colibri | 9f487d16cd0e0548b6bde75853d0cfcd4eb9362f61d101ce55740781e3e04b2d

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2022 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb476576bd4aeb366aa82b6240ff2e8.exe
Size

4.9MB
MD5

1fb476576bd4aeb366aa82b6240ff2e8
SHA1

5ae8fba07122131f385bda0274967713d52057db
SHA256

9f487d16cd0e0548b6bde75853d0cfcd4eb9362f61d101ce55740781e3e04b2d
SHA512

360fcce899a22c55235078e3a72fe765fdedfeb9fc2effb3851dd629ea372440ca471dbe748a9e23ad41a3015c372f27a28c239c83abb186024b8c19026ebaa6
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 evasion infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2056	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2056	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sppsvc.exe1fb476576bd4aeb366aa82b6240ff2e8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Executes dropped EXE 5 IoCs

Processes:

tmpCBA2.tmp.exetmpCBA2.tmp.exesppsvc.exetmpC06.tmp.exetmpC06.tmp.exe

pid process

1732 tmpCBA2.tmp.exe
3180 tmpCBA2.tmp.exe
4744 sppsvc.exe
4256 tmpC06.tmp.exe
1360 tmpC06.tmp.exe

pid	process
1732	tmpCBA2.tmp.exe
3180	tmpCBA2.tmp.exe
4744	sppsvc.exe
4256	tmpC06.tmp.exe
1360	tmpC06.tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1fb476576bd4aeb366aa82b6240ff2e8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ipinfo.io
33 ipinfo.io

flow	ioc
31	ipinfo.io
33	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmpCBA2.tmp.exetmpC06.tmp.exe

description	pid	process	target process
PID 1732 set thread context of 3180	1732	tmpCBA2.tmp.exe	tmpCBA2.tmp.exe
PID 4256 set thread context of 1360	4256	tmpC06.tmp.exe	tmpC06.tmp.exe

Drops file in Program Files directory 12 IoCs

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Program Files\Windows Mail\dllhost.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Program Files\Windows Mail\5940a34987c991	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXD289.tmp	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files\Windows Mail\RCXDCED.tmp	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\9e8d7a4ca61bd9	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\smss.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\69ddcba757bf72	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files\Windows Mail\dllhost.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\RCXE50F.tmp	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\smss.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe

Drops file in Windows directory 4 IoCs

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exe

description	ioc	process
File created	C:\Windows\ShellExperiences\OfficeClickToRun.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe
File created	C:\Windows\ShellExperiences\e6c9b481da804f	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Windows\ShellExperiences\RCXE27D.tmp	1fb476576bd4aeb366aa82b6240ff2e8.exe
File opened for modification	C:\Windows\ShellExperiences\OfficeClickToRun.exe	1fb476576bd4aeb366aa82b6240ff2e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1408	schtasks.exe
4840	schtasks.exe
2844	schtasks.exe
1704	schtasks.exe
476	schtasks.exe
540	schtasks.exe
4888	schtasks.exe
4900	schtasks.exe
4876	schtasks.exe
1636	schtasks.exe
2272	schtasks.exe
3164	schtasks.exe
704	schtasks.exe
4180	schtasks.exe
4804	schtasks.exe
2412	schtasks.exe
3760	schtasks.exe
1080	schtasks.exe
5080	schtasks.exe
1564	schtasks.exe
2252	schtasks.exe
1664	schtasks.exe
1592	schtasks.exe
852	schtasks.exe
2140	schtasks.exe
4908	schtasks.exe
4080	schtasks.exe
1964	schtasks.exe
2100	schtasks.exe
4444	schtasks.exe
2916	schtasks.exe
3020	schtasks.exe
4576	schtasks.exe
2684	schtasks.exe
2064	schtasks.exe
2860	schtasks.exe

Modifies registry class 2 IoCs

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exesppsvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1fb476576bd4aeb366aa82b6240ff2e8.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exe

pid	process
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
3436	powershell.exe
3336	powershell.exe
3436	powershell.exe
3336	powershell.exe
3448	powershell.exe
3448	powershell.exe
756	powershell.exe
756	powershell.exe
5092	powershell.exe
5092	powershell.exe
1376	powershell.exe
1376	powershell.exe
2420	powershell.exe
2420	powershell.exe
4572	powershell.exe
4572	powershell.exe
2300	powershell.exe
2300	powershell.exe
424	powershell.exe
424	powershell.exe
3712	powershell.exe
3712	powershell.exe
3188	powershell.exe
3188	powershell.exe
2300	powershell.exe
3448	powershell.exe
3448	powershell.exe
3436	powershell.exe
3436	powershell.exe
3336	powershell.exe
3336	powershell.exe
756	powershell.exe
1376	powershell.exe
5092	powershell.exe
5092	powershell.exe
2420	powershell.exe
4572	powershell.exe
424	powershell.exe
3188	powershell.exe
3712	powershell.exe
4744	sppsvc.exe
4744	sppsvc.exe
4744	sppsvc.exe
4744	sppsvc.exe
4744	sppsvc.exe
4744	sppsvc.exe
4744	sppsvc.exe
4744	sppsvc.exe
4744	sppsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sppsvc.exe

pid process

4744 sppsvc.exe

pid	process
4744	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	4744	sppsvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sppsvc.exe

pid process

4744 sppsvc.exe

pid	process
4744	sppsvc.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exetmpCBA2.tmp.exesppsvc.exetmpC06.tmp.exe

description	pid	process	target process
PID 1016 wrote to memory of 1732	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	tmpCBA2.tmp.exe
PID 1016 wrote to memory of 1732	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	tmpCBA2.tmp.exe
PID 1016 wrote to memory of 1732	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	tmpCBA2.tmp.exe
PID 1732 wrote to memory of 3180	1732	tmpCBA2.tmp.exe	tmpCBA2.tmp.exe
PID 1732 wrote to memory of 3180	1732	tmpCBA2.tmp.exe	tmpCBA2.tmp.exe
PID 1732 wrote to memory of 3180	1732	tmpCBA2.tmp.exe	tmpCBA2.tmp.exe
PID 1732 wrote to memory of 3180	1732	tmpCBA2.tmp.exe	tmpCBA2.tmp.exe
PID 1732 wrote to memory of 3180	1732	tmpCBA2.tmp.exe	tmpCBA2.tmp.exe
PID 1732 wrote to memory of 3180	1732	tmpCBA2.tmp.exe	tmpCBA2.tmp.exe
PID 1732 wrote to memory of 3180	1732	tmpCBA2.tmp.exe	tmpCBA2.tmp.exe
PID 1016 wrote to memory of 3448	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 3448	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 3436	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 3436	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 3336	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 3336	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 1376	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 1376	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 5092	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 5092	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 756	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 756	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 4572	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 4572	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 2420	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 2420	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 2300	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 2300	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 424	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 424	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 3712	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 3712	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 3188	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 3188	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	powershell.exe
PID 1016 wrote to memory of 4744	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	sppsvc.exe
PID 1016 wrote to memory of 4744	1016	1fb476576bd4aeb366aa82b6240ff2e8.exe	sppsvc.exe
PID 4744 wrote to memory of 4256	4744	sppsvc.exe	tmpC06.tmp.exe
PID 4744 wrote to memory of 4256	4744	sppsvc.exe	tmpC06.tmp.exe
PID 4744 wrote to memory of 4256	4744	sppsvc.exe	tmpC06.tmp.exe
PID 4256 wrote to memory of 1360	4256	tmpC06.tmp.exe	tmpC06.tmp.exe
PID 4256 wrote to memory of 1360	4256	tmpC06.tmp.exe	tmpC06.tmp.exe
PID 4256 wrote to memory of 1360	4256	tmpC06.tmp.exe	tmpC06.tmp.exe
PID 4256 wrote to memory of 1360	4256	tmpC06.tmp.exe	tmpC06.tmp.exe
PID 4256 wrote to memory of 1360	4256	tmpC06.tmp.exe	tmpC06.tmp.exe
PID 4256 wrote to memory of 1360	4256	tmpC06.tmp.exe	tmpC06.tmp.exe
PID 4256 wrote to memory of 1360	4256	tmpC06.tmp.exe	tmpC06.tmp.exe
PID 4744 wrote to memory of 3804	4744	sppsvc.exe	WScript.exe
PID 4744 wrote to memory of 3804	4744	sppsvc.exe	WScript.exe
PID 4744 wrote to memory of 2684	4744	sppsvc.exe	WScript.exe
PID 4744 wrote to memory of 2684	4744	sppsvc.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

1fb476576bd4aeb366aa82b6240ff2e8.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1fb476576bd4aeb366aa82b6240ff2e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\1fb476576bd4aeb366aa82b6240ff2e8.exe
"C:\Users\Admin\AppData\Local\Temp\1fb476576bd4aeb366aa82b6240ff2e8.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1016

C:\Users\Admin\AppData\Local\Temp\tmpCBA2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCBA2.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\tmpCBA2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCBA2.tmp.exe"
3⤵
- Executes dropped EXE
PID:3180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\odt\sppsvc.exe
"C:\odt\sppsvc.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4744

C:\Users\Admin\AppData\Local\Temp\tmpC06.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC06.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\tmpC06.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC06.tmp.exe"
4⤵
- Executes dropped EXE
PID:1360

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\793f3478-55ea-4c1a-815c-774d9b77ef15.vbs"
3⤵
PID:3804

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0f1ef14-adbc-4aeb-b23e-e2afc851138e.vbs"
3⤵
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\odt\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellExperiences\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\793f3478-55ea-4c1a-815c-774d9b77ef15.vbs
Filesize
693B

MD5
64266bef2babcac5e9aaf38a03b0c14b

SHA1
de38c481fd8eeecbe41e76f87844698c715187eb

SHA256
bf0823890972d1c1028ed56ba98b8489f746999f750abdb7a4d7a1d607f01a39

SHA512
6ed1b422d06f75fb3963f45fee1489b10c27d8b56a025fc9065404f6492204d720c34eec9c3af76cda828cad9c30d2156198165c097d4cd1893ad0e45f985503

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0f1ef14-adbc-4aeb-b23e-e2afc851138e.vbs
Filesize
469B

MD5
c75365dd7e721e0fd1c99422274931ca

SHA1
59d105153398ead9e798bdd08d9d2b104da05804

SHA256
90a9da92bd125fcab5e79a587c651aa31df364ecf5ced48d715192d20aa04869

SHA512
c849c2aa579d668431575df956c1cff114f83204d79a5313eaaf6ceed7b1722b162d176094bfe621a6505bef4c934b725416f61803874df1b513336172130ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC06.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC06.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC06.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCBA2.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCBA2.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCBA2.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\odt\sppsvc.exe
Filesize
4.9MB

MD5
9d499cab7ad680f4cc08a9d4fe08a269

SHA1
5880d9dad1ecaaa7493274d2f7b910a738af053b

SHA256
8d80a04d77f92e9979dec8806570701d974f87a7774f08a9764fd5fd7bc89f73

SHA512
6731bdfbf1af79239413f4cd114329f39eb6b482773c4d844924b3add8c44c1809d269a97e29e579108d2258bef92babaa0d0bb2bb754485f194140e058f73e8

Download Submit
C:\odt\sppsvc.exe
Filesize
4.9MB

MD5
9d499cab7ad680f4cc08a9d4fe08a269

SHA1
5880d9dad1ecaaa7493274d2f7b910a738af053b

SHA256
8d80a04d77f92e9979dec8806570701d974f87a7774f08a9764fd5fd7bc89f73

SHA512
6731bdfbf1af79239413f4cd114329f39eb6b482773c4d844924b3add8c44c1809d269a97e29e579108d2258bef92babaa0d0bb2bb754485f194140e058f73e8

Download Submit
memory/424-170-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/424-154-0x0000000000000000-mapping.dmp

Download
memory/424-196-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/756-162-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/756-202-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/756-150-0x0000000000000000-mapping.dmp

Download
memory/1016-135-0x000000001CBA0000-0x000000001D0C8000-memory.dmp

Filesize
5.2MB

Download
memory/1016-133-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/1016-172-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/1016-144-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/1016-132-0x00000000001C0000-0x00000000006B4000-memory.dmp

Filesize
5.0MB

Download
memory/1016-134-0x000000001B3D0000-0x000000001B420000-memory.dmp

Filesize
320KB

Download
memory/1360-192-0x0000000000000000-mapping.dmp

Download
memory/1376-148-0x0000000000000000-mapping.dmp

Download
memory/1376-203-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/1376-161-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/1732-136-0x0000000000000000-mapping.dmp

Download
memory/1732-139-0x0000000001090000-0x0000000001093000-memory.dmp

Filesize
12KB

Download
memory/2300-201-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/2300-153-0x0000000000000000-mapping.dmp

Download
memory/2300-173-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/2420-166-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/2420-152-0x0000000000000000-mapping.dmp

Download
memory/2420-198-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/2684-207-0x0000000000000000-mapping.dmp

Download
memory/3180-140-0x0000000000000000-mapping.dmp

Download
memory/3180-141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3180-143-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3188-171-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3188-156-0x0000000000000000-mapping.dmp

Download
memory/3188-197-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3336-147-0x0000000000000000-mapping.dmp

Download
memory/3336-160-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3336-195-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3436-146-0x0000000000000000-mapping.dmp

Download
memory/3436-157-0x00000206EF4F0000-0x00000206EF512000-memory.dmp

Filesize
136KB

Download
memory/3436-158-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3436-193-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3448-194-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3448-145-0x0000000000000000-mapping.dmp

Download
memory/3448-159-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3712-174-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3712-200-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/3712-155-0x0000000000000000-mapping.dmp

Download
memory/3804-206-0x0000000000000000-mapping.dmp

Download
memory/4256-176-0x0000000000000000-mapping.dmp

Download
memory/4572-164-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/4572-204-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/4572-151-0x0000000000000000-mapping.dmp

Download
memory/4744-169-0x00000000006F0000-0x0000000000BE4000-memory.dmp

Filesize
5.0MB

Download
memory/4744-165-0x0000000000000000-mapping.dmp

Download
memory/4744-175-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/4744-210-0x000000001E0E0000-0x000000001E2A2000-memory.dmp

Filesize
1.8MB

Download
memory/4744-211-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/5092-149-0x0000000000000000-mapping.dmp

Download
memory/5092-191-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download
memory/5092-163-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

Filesize
10.8MB

Download