Overview

overview

10

Static

static

3

fba69a368d...5N.exe

windows7-x64

10

fba69a368d...5N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe

  • Size

    4.9MB

  • MD5

    ebc81db3d71154bc617356d897e0d450

  • SHA1

    d8a2a478437abd6f69685903700b1e9e5a30c6ce

  • SHA256

    fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25

  • SHA512

    33dd0b853085ff2256384c34b44652b9815a34920eea200a3859ac7f626e9795036bdcac6b2de8cf4c03d433431ea5121676f84312a7a90f34fdeb6a8c54ea72

  • SSDEEP

    49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • Colibri family
    colibri
  • DcRat 38 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 42 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 36 IoCs
  • Checks whether UAC is enabled 1 TTPs 28 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 11 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 14 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 42 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
    "C:\Users\Admin\AppData\Local\Temp\fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3692
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GEujOzFY9Y.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3784
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4996
        • C:\Users\Admin\AppData\Local\Temp\fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe
          "C:\Users\Admin\AppData\Local\Temp\fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2280
          • C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:368
            • C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe
              "C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe"
              5⤵
              • Executes dropped EXE
              PID:3840
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2232
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2808
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4832
          • C:\Windows\security\EDP\Logs\Registry.exe
            "C:\Windows\security\EDP\Logs\Registry.exe"
            4⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:1832
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dcdbc43-a5e2-4531-8892-35614abac38c.vbs"
              5⤵
                PID:3076
                • C:\Windows\security\EDP\Logs\Registry.exe
                  C:\Windows\security\EDP\Logs\Registry.exe
                  6⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:584
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c974ad8-f69a-4fd5-b3b2-012f2ac59ae3.vbs"
                    7⤵
                      PID:4064
                      • C:\Windows\security\EDP\Logs\Registry.exe
                        C:\Windows\security\EDP\Logs\Registry.exe
                        8⤵
                        • UAC bypass
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:4280
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae00a318-e0ac-4fdf-a770-361a2f06ceb3.vbs"
                          9⤵
                            PID:3004
                            • C:\Windows\security\EDP\Logs\Registry.exe
                              C:\Windows\security\EDP\Logs\Registry.exe
                              10⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:3420
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31046b26-3d53-4b9d-b1f8-563cee78b6c3.vbs"
                                11⤵
                                  PID:3108
                                  • C:\Windows\security\EDP\Logs\Registry.exe
                                    C:\Windows\security\EDP\Logs\Registry.exe
                                    12⤵
                                    • UAC bypass
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Modifies registry class
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:1996
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e651f8a4-5a64-4220-bd59-f31f0c8cba20.vbs"
                                      13⤵
                                        PID:4536
                                        • C:\Windows\security\EDP\Logs\Registry.exe
                                          C:\Windows\security\EDP\Logs\Registry.exe
                                          14⤵
                                          • UAC bypass
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2224
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca30a68a-5a0b-4fba-8d5c-af88797f004e.vbs"
                                            15⤵
                                              PID:1332
                                              • C:\Windows\security\EDP\Logs\Registry.exe
                                                C:\Windows\security\EDP\Logs\Registry.exe
                                                16⤵
                                                • UAC bypass
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Modifies registry class
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:4616
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09b05da3-9e4b-4287-b1a0-75e83d63abc4.vbs"
                                                  17⤵
                                                    PID:2764
                                                    • C:\Windows\security\EDP\Logs\Registry.exe
                                                      C:\Windows\security\EDP\Logs\Registry.exe
                                                      18⤵
                                                      • UAC bypass
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:1272
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82e87709-f7a4-4eff-9c95-db211c52be88.vbs"
                                                        19⤵
                                                          PID:4372
                                                          • C:\Windows\security\EDP\Logs\Registry.exe
                                                            C:\Windows\security\EDP\Logs\Registry.exe
                                                            20⤵
                                                            • UAC bypass
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Modifies registry class
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:3684
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b016df35-9bdc-490b-9a0c-6e03094bfd53.vbs"
                                                              21⤵
                                                                PID:2212
                                                                • C:\Windows\security\EDP\Logs\Registry.exe
                                                                  C:\Windows\security\EDP\Logs\Registry.exe
                                                                  22⤵
                                                                  • UAC bypass
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Modifies registry class
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:3076
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8cc02b8-934b-464b-944c-1c783dc2a90e.vbs"
                                                                    23⤵
                                                                      PID:2444
                                                                      • C:\Windows\security\EDP\Logs\Registry.exe
                                                                        C:\Windows\security\EDP\Logs\Registry.exe
                                                                        24⤵
                                                                        • UAC bypass
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Checks whether UAC is enabled
                                                                        • Modifies registry class
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • System policy modification
                                                                        PID:3948
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db2ce271-75f0-41d9-bf0a-8a792e8a901a.vbs"
                                                                          25⤵
                                                                            PID:3668
                                                                            • C:\Windows\security\EDP\Logs\Registry.exe
                                                                              C:\Windows\security\EDP\Logs\Registry.exe
                                                                              26⤵
                                                                              • UAC bypass
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Checks whether UAC is enabled
                                                                              • Modifies registry class
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • System policy modification
                                                                              PID:4340
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cf37b8c-02e3-43ee-9ecb-35ded381f79e.vbs"
                                                                                27⤵
                                                                                  PID:4764
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f441d74b-471d-456d-926a-611bcd5061d3.vbs"
                                                                                  27⤵
                                                                                    PID:4220
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f95bfc0-fea3-4a34-9d55-8da1ddd76b73.vbs"
                                                                                25⤵
                                                                                  PID:4768
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp285E.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp285E.tmp.exe"
                                                                                  25⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:432
                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp285E.tmp.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp285E.tmp.exe"
                                                                                    26⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:2608
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e78dbce-6bfd-4829-b6e6-120b7254ad08.vbs"
                                                                              23⤵
                                                                                PID:3160
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmpC4B.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmpC4B.tmp.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:4360
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmpC4B.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpC4B.tmp.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:3756
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a99110c-2f66-44f1-a780-2a715c1377ba.vbs"
                                                                            21⤵
                                                                              PID:4964
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpEF3D.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmpEF3D.tmp.exe"
                                                                              21⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1684
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmpEF3D.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmpEF3D.tmp.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                PID:1448
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d987da6-4c5a-4df7-8b88-1c550f185010.vbs"
                                                                          19⤵
                                                                            PID:3128
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpD358.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpD358.tmp.exe"
                                                                            19⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4424
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpD358.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmpD358.tmp.exe"
                                                                              20⤵
                                                                              • Executes dropped EXE
                                                                              PID:3800
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6e9067c-1c04-48e2-ba9e-04b2c4239ec6.vbs"
                                                                        17⤵
                                                                          PID:2004
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7dad774-a6a1-4420-baca-707b2ffa9de4.vbs"
                                                                      15⤵
                                                                        PID:2720
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72523398-f0c1-41b7-a5c7-03f7ec93c813.vbs"
                                                                    13⤵
                                                                      PID:1680
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp6983.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp6983.tmp.exe"
                                                                      13⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:1448
                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp6983.tmp.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp6983.tmp.exe"
                                                                        14⤵
                                                                        • Executes dropped EXE
                                                                        PID:1400
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a3d2975-6f44-428b-8668-29e013b65ac5.vbs"
                                                                  11⤵
                                                                    PID:4712
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp4C27.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp4C27.tmp.exe"
                                                                    11⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2960
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp4C27.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp4C27.tmp.exe"
                                                                      12⤵
                                                                      • Executes dropped EXE
                                                                      PID:4512
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32f416ac-4788-468d-be5f-a49b3a76031b.vbs"
                                                                9⤵
                                                                  PID:4200
                                                                • C:\Users\Admin\AppData\Local\Temp\tmp1B63.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp1B63.tmp.exe"
                                                                  9⤵
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:4768
                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp1B63.tmp.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp1B63.tmp.exe"
                                                                    10⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4824
                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp1B63.tmp.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp1B63.tmp.exe"
                                                                      11⤵
                                                                      • Executes dropped EXE
                                                                      PID:64
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69e835a1-3ace-43be-9be9-e066ced7893c.vbs"
                                                              7⤵
                                                                PID:512
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpEA41.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpEA41.tmp.exe"
                                                                7⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                PID:804
                                                                • C:\Users\Admin\AppData\Local\Temp\tmpEA41.tmp.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpEA41.tmp.exe"
                                                                  8⤵
                                                                  • Executes dropped EXE
                                                                  PID:548
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14307c1e-9028-443e-a959-7a03f079d551.vbs"
                                                            5⤵
                                                              PID:4404
                                                            • C:\Users\Admin\AppData\Local\Temp\tmpCAD2.tmp.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\tmpCAD2.tmp.exe"
                                                              5⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              PID:640
                                                              • C:\Users\Admin\AppData\Local\Temp\tmpCAD2.tmp.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\tmpCAD2.tmp.exe"
                                                                6⤵
                                                                • Executes dropped EXE
                                                                PID:3560
                                                      • C:\Users\Admin\AppData\Local\Temp\tmp888C.tmp.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\tmp888C.tmp.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:3976
                                                        • C:\Users\Admin\AppData\Local\Temp\tmp888C.tmp.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\tmp888C.tmp.exe"
                                                          3⤵
                                                          • Executes dropped EXE
                                                          PID:760
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\winlogon.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2280
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Provisioning\winlogon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3988
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\winlogon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:392
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:5068
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4428
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4272
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\security\EDP\Logs\Registry.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:392
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\security\EDP\Logs\Registry.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2212
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\security\EDP\Logs\Registry.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4684
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\dwm.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4152
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1684
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\dwm.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4708
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2936
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3120
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2580
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1360
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3900
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4620
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\services.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1336
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\services.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3424
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\services.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4956
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:548
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1944
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2244
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\winlogon.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2980
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1876
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\winlogon.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4528
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3344
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2604
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\dllhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2916
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\fontdrvhost.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3996
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\fontdrvhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:556
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\fontdrvhost.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:832
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25Nf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe'" /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4652
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4636
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25Nf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • DcRat
                                                      • Process spawned unexpected child process
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:4512

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log
                                                      Filesize

                                                      1KB

                                                      MD5

                                                      4a667f150a4d1d02f53a9f24d89d53d1

                                                      SHA1

                                                      306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                      SHA256

                                                      414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                      SHA512

                                                      4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25N.exe.log
                                                      Filesize

                                                      1KB

                                                      MD5

                                                      bbb951a34b516b66451218a3ec3b0ae1

                                                      SHA1

                                                      7393835a2476ae655916e0a9687eeaba3ee876e9

                                                      SHA256

                                                      eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

                                                      SHA512

                                                      63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                      Filesize

                                                      2KB

                                                      MD5

                                                      d85ba6ff808d9e5444a4b369f5bc2730

                                                      SHA1

                                                      31aa9d96590fff6981b315e0b391b575e4c0804a

                                                      SHA256

                                                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                      SHA512

                                                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      2e907f77659a6601fcc408274894da2e

                                                      SHA1

                                                      9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                      SHA256

                                                      385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                      SHA512

                                                      34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      d28a889fd956d5cb3accfbaf1143eb6f

                                                      SHA1

                                                      157ba54b365341f8ff06707d996b3635da8446f7

                                                      SHA256

                                                      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                      SHA512

                                                      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      6d3e9c29fe44e90aae6ed30ccf799ca8

                                                      SHA1

                                                      c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                                      SHA256

                                                      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                                      SHA512

                                                      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      bd5940f08d0be56e65e5f2aaf47c538e

                                                      SHA1

                                                      d7e31b87866e5e383ab5499da64aba50f03e8443

                                                      SHA256

                                                      2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                                                      SHA512

                                                      c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      3a6bad9528f8e23fb5c77fbd81fa28e8

                                                      SHA1

                                                      f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                      SHA256

                                                      986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                      SHA512

                                                      846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      b801d886e417a9bf405b2f0092e04fe1

                                                      SHA1

                                                      fa99fefa2f49af240141692f78c8c28f04205389

                                                      SHA256

                                                      57b1c29eef54567fcfdaa28d2923485cb6f77bb76dc54235965fb34f02a42636

                                                      SHA512

                                                      b2c8bf95b4c25d7fff388b5f3e04212c43af9588f7aed8a7cb251330ee18c89789eb1d294b8449ec2afeb9b5373d7a6dce8f4369b84cbfb6a7c7813341fa07ff

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      145039ee65251da29aa337556cab6c61

                                                      SHA1

                                                      5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

                                                      SHA256

                                                      26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

                                                      SHA512

                                                      d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      8846686b7f2d146c0baa27459eedbd8d

                                                      SHA1

                                                      c953a3d1c7870a9d7ded709301f3ae7f1ea94e61

                                                      SHA256

                                                      33e3dc5ccf5c09b1c26c524b284335712ef653a2b2169732d8d890f615026c65

                                                      SHA512

                                                      3e72136bff1772ae7934c67ead939b4783ffb9a3657a366881504c7a11e76abe6469b6a4701b031fd564e6d257f7c62f52fb69f93a67459fadf909fefbbe6154

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      3c625954a51c4bbd8141206b00f6fc0a

                                                      SHA1

                                                      4128cb2f9d2984844e303e2e330e448334e5c273

                                                      SHA256

                                                      952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

                                                      SHA512

                                                      3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      705e397ba2c670b0b9fcebdd31e0feea

                                                      SHA1

                                                      8566fe7e0903b7495e659ba0588b72e3ce538c3b

                                                      SHA256

                                                      ae5d0de2ba6fe534bf67dcdbbfd71cf3f8c26f3d6ec852d73362d274a242732f

                                                      SHA512

                                                      a2914a193cbea13119567199082c52eebe67719c80bc056b3820c6a4b2e8cf8c7ecd3e38975f6ffc616b171ab722a6664f44f65496fdaf114615c1bbdf98306c

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Filesize

                                                      944B

                                                      MD5

                                                      0f6a77860cd9c5289dd6e45bbc36a982

                                                      SHA1

                                                      750d55b0d394bc5716fc3e3204975b029d3dc43b

                                                      SHA256

                                                      a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4

                                                      SHA512

                                                      e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\14307c1e-9028-443e-a959-7a03f079d551.vbs
                                                      Filesize

                                                      493B

                                                      MD5

                                                      85d09a95cadb88eb441cf1df731cae5a

                                                      SHA1

                                                      cc3258cd2f7de04571395627e1f8ae6fe40e9c30

                                                      SHA256

                                                      7c4647c3be1a746ac1e4b81bae67e71207c34d2d8da3bcc01199a2080b36a6d5

                                                      SHA512

                                                      b71c449a70efe4c257b33353f0fdb567c36d9bac6ea8338a313f271316cf877f8fe9998fe680ef9fe5f23a71ed62967acb26056a37f78a20aef7ec2b61b0a37b

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\31046b26-3d53-4b9d-b1f8-563cee78b6c3.vbs
                                                      Filesize

                                                      717B

                                                      MD5

                                                      6357e9f6396967651030d3c8fb044b7d

                                                      SHA1

                                                      d48b305b255c40e3990c5b3b9b7421e3bae48b8c

                                                      SHA256

                                                      d37f7bd2ac15a1877c2e88e0cd14247d438f147bf7b4ce01a2515b2138ff939e

                                                      SHA512

                                                      69fddd7bf2ab91f12c821c2ccfa8f9f49e733ff97ff33ebc1a2be43ba0e158b6c0135a8bfef30c7a45debb1441527178a7446677148953fb43e7e2a9f59feabf

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\4c974ad8-f69a-4fd5-b3b2-012f2ac59ae3.vbs
                                                      Filesize

                                                      716B

                                                      MD5

                                                      0e210a8a8c2542c66f57b604023c1fe4

                                                      SHA1

                                                      997f4c82dd164ff20e79237eeadb56c31bc0c6ce

                                                      SHA256

                                                      f54c51562a6d1c37c5f6250f59dc2fd1e3df68e2736bff834e5e96409a82810d

                                                      SHA512

                                                      f174fbbea2df967a06fe78b4c7a7f083e466f58846bf7d83969a08755dc86ec9df33d24515552cebeab5d6aa578d5f868ef7ba814b1ea731a41b2b8d822ca328

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\5dcdbc43-a5e2-4531-8892-35614abac38c.vbs
                                                      Filesize

                                                      717B

                                                      MD5

                                                      2b4caeba91a56a07343129b4813ae7c2

                                                      SHA1

                                                      28db1a0fd03f6f5b3b9e91ef35c0c0ba14f94441

                                                      SHA256

                                                      a132e7cabc55b3c534f21cb3a4e71429ffc098654a717b22eb8e3604484db79b

                                                      SHA512

                                                      79f58a22b6d0ee189eced320c545ddb265cc3ed079d8842746185452eebfe719d9bc05de4be79e511725ab43d8ff80343cea970340510e8c46bb356bcce1fe74

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\GEujOzFY9Y.bat
                                                      Filesize

                                                      268B

                                                      MD5

                                                      1aaa8a82c3c9ca574fd76e37f70fa5a7

                                                      SHA1

                                                      681713c7cf4b200a8f0087e5ba86d4294a68c7ff

                                                      SHA256

                                                      7c64414f4715a2713d1c1a7f71d1de6ca2f20e888635610fcec98a992a1d512e

                                                      SHA512

                                                      4f750fd40efb24a4388104c9faeac55b7654ad810ef685b61015ca5ccaac97d3ca13f24d0c5c85aad53f75ebab64092f6ac51567e26432732b942dbaf7ef10b6

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_550n2mwb.0mh.ps1
                                                      Filesize

                                                      60B

                                                      MD5

                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                      SHA1

                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                      SHA256

                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                      SHA512

                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\ae00a318-e0ac-4fdf-a770-361a2f06ceb3.vbs
                                                      Filesize

                                                      717B

                                                      MD5

                                                      c50eb420b04739139df87202ab7f395e

                                                      SHA1

                                                      dc44df1e784ef6fdcd9d46922207a34da913f7d6

                                                      SHA256

                                                      ab490d142bd81551eb842621397b36eb59e3bcf044d16556a4cd7af4b1005b65

                                                      SHA512

                                                      c2d7349e4fc5b1df4a8143893bb50a4d12dc0af9083aa44d157ad1b11c6b34febafc18e84a17ee4b646531776433b030533570bb808e66574a41db9b33cb4e9b

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\e651f8a4-5a64-4220-bd59-f31f0c8cba20.vbs
                                                      Filesize

                                                      717B

                                                      MD5

                                                      966aa30fefabbbd04fb971f97a24d8c1

                                                      SHA1

                                                      fc76e3f31f01e0e9999cd5208ca6c65f9838239a

                                                      SHA256

                                                      c3b747c8b592b33dee1efe7ff8e56d1a27bf1517d493fd1b5ee395c4d4836f94

                                                      SHA512

                                                      8e6036c749a9ccf75b532ca395df33176d9199b2023c8ff8ac4d23214a18a00ffe48695d915fb0e63666898207b1668f7198d63e8a5fad1ba4cf07593ea275db

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\tmp888C.tmp.exe
                                                      Filesize

                                                      75KB

                                                      MD5

                                                      e0a68b98992c1699876f818a22b5b907

                                                      SHA1

                                                      d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                      SHA256

                                                      2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                      SHA512

                                                      856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                      Download Submit

                                                    • C:\Windows\Provisioning\winlogon.exe
                                                      Filesize

                                                      4.9MB

                                                      MD5

                                                      ebc81db3d71154bc617356d897e0d450

                                                      SHA1

                                                      d8a2a478437abd6f69685903700b1e9e5a30c6ce

                                                      SHA256

                                                      fba69a368d73d2a2232258d465d825481048ec5cab01cffc0241dd6a37f12d25

                                                      SHA512

                                                      33dd0b853085ff2256384c34b44652b9815a34920eea200a3859ac7f626e9795036bdcac6b2de8cf4c03d433431ea5121676f84312a7a90f34fdeb6a8c54ea72

                                                      Download Submit

                                                    • memory/760-101-0x0000000000400000-0x0000000000407000-memory.dmp

                                                      Filesize

                                                      28KB

                                                      Download

                                                    • memory/1996-511-0x000000001B420000-0x000000001B432000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/2180-61-0x000001B83B080000-0x000001B83B0A2000-memory.dmp

                                                      Filesize

                                                      136KB

                                                      Download

                                                    • memory/3420-487-0x0000000002C70000-0x0000000002C82000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/4340-608-0x000000001BE30000-0x000000001BE42000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/4880-10-0x000000001B910000-0x000000001B91A000-memory.dmp

                                                      Filesize

                                                      40KB

                                                      Download

                                                    • memory/4880-8-0x000000001B8F0000-0x000000001B906000-memory.dmp

                                                      Filesize

                                                      88KB

                                                      Download

                                                    • memory/4880-13-0x000000001B930000-0x000000001B93A000-memory.dmp

                                                      Filesize

                                                      40KB

                                                      Download

                                                    • memory/4880-15-0x000000001B950000-0x000000001B95E000-memory.dmp

                                                      Filesize

                                                      56KB

                                                      Download

                                                    • memory/4880-14-0x000000001B940000-0x000000001B94E000-memory.dmp

                                                      Filesize

                                                      56KB

                                                      Download

                                                    • memory/4880-12-0x000000001C650000-0x000000001CB78000-memory.dmp

                                                      Filesize

                                                      5.2MB

                                                      Download

                                                    • memory/4880-11-0x000000001B920000-0x000000001B932000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/4880-5-0x000000001BAC0000-0x000000001BB10000-memory.dmp

                                                      Filesize

                                                      320KB

                                                      Download

                                                    • memory/4880-0-0x00007FFD40313000-0x00007FFD40315000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/4880-16-0x000000001B960000-0x000000001B968000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/4880-9-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

                                                      Filesize

                                                      64KB

                                                      Download

                                                    • memory/4880-6-0x0000000002C90000-0x0000000002C98000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/4880-7-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

                                                      Filesize

                                                      64KB

                                                      Download

                                                    • memory/4880-4-0x0000000001470000-0x000000000148C000-memory.dmp

                                                      Filesize

                                                      112KB

                                                      Download

                                                    • memory/4880-3-0x00007FFD40310000-0x00007FFD40DD1000-memory.dmp

                                                      Filesize

                                                      10.8MB

                                                      Download

                                                    • memory/4880-18-0x000000001C220000-0x000000001C22C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                      Download

                                                    • memory/4880-2-0x000000001B990000-0x000000001BABE000-memory.dmp

                                                      Filesize

                                                      1.2MB

                                                      Download

                                                    • memory/4880-17-0x000000001B970000-0x000000001B978000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/4880-1-0x0000000000680000-0x0000000000B74000-memory.dmp

                                                      Filesize

                                                      5.0MB

                                                      Download

                                                    • memory/4880-57-0x00007FFD40310000-0x00007FFD40DD1000-memory.dmp

                                                      Filesize

                                                      10.8MB

                                                      Download