Overview

overview

10

Static

static

3

e986cebe9f...6N.exe

windows7-x64

10

e986cebe9f...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe

  • Size

    4.9MB

  • MD5

    c1757f1892079f80e08372461f2bbf30

  • SHA1

    0e0f61b61d3de07e3026b6742fb4a182625d0af4

  • SHA256

    e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26

  • SHA512

    0e971ae529960d59ddacbda72f5dbf9b6e03cfb2666b3fc986c39d58690266b830257de77ee256601aad909e86cc1e8d77ef45bb365d9a2c29f5dfc813d5826a

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • Colibri family
    colibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 39 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 13 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 41 IoCs
  • Checks whether UAC is enabled 1 TTPs 26 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 12 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 39 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe
    "C:\Users\Admin\AppData\Local\Temp\e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26N.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:728
    • C:\Users\Admin\AppData\Local\Temp\tmpCB82.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpCB82.tmp.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Users\Admin\AppData\Local\Temp\tmpCB82.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpCB82.tmp.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1032
        • C:\Users\Admin\AppData\Local\Temp\tmpCB82.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmpCB82.tmp.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4052
          • C:\Users\Admin\AppData\Local\Temp\tmpCB82.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmpCB82.tmp.exe"
            5⤵
            • Executes dropped EXE
            PID:216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4072
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3276
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sK8cVNSNLn.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1108
        • C:\Users\All Users\Oracle\Java\SearchApp.exe
          "C:\Users\All Users\Oracle\Java\SearchApp.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2644
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1fdbc38-db11-4b72-81aa-fdc3878d32b1.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4288
            • C:\Users\All Users\Oracle\Java\SearchApp.exe
              "C:\Users\All Users\Oracle\Java\SearchApp.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:5068
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef301b07-e008-466e-8269-4e60f8748e22.vbs"
                6⤵
                  PID:1100
                  • C:\Users\All Users\Oracle\Java\SearchApp.exe
                    "C:\Users\All Users\Oracle\Java\SearchApp.exe"
                    7⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:2340
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ce89bbe-96f9-43d9-b7e2-85d008c27c14.vbs"
                      8⤵
                        PID:4316
                        • C:\Users\All Users\Oracle\Java\SearchApp.exe
                          "C:\Users\All Users\Oracle\Java\SearchApp.exe"
                          9⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:3936
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba255bf3-1fd1-4cdd-b1c4-6ee1ebbfbf07.vbs"
                            10⤵
                              PID:4544
                              • C:\Users\All Users\Oracle\Java\SearchApp.exe
                                "C:\Users\All Users\Oracle\Java\SearchApp.exe"
                                11⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:988
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e400c08e-fbaa-40b9-a61c-4eb2bbd7d49c.vbs"
                                  12⤵
                                    PID:4072
                                    • C:\Users\All Users\Oracle\Java\SearchApp.exe
                                      "C:\Users\All Users\Oracle\Java\SearchApp.exe"
                                      13⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:1524
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73a4df45-97ae-4767-8ef6-11a21ac37f7c.vbs"
                                        14⤵
                                          PID:5000
                                          • C:\Users\All Users\Oracle\Java\SearchApp.exe
                                            "C:\Users\All Users\Oracle\Java\SearchApp.exe"
                                            15⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:4796
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffc4f061-5a5e-44e1-9658-054a59a2dad6.vbs"
                                              16⤵
                                                PID:3644
                                                • C:\Users\All Users\Oracle\Java\SearchApp.exe
                                                  "C:\Users\All Users\Oracle\Java\SearchApp.exe"
                                                  17⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:3048
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b0f3533-b775-451e-8a4c-261bd2591262.vbs"
                                                    18⤵
                                                      PID:3912
                                                      • C:\Users\All Users\Oracle\Java\SearchApp.exe
                                                        "C:\Users\All Users\Oracle\Java\SearchApp.exe"
                                                        19⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:2724
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6507580e-50f5-4fda-ad0a-328b28643324.vbs"
                                                          20⤵
                                                            PID:992
                                                            • C:\Users\All Users\Oracle\Java\SearchApp.exe
                                                              "C:\Users\All Users\Oracle\Java\SearchApp.exe"
                                                              21⤵
                                                              • UAC bypass
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:556
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73224d36-6903-4ba5-9750-001986d5c286.vbs"
                                                                22⤵
                                                                  PID:3984
                                                                  • C:\Users\All Users\Oracle\Java\SearchApp.exe
                                                                    "C:\Users\All Users\Oracle\Java\SearchApp.exe"
                                                                    23⤵
                                                                    • UAC bypass
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:2712
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\117d55b1-d0d9-4e8f-ab0f-2a8a375509a1.vbs"
                                                                      24⤵
                                                                        PID:672
                                                                        • C:\Users\All Users\Oracle\Java\SearchApp.exe
                                                                          "C:\Users\All Users\Oracle\Java\SearchApp.exe"
                                                                          25⤵
                                                                          • UAC bypass
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Checks whether UAC is enabled
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • System policy modification
                                                                          PID:4292
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\201b97d6-8b9e-4f35-8ffd-cb5143920695.vbs"
                                                                            26⤵
                                                                              PID:3528
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0193e7e-d047-4753-a993-8e0b8fa32ee0.vbs"
                                                                              26⤵
                                                                                PID:828
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12573d23-9c44-4034-bdd3-2d17f9eda035.vbs"
                                                                            24⤵
                                                                              PID:2312
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp7834.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp7834.tmp.exe"
                                                                              24⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4060
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp7834.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp7834.tmp.exe"
                                                                                25⤵
                                                                                • Executes dropped EXE
                                                                                PID:2860
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bdaa761-1fd9-4eb7-a999-94dac6dee6d8.vbs"
                                                                          22⤵
                                                                            PID:1912
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp5C30.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp5C30.tmp.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2648
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp5C30.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp5C30.tmp.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4920
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp5C30.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp5C30.tmp.exe"
                                                                                24⤵
                                                                                • Executes dropped EXE
                                                                                PID:2644
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9482c06-7197-4200-b603-69e54648f540.vbs"
                                                                        20⤵
                                                                          PID:728
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp2B0E.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmp2B0E.tmp.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:4052
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp2B0E.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp2B0E.tmp.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            PID:1852
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0e755b2-40e8-4101-b639-0d2ba70fcdda.vbs"
                                                                      18⤵
                                                                        PID:1844
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpF77.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpF77.tmp.exe"
                                                                        18⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2868
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpF77.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpF77.tmp.exe"
                                                                          19⤵
                                                                          • Executes dropped EXE
                                                                          PID:3352
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\030a391f-a273-4d31-808c-dca27d9cc627.vbs"
                                                                    16⤵
                                                                      PID:3980
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmpDE16.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmpDE16.tmp.exe"
                                                                      16⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2972
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpDE16.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpDE16.tmp.exe"
                                                                        17⤵
                                                                        • Executes dropped EXE
                                                                        PID:1744
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac4930df-3a1c-4692-96b9-d9a183de0539.vbs"
                                                                  14⤵
                                                                    PID:3316
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe"
                                                                    14⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2800
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe"
                                                                      15⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4336
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe"
                                                                        16⤵
                                                                        • Executes dropped EXE
                                                                        PID:5044
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a66ce9ac-7a8b-4b50-9712-105f6b692bb6.vbs"
                                                                12⤵
                                                                  PID:4888
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp8EFC.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp8EFC.tmp.exe"
                                                                  12⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:212
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp8EFC.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp8EFC.tmp.exe"
                                                                    13⤵
                                                                    • Executes dropped EXE
                                                                    PID:1036
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf2bb6a3-6e28-4bdc-ba39-2c481fdaa887.vbs"
                                                              10⤵
                                                                PID:3396
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp5E57.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp5E57.tmp.exe"
                                                                10⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4508
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp5E57.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp5E57.tmp.exe"
                                                                  11⤵
                                                                  • Executes dropped EXE
                                                                  PID:3200
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70659074-277b-4571-9e66-08973591a096.vbs"
                                                            8⤵
                                                              PID:1868
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp4263.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp4263.tmp.exe"
                                                              8⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2800
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp4263.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp4263.tmp.exe"
                                                                9⤵
                                                                • Executes dropped EXE
                                                                PID:2292
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c418d4ea-28da-4142-b9fa-d303f10a04ea.vbs"
                                                          6⤵
                                                            PID:3452
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp1289.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp1289.tmp.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4660
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp1289.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp1289.tmp.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:552
                                                              • C:\Users\Admin\AppData\Local\Temp\tmp1289.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmp1289.tmp.exe"
                                                                8⤵
                                                                • Executes dropped EXE
                                                                PID:2796
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe790987-db7e-4bae-b693-c45e7b711024.vbs"
                                                        4⤵
                                                          PID:5052
                                                        • C:\Users\Admin\AppData\Local\Temp\tmpF618.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmpF618.tmp.exe"
                                                          4⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:4280
                                                          • C:\Users\Admin\AppData\Local\Temp\tmpF618.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmpF618.tmp.exe"
                                                            5⤵
                                                            • Executes dropped EXE
                                                            PID:3012
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Oracle\Java\SearchApp.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2544
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\SearchApp.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:792
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\Java\SearchApp.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1632
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\smss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:640
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1728
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\smss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3936
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\services.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:408
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1096
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3408
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:32
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2892
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:5072
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4232
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4288
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4260

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe
                                                    Filesize

                                                    4.9MB

                                                    MD5

                                                    c1757f1892079f80e08372461f2bbf30

                                                    SHA1

                                                    0e0f61b61d3de07e3026b6742fb4a182625d0af4

                                                    SHA256

                                                    e986cebe9fc35b6cc175e48a4c447fc94d85ca7f6ea0d6a400fe9db731ce8c26

                                                    SHA512

                                                    0e971ae529960d59ddacbda72f5dbf9b6e03cfb2666b3fc986c39d58690266b830257de77ee256601aad909e86cc1e8d77ef45bb365d9a2c29f5dfc813d5826a

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    4a667f150a4d1d02f53a9f24d89d53d1

                                                    SHA1

                                                    306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                    SHA256

                                                    414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                    SHA512

                                                    4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                    Filesize

                                                    2KB

                                                    MD5

                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                    SHA1

                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                    SHA256

                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                    SHA512

                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    77d622bb1a5b250869a3238b9bc1402b

                                                    SHA1

                                                    d47f4003c2554b9dfc4c16f22460b331886b191b

                                                    SHA256

                                                    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                                    SHA512

                                                    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    be9965796e35a7999ce50af07f73b631

                                                    SHA1

                                                    dde100f3f5a51fa399755fefd49da003d887742a

                                                    SHA256

                                                    6ea6a56f5d5ec6f60b5a748840eed28859f792db2e37f4c1c419e3a92fc619b3

                                                    SHA512

                                                    45369246c8f6e80fa7a3c34db98922702e5f10e67348c94bb27f5bb241ad72cecd72ff5843a2c6b47cec390a6b9c97ba3c4d4244c62b8119ce1b2ca0c3dc3e37

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    d28a889fd956d5cb3accfbaf1143eb6f

                                                    SHA1

                                                    157ba54b365341f8ff06707d996b3635da8446f7

                                                    SHA256

                                                    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                    SHA512

                                                    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    cadef9abd087803c630df65264a6c81c

                                                    SHA1

                                                    babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                    SHA256

                                                    cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                    SHA512

                                                    7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    e243a38635ff9a06c87c2a61a2200656

                                                    SHA1

                                                    ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                                                    SHA256

                                                    af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                                                    SHA512

                                                    4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                    Filesize

                                                    944B

                                                    MD5

                                                    59d97011e091004eaffb9816aa0b9abd

                                                    SHA1

                                                    1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                                                    SHA256

                                                    18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                                                    SHA512

                                                    d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\0ce89bbe-96f9-43d9-b7e2-85d008c27c14.vbs
                                                    Filesize

                                                    720B

                                                    MD5

                                                    5537ee0a0132acab92f5c288999daf6a

                                                    SHA1

                                                    6c6161768d448042eac3580a0ac1dd8199777f82

                                                    SHA256

                                                    93e1428e4424086b887dd34a599b6a54d315e0d6bd3c08fd1484489b2f23cfb5

                                                    SHA512

                                                    d9e1322489dd09b6ac90403084384a69caacbe33058522c69f44df87d2aa04e44aaed7e648d146d963471c44302fb5c1957428fc82145f451d20c0e047c6fed5

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\73a4df45-97ae-4767-8ef6-11a21ac37f7c.vbs
                                                    Filesize

                                                    720B

                                                    MD5

                                                    f2fb1bddd51c23213ff09e86e59f57da

                                                    SHA1

                                                    70ae361aa0442534b293bbaf2e09aa83c5324549

                                                    SHA256

                                                    88df8ea52b7aadcdede6a373730cfb51071a92f4296600c5b8e87456cc36eab1

                                                    SHA512

                                                    4c9a5bcf63529191e725f3818733c59c3e6ff064184be75801889e9939198567fdc80a6fa4cc73ca6f574b28e77ba186de7e07f2d8c3250e1a3ab33b93c8cd0a

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_esv1p1ph.vfz.ps1
                                                    Filesize

                                                    60B

                                                    MD5

                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                    SHA1

                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                    SHA256

                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                    SHA512

                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\ba255bf3-1fd1-4cdd-b1c4-6ee1ebbfbf07.vbs
                                                    Filesize

                                                    720B

                                                    MD5

                                                    0da8f93e9fd507ba22c56a414253dd6e

                                                    SHA1

                                                    8326e9bc286e3168da4a48ea8dc70c1c9b58f4e3

                                                    SHA256

                                                    578dc978edb44f663227ee90d337ef4f0bb0423d0adb7700f8a08ef7ec686ba6

                                                    SHA512

                                                    f4a6f29461ecd83e12793ae1bb3a8659d0fdbfd87ec2321af5343c381c74d423561d11e873b4014e993bc87c8c87965f4631d335103c16a0d9e93cdba0281169

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\e1fdbc38-db11-4b72-81aa-fdc3878d32b1.vbs
                                                    Filesize

                                                    720B

                                                    MD5

                                                    cdf38436ac1358493b84aac806285e8b

                                                    SHA1

                                                    2651b9c2e081d21d780959287fedcb7dfb2232d7

                                                    SHA256

                                                    845079dafd3578b359bc01d3675e300635d66d852c0249f42e4be1b6cb64eb84

                                                    SHA512

                                                    edf2a2738e9a5df8b89490746deaca5b47a152b731dd5477c298d9a4426c997511790f52f30df12b2d6ca44dcd65b0f4a31c6549ba8bacab72d6d62b80e07db3

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\e400c08e-fbaa-40b9-a61c-4eb2bbd7d49c.vbs
                                                    Filesize

                                                    719B

                                                    MD5

                                                    78b65aee980dae692921349b29fd0b93

                                                    SHA1

                                                    ba41c1c176bf073c404786d1ad8934b6efe105eb

                                                    SHA256

                                                    98597ebd73cc25effe3f5dd81dd69e683733b36de58bbf45e5a1e8f08813be8b

                                                    SHA512

                                                    b5c8d0035f0d256dc7a63222affd29a89fe1b898e7358ac3dc28d7c45999a609f94a70dca4ba160f331b4a26eda9e630f1e18a7401ff9d5ebecf256fb6620cbd

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\ef301b07-e008-466e-8269-4e60f8748e22.vbs
                                                    Filesize

                                                    720B

                                                    MD5

                                                    26b7bdf36123b21f3ed3aee29a3dd24d

                                                    SHA1

                                                    39c4b17e8aa79f0ba8e9b50b40def7de535b3006

                                                    SHA256

                                                    e5740217ea59593f835188f58cfc0c4a51a32508507da58dbf1d3a1d7a9bf8c3

                                                    SHA512

                                                    5e4d64fd19aecf008042d1312bee22c303d792ace83e864acb452013a1d67949741c240f46eac37b64a82a17be378781198b986dac18c9c0da987a95c5ca602b

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\fe790987-db7e-4bae-b693-c45e7b711024.vbs
                                                    Filesize

                                                    496B

                                                    MD5

                                                    10ede04cfcb519dfeb754c163fa5b0b6

                                                    SHA1

                                                    db6c3754cf6103ea28867406c80de425bac1a7dd

                                                    SHA256

                                                    146fb89cdf1bacf0efabc325b95276a181d7cdc51c6fb307aff4b396e0211969

                                                    SHA512

                                                    ca11d5bc31d0bfe245a3e9d0be4dea380c664ccb5a74f24607e1782d2692472ad070ee52a8db8fdd5b8716dc4772e1dbdf2e0c9ba6b09ae11fff062c6f51f1a2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\sK8cVNSNLn.bat
                                                    Filesize

                                                    209B

                                                    MD5

                                                    8e4caa31405ffdf453a7a79d072bb27d

                                                    SHA1

                                                    5e7e0b4e8395e4b8753e143447891e0b63585c55

                                                    SHA256

                                                    f2731ed31e476f285c155d8531d477cdd492ea64cf6262eac72e3d14724d364b

                                                    SHA512

                                                    bfb184b062f3f0a67c11be986850820195cb83d37b1961ebf3ba9d1050d79df0a0328c637cb7e0674a513327bc93334c9503a9e097daceca3c1ba5a1580267b2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\tmpCB82.tmp.exe
                                                    Filesize

                                                    75KB

                                                    MD5

                                                    e0a68b98992c1699876f818a22b5b907

                                                    SHA1

                                                    d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                    SHA256

                                                    2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                    SHA512

                                                    856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                    Download Submit

                                                  • memory/216-66-0x0000000000400000-0x0000000000407000-memory.dmp

                                                    Filesize

                                                    28KB

                                                    Download

                                                  • memory/556-411-0x000000001BF60000-0x000000001BF72000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/728-10-0x000000001BF40000-0x000000001BF4A000-memory.dmp

                                                    Filesize

                                                    40KB

                                                    Download

                                                  • memory/728-16-0x000000001BFE0000-0x000000001BFE8000-memory.dmp

                                                    Filesize

                                                    32KB

                                                    Download

                                                  • memory/728-7-0x000000001BF00000-0x000000001BF10000-memory.dmp

                                                    Filesize

                                                    64KB

                                                    Download

                                                  • memory/728-18-0x000000001C000000-0x000000001C00C000-memory.dmp

                                                    Filesize

                                                    48KB

                                                    Download

                                                  • memory/728-17-0x000000001BFF0000-0x000000001BFF8000-memory.dmp

                                                    Filesize

                                                    32KB

                                                    Download

                                                  • memory/728-12-0x000000001C4E0000-0x000000001CA08000-memory.dmp

                                                    Filesize

                                                    5.2MB

                                                    Download

                                                  • memory/728-15-0x000000001BFD0000-0x000000001BFDE000-memory.dmp

                                                    Filesize

                                                    56KB

                                                    Download

                                                  • memory/728-13-0x000000001BFB0000-0x000000001BFBA000-memory.dmp

                                                    Filesize

                                                    40KB

                                                    Download

                                                  • memory/728-8-0x000000001BF10000-0x000000001BF26000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/728-11-0x000000001BFA0000-0x000000001BFB2000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/728-0-0x00007FFFAC463000-0x00007FFFAC465000-memory.dmp

                                                    Filesize

                                                    8KB

                                                    Download

                                                  • memory/728-88-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/728-14-0x000000001BFC0000-0x000000001BFCE000-memory.dmp

                                                    Filesize

                                                    56KB

                                                    Download

                                                  • memory/728-6-0x000000001B870000-0x000000001B878000-memory.dmp

                                                    Filesize

                                                    32KB

                                                    Download

                                                  • memory/728-9-0x000000001BF30000-0x000000001BF40000-memory.dmp

                                                    Filesize

                                                    64KB

                                                    Download

                                                  • memory/728-5-0x000000001BF50000-0x000000001BFA0000-memory.dmp

                                                    Filesize

                                                    320KB

                                                    Download

                                                  • memory/728-4-0x0000000002C60000-0x0000000002C7C000-memory.dmp

                                                    Filesize

                                                    112KB

                                                    Download

                                                  • memory/728-2-0x00007FFFAC460000-0x00007FFFACF21000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                    Download

                                                  • memory/728-3-0x000000001B890000-0x000000001B9BE000-memory.dmp

                                                    Filesize

                                                    1.2MB

                                                    Download

                                                  • memory/728-1-0x0000000000560000-0x0000000000A54000-memory.dmp

                                                    Filesize

                                                    5.0MB

                                                    Download

                                                  • memory/4796-361-0x000000001B670000-0x000000001B682000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/5044-98-0x00000287AAC30000-0x00000287AAC52000-memory.dmp

                                                    Filesize

                                                    136KB

                                                    Download