Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-12-2024 00:20

General

  • Target

    0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe

  • Size

    4.9MB

  • MD5

    613c17af7e79ea0696b12a8d2a4b99e0

  • SHA1

    3c1fa83f993484fffb9def759879c320750d8ddc

  • SHA256

    0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003

  • SHA512

    3ccc372ca5dc7ca97f6050ae8b42c3b0d839bda5c8237b256a443e9246fa0fc36d256d6ae5b001d298f5e9253a98f68edce0c652d2a9f85bc7af542c00c52f15

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Extracted

  • Family
    colibri
  • Version
    1.2.0
  • Botnet
    Build1
  • C2
    http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
    http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
  • rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

  • Colibri family
  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 12 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 35 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 12 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3336
    • C:\Users\Admin\AppData\Local\Temp\tmpBB34.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBB34.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Users\Admin\AppData\Local\Temp\tmpBB34.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpBB34.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:4700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:2228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4864
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ea0WjfTxms.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4112
        • C:\Recovery\WindowsRE\lsass.exe
          "C:\Recovery\WindowsRE\lsass.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2272
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735e11f6-66fb-4bff-a033-7547699e771a.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\Recovery\WindowsRE\lsass.exe
              C:\Recovery\WindowsRE\lsass.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4356
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d294a61-6e22-47e1-b804-0a1cabd4ba5d.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:348
                • C:\Recovery\WindowsRE\lsass.exe
                  C:\Recovery\WindowsRE\lsass.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:4368
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d2a3620-5b96-47e8-b1c5-1f51cce7d551.vbs"
                    8⤵
                      PID:3376
                      • C:\Recovery\WindowsRE\lsass.exe
                        C:\Recovery\WindowsRE\lsass.exe
                        9⤵
                        • UAC bypass
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:3144
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de05ee62-26b6-49fa-99a1-107ccb2716bc.vbs"
                          10⤵
                            PID:1344
                            • C:\Recovery\WindowsRE\lsass.exe
                              C:\Recovery\WindowsRE\lsass.exe
                              11⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:5048
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\362eddf0-7a99-4455-a0c3-f3d71693446a.vbs"
                                12⤵
                                  PID:3112
                                  • C:\Recovery\WindowsRE\lsass.exe
                                    C:\Recovery\WindowsRE\lsass.exe
                                    13⤵
                                    • UAC bypass
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:3796
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c899c4d6-41dc-4516-b5f1-51341737afa7.vbs"
                                      14⤵
                                        PID:1016
                                        • C:\Recovery\WindowsRE\lsass.exe
                                          C:\Recovery\WindowsRE\lsass.exe
                                          15⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:1056
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92a4fc7-1fa4-4aff-b106-38992476ad44.vbs"
                                            16⤵
                                              PID:4512
                                              • C:\Recovery\WindowsRE\lsass.exe
                                                C:\Recovery\WindowsRE\lsass.exe
                                                17⤵
                                                • UAC bypass
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:4992
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\447eca8a-0dc3-480b-b5cb-fac2b57fb8e9.vbs"
                                                  18⤵
                                                    PID:2220
                                                    • C:\Recovery\WindowsRE\lsass.exe
                                                      C:\Recovery\WindowsRE\lsass.exe
                                                      19⤵
                                                      • UAC bypass
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:4320
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3deb626b-b484-4677-9800-11cb48502f2f.vbs"
                                                        20⤵
                                                          PID:2204
                                                          • C:\Recovery\WindowsRE\lsass.exe
                                                            C:\Recovery\WindowsRE\lsass.exe
                                                            21⤵
                                                            • UAC bypass
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:264
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e32438b-cc64-4709-b4fb-424176e6b1cf.vbs"
                                                              22⤵
                                                                PID:3620
                                                                • C:\Recovery\WindowsRE\lsass.exe
                                                                  C:\Recovery\WindowsRE\lsass.exe
                                                                  23⤵
                                                                  • UAC bypass
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:456
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd82df5-9681-4967-b1f8-92de9f6a5723.vbs"
                                                                    24⤵
                                                                      PID:960
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\966531c4-cac1-4ee5-be69-9ffbda875664.vbs"
                                                                      24⤵
                                                                        PID:2076
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c29feab-69bb-4bd1-9c0b-aa690202d12c.vbs"
                                                                    22⤵
                                                                      PID:880
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe"
                                                                      22⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:5068
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp67B9.tmp.exe"
                                                                        23⤵
                                                                        • Executes dropped EXE
                                                                        PID:3408
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fb28ce3-b143-40fc-a510-a1d3edeb31de.vbs"
                                                                  20⤵
                                                                    PID:2500
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp4B57.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp4B57.tmp.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2308
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp4B57.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp4B57.tmp.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      PID:1900
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99295fbc-1619-4582-9b88-b305fe0471ae.vbs"
                                                                18⤵
                                                                  PID:3876
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp1BCB.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp1BCB.tmp.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:544
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp1BCB.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp1BCB.tmp.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    PID:2832
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32948f4d-020b-4d25-8fdb-94abbdca5aca.vbs"
                                                              16⤵
                                                                PID:5020
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe"
                                                                16⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1116
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe"
                                                                  17⤵
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:4728
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe"
                                                                    18⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:3532
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmpFD37.tmp.exe"
                                                                      19⤵
                                                                      • Executes dropped EXE
                                                                      PID:3720
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cdbb34b-c81e-4199-b8f8-71c87dd97542.vbs"
                                                            14⤵
                                                              PID:776
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpCA02.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpCA02.tmp.exe"
                                                              14⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:5076
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpCA02.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpCA02.tmp.exe"
                                                                15⤵
                                                                • Executes dropped EXE
                                                                PID:4708
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7f9728d-9a0b-4daf-beaa-82d09d8498c9.vbs"
                                                          12⤵
                                                            PID:1872
                                                          • C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe"
                                                            12⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1592
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpACE5.tmp.exe"
                                                              13⤵
                                                              • Executes dropped EXE
                                                              PID:2316
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f171edc-12a1-4e57-b8f6-9b9c66af86f5.vbs"
                                                        10⤵
                                                          PID:4984
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe"
                                                          10⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:4780
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3740
                                                            • C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp.exe"
                                                              12⤵
                                                              • Executes dropped EXE
                                                              PID:5116
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51a0cd33-7e7e-4f6e-aeaa-bcc1a5c8d775.vbs"
                                                      8⤵
                                                        PID:1424
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe"
                                                        8⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1332
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe"
                                                          9⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3820
                                                          • C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\tmp4BE9.tmp.exe"
                                                            10⤵
                                                            • Executes dropped EXE
                                                            PID:1244
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fea913cc-b264-44e5-9852-2416ccc72c2f.vbs"
                                                    6⤵
                                                      PID:2096
                                                    • C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:3864
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp.exe"
                                                        7⤵
                                                        • Executes dropped EXE
                                                        PID:544
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82abfab3-bf5d-484b-9224-97b41603300c.vbs"
                                                  4⤵
                                                    PID:4100
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1960
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3984
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2164
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4536
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3940
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3364
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2260
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1924
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1244
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Setup\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1008
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2316
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Setup\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1076
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1900
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1292
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2104
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Settings\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2088
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Settings\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2080
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\apppatch\fr-FR\fontdrvhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1116
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\apppatch\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3448
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\apppatch\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2444
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3016
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2432
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3808
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:8
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4656
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1220
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1964
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3468
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3440
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2748
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4636
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1956
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\upfc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:544
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\upfc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1864
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\upfc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4060
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4108
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2816
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1872
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4448
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4420
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:4424
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:964
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:860
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2360

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Program Files\Uninstall Information\fontdrvhost.exe
                                              Filesize: 4.9MB
                                              MD5: 613c17af7e79ea0696b12a8d2a4b99e0
                                              SHA1: 3c1fa83f993484fffb9def759879c320750d8ddc
                                              SHA256: 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003
                                              SHA512: 3ccc372ca5dc7ca97f6050ae8b42c3b0d839bda5c8237b256a443e9246fa0fc36d256d6ae5b001d298f5e9253a98f68edce0c652d2a9f85bc7af542c00c52f15

                                            • C:\Recovery\WindowsRE\RCXD764.tmp
                                              Filesize: 4.9MB
                                              MD5: 5a62035a719393b7968caaf00eedfce5
                                              SHA1: c576dbeb5148c36e91f3b7cd298c9fe653126d2e
                                              SHA256: da91f7c05196161f23bd2cd1b8d240865a6fcb54429bf5035bed55b4acc2060e
                                              SHA512: 590ba575cb196b48505709d9f68a0ed9e0e14e9789cd8b140f2447b01cd4d4fd92dd67805b0ab5b68b32b094acc6ec473c84e31991ac6b799893ea659e1bd128

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log
                                              Filesize: 1KB
                                              MD5: 4a667f150a4d1d02f53a9f24d89d53d1
                                              SHA1: 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
                                              SHA256: 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
                                              SHA512: 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                              Filesize: 2KB
                                              MD5: d85ba6ff808d9e5444a4b369f5bc2730
                                              SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
                                              SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
                                              SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize: 944B
                                              MD5: 2e907f77659a6601fcc408274894da2e
                                              SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
                                              SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
                                              SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                            • C:\Users\Admin\AppData\Local\Temp\362eddf0-7a99-4455-a0c3-f3d71693446a.vbs

                                              Filesize

                                              707B

                                            • C:\Users\Admin\AppData\Local\Temp\6d294a61-6e22-47e1-b804-0a1cabd4ba5d.vbs

                                              Filesize

                                              707B

                                            • C:\Users\Admin\AppData\Local\Temp\6d2a3620-5b96-47e8-b1c5-1f51cce7d551.vbs

                                              Filesize

                                              707B

                                            • C:\Users\Admin\AppData\Local\Temp\735e11f6-66fb-4bff-a033-7547699e771a.vbs

                                              Filesize

                                              707B

                                            • C:\Users\Admin\AppData\Local\Temp\82abfab3-bf5d-484b-9224-97b41603300c.vbs

                                              Filesize

                                              483B

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hc0e5yzb.vss.ps1

                                              Filesize

                                              60B

                                            • C:\Users\Admin\AppData\Local\Temp\c899c4d6-41dc-4516-b5f1-51341737afa7.vbs

                                              Filesize

                                              707B

                                            • C:\Users\Admin\AppData\Local\Temp\de05ee62-26b6-49fa-99a1-107ccb2716bc.vbs

                                              Filesize

                                              707B

                                            • C:\Users\Admin\AppData\Local\Temp\ea0WjfTxms.bat

                                              Filesize

                                              196B

                                            • C:\Users\Admin\AppData\Local\Temp\f92a4fc7-1fa4-4aff-b106-38992476ad44.vbs

                                              Filesize

                                              707B

                                            • C:\Users\Admin\AppData\Local\Temp\tmpBB34.tmp.exe

                                              Filesize

                                              75KB
