colibri | 19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3

Resubmissions

15-10-2023 15:31

231015-sx9b1aaf63 10

03-06-2023 11:19

230603-ne62psge66 10

12-04-2023 12:00

230412-n6gk5aca73 10

05-09-2022 16:12

220905-tny1cabffk 10

Analysis

max time kernel
174s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2022 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RDUQK6W.exe
Size

10.5MB
MD5

4a5a3ad1c74f3f7d525e1c97995ca649
SHA1

cc0548dcbf4c0bc4489529e9148cf9f921485e84
SHA256

19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3
SHA512

fbb94f6b670fbd6e32ac71b97cfe00d3c67a9747e1e4192ad1889bd8cf121b1b3bfe6e9fa0d4ba8634b5a8431b84c4ba7b3800bb6e128ce9ad759f952ac875b3
SSDEEP

196608:OXBAqsvidH8HkLOogdmCvl6SsT2bygeHHNc8zKiSKu5GjY2+rZvPTetsi0ERHblh:vidcEiJtNUEMH6kXYj5etb0qHblVFV

Score

10^/10

colibri build1 evasion loader trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	640	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

5779722125.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe

Executes dropped EXE 13 IoCs

Processes:

5779722125.exeXboxUpdate.exeBlitz.exeExtreme Injector.exetmpF3AC.tmp.exetmpF3AD.tmp.exetmpF3AC.tmp.exetmpF3AD.tmp.execsrss.exetmp8443.tmp.exeMoUSO.exetmp8443.tmp.exetmp8443.tmp.exe

pid	process
4664	5779722125.exe
5104	XboxUpdate.exe
3644	Blitz.exe
1508	Extreme Injector.exe
2584	tmpF3AC.tmp.exe
1560	tmpF3AD.tmp.exe
4752	tmpF3AC.tmp.exe
3488	tmpF3AD.tmp.exe
5676	csrss.exe
5936	tmp8443.tmp.exe
5912	MoUSO.exe
6004	tmp8443.tmp.exe
6040	tmp8443.tmp.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

csrss.exe$RDUQK6W.exeXboxUpdate.exe5779722125.exeBlitz.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	$RDUQK6W.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	XboxUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	5779722125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Blitz.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5779722125.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5779722125.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

65 ipinfo.io
66 ipinfo.io

flow	ioc
65	ipinfo.io
66	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmpF3AC.tmp.exetmpF3AD.tmp.exetmp8443.tmp.exe

description	pid	process	target process
PID 2584 set thread context of 4752	2584	tmpF3AC.tmp.exe	tmpF3AC.tmp.exe
PID 1560 set thread context of 3488	1560	tmpF3AD.tmp.exe	tmpF3AD.tmp.exe
PID 6004 set thread context of 6040	6004	tmp8443.tmp.exe	tmp8443.tmp.exe

Drops file in Program Files directory 6 IoCs

Processes:

5779722125.exe

description	ioc	process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe	5779722125.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\886983d96e3d3e	5779722125.exe
File created	C:\Program Files\Internet Explorer\ja-JP\conhost.exe	5779722125.exe
File created	C:\Program Files\Internet Explorer\ja-JP\088424020bedd6	5779722125.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe	5779722125.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\conhost.exe	5779722125.exe

Drops file in Windows directory 7 IoCs

Processes:

5779722125.exe$RDUQK6W.exe

description	ioc	process
File created	C:\Windows\fr-FR\fontdrvhost.exe	5779722125.exe
File opened for modification	C:\Windows\fr-FR\fontdrvhost.exe	5779722125.exe
File created	C:\Windows\fr-FR\5b884080fd4f94	5779722125.exe
File opened for modification	C:\Windows\5779722125.exe	5779722125.exe
File created	C:\Windows\5779722125.exe	$RDUQK6W.exe
File created	C:\Windows\XboxUpdate.exe	$RDUQK6W.exe
File created	C:\Windows\Blitz.exe	$RDUQK6W.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
456	schtasks.exe
3128	schtasks.exe
2464	schtasks.exe
4844	schtasks.exe
1388	schtasks.exe
1416	schtasks.exe
4488	schtasks.exe
3384	schtasks.exe
2948	schtasks.exe
2568	schtasks.exe
2144	schtasks.exe
4740	schtasks.exe
4756	schtasks.exe
2332	schtasks.exe
3236	schtasks.exe
3700	schtasks.exe

Modifies registry class 2 IoCs

Processes:

5779722125.execsrss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	5779722125.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5779722125.exeXboxUpdate.exepowershell.exe

pid	process
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
5104	XboxUpdate.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
4664	5779722125.exe
4664	5779722125.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
3116	powershell.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
5104	XboxUpdate.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe
4664	5779722125.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid process

5676 csrss.exe

pid	process
5676	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5779722125.exeXboxUpdate.exeExtreme Injector.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	4664	5779722125.exe
Token: SeDebugPrivilege	5104	XboxUpdate.exe
Token: SeDebugPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: SeDebugPrivilege	5676	csrss.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe
Token: 33	1508	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1508	Extreme Injector.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

$RDUQK6W.exeXboxUpdate.exe5779722125.exetmpF3AC.tmp.exetmpF3AD.tmp.exeBlitz.execmd.exe

description	pid	process	target process
PID 512 wrote to memory of 3116	512	$RDUQK6W.exe	powershell.exe
PID 512 wrote to memory of 3116	512	$RDUQK6W.exe	powershell.exe
PID 512 wrote to memory of 3116	512	$RDUQK6W.exe	powershell.exe
PID 512 wrote to memory of 4664	512	$RDUQK6W.exe	5779722125.exe
PID 512 wrote to memory of 4664	512	$RDUQK6W.exe	5779722125.exe
PID 512 wrote to memory of 5104	512	$RDUQK6W.exe	XboxUpdate.exe
PID 512 wrote to memory of 5104	512	$RDUQK6W.exe	XboxUpdate.exe
PID 512 wrote to memory of 3644	512	$RDUQK6W.exe	Blitz.exe
PID 512 wrote to memory of 3644	512	$RDUQK6W.exe	Blitz.exe
PID 512 wrote to memory of 3644	512	$RDUQK6W.exe	Blitz.exe
PID 512 wrote to memory of 1508	512	$RDUQK6W.exe	Extreme Injector.exe
PID 512 wrote to memory of 1508	512	$RDUQK6W.exe	Extreme Injector.exe
PID 5104 wrote to memory of 2584	5104	XboxUpdate.exe	tmpF3AC.tmp.exe
PID 5104 wrote to memory of 2584	5104	XboxUpdate.exe	tmpF3AC.tmp.exe
PID 5104 wrote to memory of 2584	5104	XboxUpdate.exe	tmpF3AC.tmp.exe
PID 4664 wrote to memory of 1560	4664	5779722125.exe	tmpF3AD.tmp.exe
PID 4664 wrote to memory of 1560	4664	5779722125.exe	tmpF3AD.tmp.exe
PID 4664 wrote to memory of 1560	4664	5779722125.exe	tmpF3AD.tmp.exe
PID 2584 wrote to memory of 4752	2584	tmpF3AC.tmp.exe	tmpF3AC.tmp.exe
PID 2584 wrote to memory of 4752	2584	tmpF3AC.tmp.exe	tmpF3AC.tmp.exe
PID 2584 wrote to memory of 4752	2584	tmpF3AC.tmp.exe	tmpF3AC.tmp.exe
PID 2584 wrote to memory of 4752	2584	tmpF3AC.tmp.exe	tmpF3AC.tmp.exe
PID 2584 wrote to memory of 4752	2584	tmpF3AC.tmp.exe	tmpF3AC.tmp.exe
PID 2584 wrote to memory of 4752	2584	tmpF3AC.tmp.exe	tmpF3AC.tmp.exe
PID 2584 wrote to memory of 4752	2584	tmpF3AC.tmp.exe	tmpF3AC.tmp.exe
PID 1560 wrote to memory of 3488	1560	tmpF3AD.tmp.exe	tmpF3AD.tmp.exe
PID 1560 wrote to memory of 3488	1560	tmpF3AD.tmp.exe	tmpF3AD.tmp.exe
PID 1560 wrote to memory of 3488	1560	tmpF3AD.tmp.exe	tmpF3AD.tmp.exe
PID 1560 wrote to memory of 3488	1560	tmpF3AD.tmp.exe	tmpF3AD.tmp.exe
PID 1560 wrote to memory of 3488	1560	tmpF3AD.tmp.exe	tmpF3AD.tmp.exe
PID 1560 wrote to memory of 3488	1560	tmpF3AD.tmp.exe	tmpF3AD.tmp.exe
PID 1560 wrote to memory of 3488	1560	tmpF3AD.tmp.exe	tmpF3AD.tmp.exe
PID 3644 wrote to memory of 3700	3644	Blitz.exe	schtasks.exe
PID 3644 wrote to memory of 3700	3644	Blitz.exe	schtasks.exe
PID 3644 wrote to memory of 3700	3644	Blitz.exe	schtasks.exe
PID 4664 wrote to memory of 2732	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 2732	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 4492	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 4492	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 4760	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 4760	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 3840	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 3840	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 2884	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 2884	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 1836	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 1836	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 4832	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 4832	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 2180	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 2180	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 4076	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 4076	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 3572	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 3572	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 3864	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 3864	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 4924	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 4924	4664	5779722125.exe	powershell.exe
PID 4664 wrote to memory of 2728	4664	5779722125.exe	cmd.exe
PID 4664 wrote to memory of 2728	4664	5779722125.exe	cmd.exe
PID 2728 wrote to memory of 5152	2728	cmd.exe	w32tm.exe
PID 2728 wrote to memory of 5152	2728	cmd.exe	w32tm.exe
PID 2728 wrote to memory of 5676	2728	cmd.exe	csrss.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

5779722125.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe

C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe
"C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbQBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAagBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AZABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAbQByACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\5779722125.exe
  "C:\Windows\5779722125.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\tmpF3AD.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpF3AD.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\tmpF3AD.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpF3AD.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:3488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ITN63wlJdh.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:5152
  - - C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks computer location settings
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:5676
    - - C:\Users\Admin\AppData\Local\Temp\tmp8443.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8443.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:5936
      - C:\Users\Admin\AppData\Local\Temp\tmp8443.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8443.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\tmp8443.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8443.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:6040
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4ba20de-fa7b-4334-9233-c91ddbb10a14.vbs"
        5⤵
        
        PID:3744
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1da29a54-23d6-4bf4-83ab-572a469ab37c.vbs"
        5⤵
        
        PID:5444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- C:\Windows\XboxUpdate.exe
  "C:\Windows\XboxUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\tmpF3AC.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpF3AC.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\tmpF3AC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpF3AC.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4752
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\Blitz.exe
  "C:\Windows\Blitz.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\ja-JP\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\ssh\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\ssh\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Executes dropped EXE
PID:5912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2ce5f364d6f19da44a34ce23f13e28b

SHA1
a7fc544cc9e62c759c0b0aeaecf324d7196a127e

SHA256
443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

SHA512
fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2ce5f364d6f19da44a34ce23f13e28b

SHA1
a7fc544cc9e62c759c0b0aeaecf324d7196a127e

SHA256
443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

SHA512
fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2ce5f364d6f19da44a34ce23f13e28b

SHA1
a7fc544cc9e62c759c0b0aeaecf324d7196a127e

SHA256
443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

SHA512
fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1da29a54-23d6-4bf4-83ab-572a469ab37c.vbs

Filesize
515B

MD5
73f1e0418498853677f4b4c07c2805e7

SHA1
68e0b129766236a5b8ac0a956a1227c7875e981b

SHA256
9244b259bfdbe1e8fbcfa21c77f4758fbfc74a163dad70026a1862dbf5896953

SHA512
042fd9efed7a05b72ca86cb0260cc66321881fa404dc10dab46bbe40489b82e7744ccadc1abbb0f71301e4bd6020183d1e6c64a7a812c0252b7be766c9d2dcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ITN63wlJdh.bat

Filesize
228B

MD5
c598086267e3d597229160cc6cd2aaa4

SHA1
cabe4adf81fd21d0f93c6ae8fd0c3952804d055f

SHA256
38979b13009c42ab9f1077d7e09d9daf63818ca9094a29dbd8a4ab6c0b367f00

SHA512
97ab63fdfe55e00edcbdcf71106b302265b92128ccfd3ec943432190dee0f04cf2c480bd20f35a247052b84bcb15b304efc5d635d79470aa33f72d2db05b39bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4ba20de-fa7b-4334-9233-c91ddbb10a14.vbs

Filesize
739B

MD5
9d2c4b38d9d76e60f492f4dc4ac784d9

SHA1
7f7fae382494907ad3cfa84362ba50b77f99e954

SHA256
b42b04399776fb947015b75a5e4365eac63d311cd14926ce1180a02ac67f47f8

SHA512
f23918a2c04d1589f86e60e03888f5af0af1e3b7bf56a21b5287e73fa8c4739a799204189bd10ce8839e293dc9dea73f17917d9f51e4ad4635ac28fada7e0a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8443.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8443.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8443.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8443.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3AC.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3AC.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3AC.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3AD.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3AD.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3AD.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\5779722125.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\5779722125.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\Blitz.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\Blitz.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\XboxUpdate.exe

Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
C:\Windows\XboxUpdate.exe

Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
memory/1508-152-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/1508-144-0x0000000000000000-mapping.dmp

Download
memory/1508-175-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/1508-176-0x000000001CE00000-0x000000001CE3C000-memory.dmp

Filesize
240KB

Download
memory/1508-270-0x000000001B3F0000-0x000000001B3F4000-memory.dmp

Filesize
16KB

Download
memory/1508-269-0x000000001B9AA000-0x000000001B9AF000-memory.dmp

Filesize
20KB

Download
memory/1508-268-0x000000001B9AA000-0x000000001B9AF000-memory.dmp

Filesize
20KB

Download
memory/1508-148-0x0000000000C60000-0x0000000000E46000-memory.dmp

Filesize
1.9MB

Download
memory/1508-193-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/1560-155-0x0000000000000000-mapping.dmp

Download
memory/1836-232-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/1836-203-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/1836-184-0x0000000000000000-mapping.dmp

Download
memory/2180-204-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/2180-187-0x0000000000000000-mapping.dmp

Download
memory/2180-236-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/2584-159-0x0000000000620000-0x0000000000623000-memory.dmp

Filesize
12KB

Download
memory/2584-154-0x0000000000000000-mapping.dmp

Download
memory/2728-192-0x0000000000000000-mapping.dmp

Download
memory/2732-179-0x0000000000000000-mapping.dmp

Download
memory/2732-239-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/2732-211-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/2884-262-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/2884-183-0x0000000000000000-mapping.dmp

Download
memory/2884-199-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/3116-243-0x0000000006FE0000-0x0000000006FEE000-memory.dmp

Filesize
56KB

Download
memory/3116-150-0x00000000044E0000-0x0000000004516000-memory.dmp

Filesize
216KB

Download
memory/3116-151-0x0000000004C60000-0x0000000005288000-memory.dmp

Filesize
6.2MB

Download
memory/3116-215-0x0000000006E10000-0x0000000006E1A000-memory.dmp

Filesize
40KB

Download
memory/3116-161-0x00000000052F0000-0x0000000005312000-memory.dmp

Filesize
136KB

Download
memory/3116-248-0x0000000007020000-0x0000000007028000-memory.dmp

Filesize
32KB

Download
memory/3116-132-0x0000000000000000-mapping.dmp

Download
memory/3116-205-0x0000000006A30000-0x0000000006A62000-memory.dmp

Filesize
200KB

Download
memory/3116-206-0x0000000074740000-0x000000007478C000-memory.dmp

Filesize
304KB

Download
memory/3116-208-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/3116-170-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/3116-245-0x00000000070D0000-0x00000000070EA000-memory.dmp

Filesize
104KB

Download
memory/3116-172-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/3116-177-0x0000000005A00000-0x0000000005A1E000-memory.dmp

Filesize
120KB

Download
memory/3116-212-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/3116-216-0x0000000007030000-0x00000000070C6000-memory.dmp

Filesize
600KB

Download
memory/3116-213-0x0000000005E70000-0x0000000005E8A000-memory.dmp

Filesize
104KB

Download
memory/3488-167-0x0000000000000000-mapping.dmp

Download
memory/3572-209-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/3572-189-0x0000000000000000-mapping.dmp

Download
memory/3572-233-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/3644-140-0x0000000000000000-mapping.dmp

Download
memory/3700-171-0x0000000000000000-mapping.dmp

Download
memory/3744-260-0x0000000000000000-mapping.dmp

Download
memory/3840-222-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/3840-182-0x0000000000000000-mapping.dmp

Download
memory/3840-200-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/3864-217-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/3864-190-0x0000000000000000-mapping.dmp

Download
memory/3864-195-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4076-235-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4076-207-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4076-188-0x0000000000000000-mapping.dmp

Download
memory/4492-180-0x0000000000000000-mapping.dmp

Download
memory/4492-226-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4492-198-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4492-196-0x0000025C5F460000-0x0000025C5F482000-memory.dmp

Filesize
136KB

Download
memory/4664-194-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4664-137-0x0000000000BF0000-0x00000000011B2000-memory.dmp

Filesize
5.8MB

Download
memory/4664-147-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4664-174-0x00000000018D0000-0x00000000018E0000-memory.dmp

Filesize
64KB

Download
memory/4664-133-0x0000000000000000-mapping.dmp

Download
memory/4664-153-0x000000001D8F0000-0x000000001D940000-memory.dmp

Filesize
320KB

Download
memory/4664-178-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4752-173-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4752-160-0x0000000000000000-mapping.dmp

Download
memory/4752-162-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4760-181-0x0000000000000000-mapping.dmp

Download
memory/4760-227-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4760-197-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4832-201-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4832-225-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4832-186-0x0000000000000000-mapping.dmp

Download
memory/4924-191-0x0000000000000000-mapping.dmp

Download
memory/4924-238-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/4924-214-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/5104-141-0x00000000000D0000-0x0000000000340000-memory.dmp

Filesize
2.4MB

Download
memory/5104-136-0x0000000000000000-mapping.dmp

Download
memory/5104-149-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/5104-185-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/5152-210-0x0000000000000000-mapping.dmp

Download
memory/5444-261-0x0000000000000000-mapping.dmp

Download
memory/5676-265-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/5676-244-0x00007FFF77970000-0x00007FFF78431000-memory.dmp

Filesize
10.8MB

Download
memory/5676-240-0x0000000000000000-mapping.dmp

Download
memory/5676-266-0x00000000203E0000-0x00000000205A2000-memory.dmp

Filesize
1.8MB

Download
memory/5676-267-0x0000000020F30000-0x0000000021458000-memory.dmp

Filesize
5.2MB

Download
memory/5936-246-0x0000000000000000-mapping.dmp

Download
memory/5936-251-0x00000000013F0000-0x00000000013F3000-memory.dmp

Filesize
12KB

Download
memory/6004-254-0x0000000000994000-0x0000000000997000-memory.dmp

Filesize
12KB

Download
memory/6004-252-0x0000000000000000-mapping.dmp

Download
memory/6040-255-0x0000000000000000-mapping.dmp

Download