colibri | 350154b0e3a6b19a71850f3aa2c6ae51e416332e904b4bdd219617a9e0d167e2

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2022 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117c359132faf42213eaac64727f05db.exe
Size

4.9MB
MD5

117c359132faf42213eaac64727f05db
SHA1

e9833abb1fdff71b1e521b65300e8a4b3931d662
SHA256

350154b0e3a6b19a71850f3aa2c6ae51e416332e904b4bdd219617a9e0d167e2
SHA512

81e22905790200420632c41fc1b666d5d4c50ef58863ccf477f75c711f19c02549b2011cc2d6a7f51dacdd1c77da68b44250bcb59f39e9b8607ec6823c45ca19
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat redline build1 evasion infostealer loader rat spyware stealer trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted

Family

redline

79.137.192.47:46759

Attributes

auth_value
19d502483dcd72732743ff76080e3ef7

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	1740	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/100756-218-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

117c359132faf42213eaac64727f05db.exe117c359132faf42213eaac64727f05db.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	117c359132faf42213eaac64727f05db.exe

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

tmpBD2A.tmp.exetmpBD2A.tmp.exe117c359132faf42213eaac64727f05db.exetmpF830.tmp.exetmpF830.tmp.exeSakuraHack.exe

pid process

4544 tmpBD2A.tmp.exe
456 tmpBD2A.tmp.exe
2560 117c359132faf42213eaac64727f05db.exe
3140 tmpF830.tmp.exe
4832 tmpF830.tmp.exe
3264 SakuraHack.exe

pid	process
4544	tmpBD2A.tmp.exe
456	tmpBD2A.tmp.exe
2560	117c359132faf42213eaac64727f05db.exe
3140	tmpF830.tmp.exe
4832	tmpF830.tmp.exe
3264	SakuraHack.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

117c359132faf42213eaac64727f05db.exe117c359132faf42213eaac64727f05db.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	117c359132faf42213eaac64727f05db.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	117c359132faf42213eaac64727f05db.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

117c359132faf42213eaac64727f05db.exe117c359132faf42213eaac64727f05db.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	117c359132faf42213eaac64727f05db.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	117c359132faf42213eaac64727f05db.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	117c359132faf42213eaac64727f05db.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ipinfo.io
23 ipinfo.io

flow	ioc
22	ipinfo.io
23	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmpBD2A.tmp.exetmpF830.tmp.exeSakuraHack.exe

description	pid	process	target process
PID 4544 set thread context of 456	4544	tmpBD2A.tmp.exe	tmpBD2A.tmp.exe
PID 3140 set thread context of 4832	3140	tmpF830.tmp.exe	tmpF830.tmp.exe
PID 3264 set thread context of 100756	3264	SakuraHack.exe	vbc.exe

Drops file in Windows directory 9 IoCs

Processes:

117c359132faf42213eaac64727f05db.exe

description	ioc	process
File opened for modification	C:\Windows\en-US\StartMenuExperienceHost.exe	117c359132faf42213eaac64727f05db.exe
File created	C:\Windows\TAPI\64322ef9f6e33f	117c359132faf42213eaac64727f05db.exe
File created	C:\Windows\en-US\55b276f4edf653	117c359132faf42213eaac64727f05db.exe
File opened for modification	C:\Windows\TAPI\RCXC2E9.tmp	117c359132faf42213eaac64727f05db.exe
File created	C:\Windows\rescache\_merged\StartMenuExperienceHost.exe	117c359132faf42213eaac64727f05db.exe
File opened for modification	C:\Windows\en-US\RCXC915.tmp	117c359132faf42213eaac64727f05db.exe
File created	C:\Windows\TAPI\117c359132faf42213eaac64727f05db.exe	117c359132faf42213eaac64727f05db.exe
File opened for modification	C:\Windows\TAPI\117c359132faf42213eaac64727f05db.exe	117c359132faf42213eaac64727f05db.exe
File created	C:\Windows\en-US\StartMenuExperienceHost.exe	117c359132faf42213eaac64727f05db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2424	schtasks.exe
1616	schtasks.exe
4352	schtasks.exe
3168	schtasks.exe
2812	schtasks.exe
808	schtasks.exe
216	schtasks.exe
4036	schtasks.exe
60	schtasks.exe
616	schtasks.exe
2604	schtasks.exe
4848	schtasks.exe
2428	schtasks.exe
4836	schtasks.exe
3760	schtasks.exe
3544	schtasks.exe
3636	schtasks.exe
2720	schtasks.exe
1472	schtasks.exe
3916	schtasks.exe
224	schtasks.exe
1416	schtasks.exe
1764	schtasks.exe
2988	schtasks.exe

Modifies registry class 2 IoCs

Processes:

117c359132faf42213eaac64727f05db.exe117c359132faf42213eaac64727f05db.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	117c359132faf42213eaac64727f05db.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	117c359132faf42213eaac64727f05db.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

117c359132faf42213eaac64727f05db.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe117c359132faf42213eaac64727f05db.exevbc.exe

pid	process
2268	117c359132faf42213eaac64727f05db.exe
2268	117c359132faf42213eaac64727f05db.exe
2268	117c359132faf42213eaac64727f05db.exe
2268	117c359132faf42213eaac64727f05db.exe
4784	powershell.exe
4784	powershell.exe
3536	powershell.exe
3536	powershell.exe
1664	powershell.exe
1664	powershell.exe
2676	powershell.exe
2676	powershell.exe
2128	powershell.exe
2128	powershell.exe
920	powershell.exe
920	powershell.exe
5072	powershell.exe
5072	powershell.exe
1668	powershell.exe
1668	powershell.exe
3664	powershell.exe
3664	powershell.exe
4252	powershell.exe
4252	powershell.exe
4068	powershell.exe
4068	powershell.exe
2300	powershell.exe
2300	powershell.exe
3536	powershell.exe
3536	powershell.exe
1664	powershell.exe
1664	powershell.exe
4784	powershell.exe
4784	powershell.exe
5072	powershell.exe
2676	powershell.exe
2128	powershell.exe
1668	powershell.exe
920	powershell.exe
3664	powershell.exe
4068	powershell.exe
2300	powershell.exe
4252	powershell.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
2560	117c359132faf42213eaac64727f05db.exe
100756	vbc.exe
100756	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

117c359132faf42213eaac64727f05db.exe

pid process

2560 117c359132faf42213eaac64727f05db.exe

pid	process
2560	117c359132faf42213eaac64727f05db.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2268	117c359132faf42213eaac64727f05db.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2560	117c359132faf42213eaac64727f05db.exe
Token: SeDebugPrivilege	100756	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

117c359132faf42213eaac64727f05db.exe

pid process

2560 117c359132faf42213eaac64727f05db.exe

pid	process
2560	117c359132faf42213eaac64727f05db.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

117c359132faf42213eaac64727f05db.exetmpBD2A.tmp.exe117c359132faf42213eaac64727f05db.exetmpF830.tmp.exeSakuraHack.exe

description	pid	process	target process
PID 2268 wrote to memory of 4544	2268	117c359132faf42213eaac64727f05db.exe	tmpBD2A.tmp.exe
PID 2268 wrote to memory of 4544	2268	117c359132faf42213eaac64727f05db.exe	tmpBD2A.tmp.exe
PID 2268 wrote to memory of 4544	2268	117c359132faf42213eaac64727f05db.exe	tmpBD2A.tmp.exe
PID 4544 wrote to memory of 456	4544	tmpBD2A.tmp.exe	tmpBD2A.tmp.exe
PID 4544 wrote to memory of 456	4544	tmpBD2A.tmp.exe	tmpBD2A.tmp.exe
PID 4544 wrote to memory of 456	4544	tmpBD2A.tmp.exe	tmpBD2A.tmp.exe
PID 4544 wrote to memory of 456	4544	tmpBD2A.tmp.exe	tmpBD2A.tmp.exe
PID 4544 wrote to memory of 456	4544	tmpBD2A.tmp.exe	tmpBD2A.tmp.exe
PID 4544 wrote to memory of 456	4544	tmpBD2A.tmp.exe	tmpBD2A.tmp.exe
PID 4544 wrote to memory of 456	4544	tmpBD2A.tmp.exe	tmpBD2A.tmp.exe
PID 2268 wrote to memory of 3536	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 3536	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 4784	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 4784	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 1664	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 1664	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 5072	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 5072	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 2676	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 2676	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 920	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 920	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 2128	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 2128	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 1668	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 1668	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 4252	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 4252	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 3664	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 3664	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 2300	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 2300	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 4068	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 4068	2268	117c359132faf42213eaac64727f05db.exe	powershell.exe
PID 2268 wrote to memory of 2560	2268	117c359132faf42213eaac64727f05db.exe	117c359132faf42213eaac64727f05db.exe
PID 2268 wrote to memory of 2560	2268	117c359132faf42213eaac64727f05db.exe	117c359132faf42213eaac64727f05db.exe
PID 2560 wrote to memory of 3140	2560	117c359132faf42213eaac64727f05db.exe	tmpF830.tmp.exe
PID 2560 wrote to memory of 3140	2560	117c359132faf42213eaac64727f05db.exe	tmpF830.tmp.exe
PID 2560 wrote to memory of 3140	2560	117c359132faf42213eaac64727f05db.exe	tmpF830.tmp.exe
PID 2560 wrote to memory of 3084	2560	117c359132faf42213eaac64727f05db.exe	WScript.exe
PID 2560 wrote to memory of 3084	2560	117c359132faf42213eaac64727f05db.exe	WScript.exe
PID 2560 wrote to memory of 1408	2560	117c359132faf42213eaac64727f05db.exe	WScript.exe
PID 2560 wrote to memory of 1408	2560	117c359132faf42213eaac64727f05db.exe	WScript.exe
PID 3140 wrote to memory of 4832	3140	tmpF830.tmp.exe	tmpF830.tmp.exe
PID 3140 wrote to memory of 4832	3140	tmpF830.tmp.exe	tmpF830.tmp.exe
PID 3140 wrote to memory of 4832	3140	tmpF830.tmp.exe	tmpF830.tmp.exe
PID 3140 wrote to memory of 4832	3140	tmpF830.tmp.exe	tmpF830.tmp.exe
PID 3140 wrote to memory of 4832	3140	tmpF830.tmp.exe	tmpF830.tmp.exe
PID 3140 wrote to memory of 4832	3140	tmpF830.tmp.exe	tmpF830.tmp.exe
PID 3140 wrote to memory of 4832	3140	tmpF830.tmp.exe	tmpF830.tmp.exe
PID 2560 wrote to memory of 3264	2560	117c359132faf42213eaac64727f05db.exe	SakuraHack.exe
PID 2560 wrote to memory of 3264	2560	117c359132faf42213eaac64727f05db.exe	SakuraHack.exe
PID 2560 wrote to memory of 3264	2560	117c359132faf42213eaac64727f05db.exe	SakuraHack.exe
PID 3264 wrote to memory of 100756	3264	SakuraHack.exe	vbc.exe
PID 3264 wrote to memory of 100756	3264	SakuraHack.exe	vbc.exe
PID 3264 wrote to memory of 100756	3264	SakuraHack.exe	vbc.exe
PID 3264 wrote to memory of 100756	3264	SakuraHack.exe	vbc.exe
PID 3264 wrote to memory of 100756	3264	SakuraHack.exe	vbc.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

117c359132faf42213eaac64727f05db.exe117c359132faf42213eaac64727f05db.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	117c359132faf42213eaac64727f05db.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	117c359132faf42213eaac64727f05db.exe

C:\Users\Admin\AppData\Local\Temp\117c359132faf42213eaac64727f05db.exe
"C:\Users\Admin\AppData\Local\Temp\117c359132faf42213eaac64727f05db.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2268

C:\Users\Admin\AppData\Local\Temp\tmpBD2A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBD2A.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\tmpBD2A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBD2A.tmp.exe"
3⤵
- Executes dropped EXE
PID:456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\TAPI\117c359132faf42213eaac64727f05db.exe
"C:\Windows\TAPI\117c359132faf42213eaac64727f05db.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2560

C:\Users\Admin\AppData\Local\Temp\tmpF830.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF830.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\tmpF830.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF830.tmp.exe"
4⤵
- Executes dropped EXE
PID:4832

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7945007-74c6-4560-a7f9-fa134ad74416.vbs"
3⤵
PID:1408

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c54c0cfb-6194-4882-99ae-8173acb16957.vbs"
3⤵
PID:3084

C:\PerfLogs\SakuraHack.exe
"C:\PerfLogs\SakuraHack.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:100756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "117c359132faf42213eaac64727f05db1" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\117c359132faf42213eaac64727f05db.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "117c359132faf42213eaac64727f05db" /sc ONLOGON /tr "'C:\Windows\TAPI\117c359132faf42213eaac64727f05db.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "117c359132faf42213eaac64727f05db1" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\117c359132faf42213eaac64727f05db.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Recent\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\SakuraHack.exe
Filesize
2.6MB

MD5
996af2b7e07fde2072b07cd5e41786b0

SHA1
87d720295e4fc66bf4271296038c6bd36618d3a3

SHA256
cab1dee91f6915703d6bcd13a665ea6ec08a1158c8196e87746ec5c31121643f

SHA512
03df40a6a35a4d8285a182aba5dbef417e0c8375736cc83b7420afefec189226accc133e76203e00e862a1f26c5dc7a404d271a9ff5f55e8ba8dc1a41065b78b

Download Submit
C:\PerfLogs\SakuraHack.exe
Filesize
2.6MB

MD5
996af2b7e07fde2072b07cd5e41786b0

SHA1
87d720295e4fc66bf4271296038c6bd36618d3a3

SHA256
cab1dee91f6915703d6bcd13a665ea6ec08a1158c8196e87746ec5c31121643f

SHA512
03df40a6a35a4d8285a182aba5dbef417e0c8375736cc83b7420afefec189226accc133e76203e00e862a1f26c5dc7a404d271a9ff5f55e8ba8dc1a41065b78b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\117c359132faf42213eaac64727f05db.exe.log
Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\c54c0cfb-6194-4882-99ae-8173acb16957.vbs
Filesize
728B

MD5
846ca887348628fd5cb01b90c844cf8e

SHA1
204e748703e5d865da3d1cbdbe53723e6968e319

SHA256
1d8756e7661b43337abb6a7e66c790a45bef311d723ecacee8f5ab64d22c512a

SHA512
430afa7b54b2068c9b199b69fb00fe92b3cf459d66bfadc343501f8208c99363d5aa79a2f6c7707054c40018008af17b1f8768e0a42e58fdc13c0d5228fa7391

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7945007-74c6-4560-a7f9-fa134ad74416.vbs
Filesize
504B

MD5
790ec36c287d176b0815465e1cda6c7a

SHA1
6df856b48342db8126fae03792586ad36ff7fbfc

SHA256
4fd440bad79e01c0b4772aaea3fa0e5ee2670a5e94e9fc31a7c9fe82558b9dc8

SHA512
929b131493e7bac672088b543b8c24eecc7258a9392c9d70b69d762787a9c8f51dbd1e6e1b48b4fb8ed7bef871a9fa2bf1b00b880e8fb71b8adcd1c2c71f6d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD2A.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD2A.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD2A.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF830.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF830.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF830.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\TAPI\117c359132faf42213eaac64727f05db.exe
Filesize
4.9MB

MD5
2e4b561f520228a667c83f24290999e6

SHA1
eec846bc7355763b5ebd53270d5fbe927f2cbeec

SHA256
57bd9a56b30c68d9089d55133810a53ff78cc7a902f53ff03d8d483b59a06e30

SHA512
438e43e2157681826e00be3926c31780480d00a8c54a31296a3f90b9519ad37fa7a253b9a1fe8483eb016d2d94b2c02f8d3e7cc137a3097302cf726b16aaa072

Download Submit
C:\Windows\TAPI\117c359132faf42213eaac64727f05db.exe
Filesize
4.9MB

MD5
2e4b561f520228a667c83f24290999e6

SHA1
eec846bc7355763b5ebd53270d5fbe927f2cbeec

SHA256
57bd9a56b30c68d9089d55133810a53ff78cc7a902f53ff03d8d483b59a06e30

SHA512
438e43e2157681826e00be3926c31780480d00a8c54a31296a3f90b9519ad37fa7a253b9a1fe8483eb016d2d94b2c02f8d3e7cc137a3097302cf726b16aaa072

Download Submit
memory/456-140-0x0000000000000000-mapping.dmp

Download
memory/456-143-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/456-141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/920-150-0x0000000000000000-mapping.dmp

Download
memory/920-173-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/920-198-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/1408-206-0x0000000000000000-mapping.dmp

Download
memory/1664-160-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/1664-184-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/1664-147-0x0000000000000000-mapping.dmp

Download
memory/1668-163-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/1668-192-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/1668-152-0x0000000000000000-mapping.dmp

Download
memory/2128-162-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/2128-191-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/2128-151-0x0000000000000000-mapping.dmp

Download
memory/2268-133-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/2268-135-0x000000001D740000-0x000000001DC68000-memory.dmp

Filesize
5.2MB

Download
memory/2268-144-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/2268-171-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/2268-132-0x0000000000580000-0x0000000000A74000-memory.dmp

Filesize
5.0MB

Download
memory/2268-134-0x000000001D1C0000-0x000000001D210000-memory.dmp

Filesize
320KB

Download
memory/2300-175-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/2300-155-0x0000000000000000-mapping.dmp

Download
memory/2300-205-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/2560-176-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/2560-212-0x000000001E730000-0x000000001E8F2000-memory.dmp

Filesize
1.8MB

Download
memory/2560-213-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/2560-165-0x0000000000000000-mapping.dmp

Download
memory/2560-170-0x0000000000200000-0x00000000006F4000-memory.dmp

Filesize
5.0MB

Download
memory/2676-149-0x0000000000000000-mapping.dmp

Download
memory/2676-193-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/2676-172-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/3084-203-0x0000000000000000-mapping.dmp

Download
memory/3140-177-0x0000000000000000-mapping.dmp

Download
memory/3140-204-0x0000000000870000-0x0000000000873000-memory.dmp

Filesize
12KB

Download
memory/3264-214-0x0000000000000000-mapping.dmp

Download
memory/3536-159-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/3536-145-0x0000000000000000-mapping.dmp

Download
memory/3536-185-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/3664-154-0x0000000000000000-mapping.dmp

Download
memory/3664-196-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/3664-174-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/4068-158-0x0000000000000000-mapping.dmp

Download
memory/4068-166-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/4068-197-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/4252-164-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/4252-153-0x0000000000000000-mapping.dmp

Download
memory/4252-201-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/4544-136-0x0000000000000000-mapping.dmp

Download
memory/4544-139-0x0000000001280000-0x0000000001283000-memory.dmp

Filesize
12KB

Download
memory/4784-189-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/4784-156-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/4784-146-0x0000000000000000-mapping.dmp

Download
memory/4784-157-0x000001CC91720000-0x000001CC91742000-memory.dmp

Filesize
136KB

Download
memory/4832-209-0x0000000000000000-mapping.dmp

Download
memory/5072-148-0x0000000000000000-mapping.dmp

Download
memory/5072-188-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/5072-161-0x00007FFC1C7B0000-0x00007FFC1D271000-memory.dmp

Filesize
10.8MB

Download
memory/100756-217-0x0000000000000000-mapping.dmp

Download
memory/100756-218-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/100756-223-0x00000000055F0000-0x0000000005C08000-memory.dmp

Filesize
6.1MB

Download
memory/100756-224-0x0000000005110000-0x000000000521A000-memory.dmp

Filesize
1.0MB

Download
memory/100756-225-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/100756-226-0x00000000050B0000-0x00000000050EC000-memory.dmp

Filesize
240KB

Download
memory/100756-227-0x00000000061C0000-0x0000000006764000-memory.dmp

Filesize
5.6MB

Download
memory/100756-228-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/100756-229-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/100756-230-0x0000000007360000-0x0000000007522000-memory.dmp

Filesize
1.8MB

Download
memory/100756-231-0x0000000007A60000-0x0000000007F8C000-memory.dmp

Filesize
5.2MB

Download
memory/100756-232-0x0000000006B30000-0x0000000006BA6000-memory.dmp

Filesize
472KB

Download
memory/100756-233-0x0000000006BB0000-0x0000000006C00000-memory.dmp

Filesize
320KB

Download