                              • memory/3380-14-0x000000001C980000-0x000000001C98E000-memory.dmp

                                                Filesize

                                                56KB

                                                Download

                                              • memory/3380-91-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/3380-5-0x000000001C1C0000-0x000000001C210000-memory.dmp

                                                Filesize

                                                320KB

                                                Download

                                              • memory/3380-16-0x000000001C9A0000-0x000000001C9A8000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3380-18-0x000000001CAC0000-0x000000001CACC000-memory.dmp

                                                Filesize

                                                48KB

                                                Download

                                              • memory/3380-15-0x000000001C990000-0x000000001C99E000-memory.dmp

                                                Filesize

                                                56KB

                                                Download

                                              • memory/3380-13-0x000000001C970000-0x000000001C97A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3380-12-0x000000001CEA0000-0x000000001D3C8000-memory.dmp

                                                Filesize

                                                5.2MB

                                                Download

                                              • memory/3380-11-0x000000001C960000-0x000000001C972000-memory.dmp

                                                Filesize

                                                72KB

                                                Download

                                              • memory/3380-7-0x000000001C180000-0x000000001C190000-memory.dmp

                                                Filesize

                                                64KB

                                                Download

                                              • memory/3380-17-0x000000001C9B0000-0x000000001C9B8000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3380-9-0x000000001C1B0000-0x000000001C1C0000-memory.dmp

                                                Filesize

                                                64KB

                                                Download

                                              • memory/3380-10-0x000000001C950000-0x000000001C95A000-memory.dmp

                                                Filesize

                                                40KB

                                                Download

                                              • memory/3380-1-0x0000000000F20000-0x0000000001414000-memory.dmp

                                                Filesize

                                                5.0MB

                                                Download

                                              • memory/3380-8-0x000000001C190000-0x000000001C1A6000-memory.dmp

                                                Filesize

                                                88KB

                                                Download

                                              • memory/3380-6-0x000000001C170000-0x000000001C178000-memory.dmp

                                                Filesize

                                                32KB

                                                Download

                                              • memory/3380-0-0x00007FFE0B013000-0x00007FFE0B015000-memory.dmp

                                                Filesize

                                                8KB

                                                Download

                                              • memory/3380-4-0x0000000003620000-0x000000000363C000-memory.dmp

                                                Filesize

                                                112KB

                                                Download

                                              • memory/3380-3-0x000000001C220000-0x000000001C34E000-memory.dmp

                                                Filesize

                                                1.2MB

                                                Download

                                              • memory/3380-2-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

                                                Filesize

                                                10.8MB

                                                Download

                                              • memory/4432-434-0x000000001C880000-0x000000001C892000-memory.dmp

                                                Filesize

                                                72KB

                                                Download

                                              • memory/4612-243-0x0000000002F90000-0x0000000002FA2000-memory.dmp

                                                Filesize

                                                72KB

                                                Download

                                              • memory/4632-92-0x0000019B60100000-0x0000019B60122000-memory.dmp

                                                Filesize

                                                136KB

                                                Download