dcrat | 19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3

Resubmissions

15-10-2023 15:31

231015-sx9b1aaf63 10

03-06-2023 11:19

230603-ne62psge66 10

12-04-2023 12:00

230412-n6gk5aca73 10

05-09-2022 16:12

220905-tny1cabffk 10

Analysis

max time kernel
170s
max time network
173s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RDUQK6W.exe
Size

10.5MB
MD5

4a5a3ad1c74f3f7d525e1c97995ca649
SHA1

cc0548dcbf4c0bc4489529e9148cf9f921485e84
SHA256

19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3
SHA512

fbb94f6b670fbd6e32ac71b97cfe00d3c67a9747e1e4192ad1889bd8cf121b1b3bfe6e9fa0d4ba8634b5a8431b84c4ba7b3800bb6e128ce9ad759f952ac875b3
SSDEEP

196608:OXBAqsvidH8HkLOogdmCvl6SsT2bygeHHNc8zKiSKu5GjY2+rZvPTetsi0ERHblh:vidcEiJtNUEMH6kXYj5etb0qHblVFV

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	1692	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1692	schtasks.exe	36

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

5779722125.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1356-73-0x000000001BB60000-0x000000001BCBE000-memory.dmp	dcrat

Executes dropped EXE 7 IoCs

Processes:

5779722125.exeXboxUpdate.exeBlitz.exeExtreme Injector.exetmp1AA3.tmp.exetmp1C48.tmp.exeMoUSO.exe

pid	Process
1356	5779722125.exe
1212	XboxUpdate.exe
1768	Blitz.exe
1940	Extreme Injector.exe
1556	tmp1AA3.tmp.exe
1044	tmp1C48.tmp.exe
1968	MoUSO.exe

Loads dropped DLL 7 IoCs

Processes:

$RDUQK6W.exeWerFault.exeWerFault.exe

pid	Process
1884	$RDUQK6W.exe
1964	WerFault.exe
1964	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
1964	WerFault.exe
1792	WerFault.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5779722125.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

Processes:

5779722125.exe

description	ioc	Process
File created	C:\Program Files\Windows Journal\ja-JP\dwm.exe	5779722125.exe
File created	C:\Program Files\Windows Journal\ja-JP\6cb0b6c459d5d3	5779722125.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\dwm.exe	5779722125.exe

Drops file in Windows directory 7 IoCs

Processes:

$RDUQK6W.exe5779722125.exe

description	ioc	Process
File created	C:\Windows\XboxUpdate.exe	$RDUQK6W.exe
File created	C:\Windows\Blitz.exe	$RDUQK6W.exe
File created	C:\Windows\schemas\WCN\smss.exe	5779722125.exe
File created	C:\Windows\schemas\WCN\69ddcba757bf72	5779722125.exe
File opened for modification	C:\Windows\5779722125.exe	5779722125.exe
File opened for modification	C:\Windows\schemas\WCN\smss.exe	5779722125.exe
File created	C:\Windows\5779722125.exe	$RDUQK6W.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1964	1556	WerFault.exe	44
1792	1044	WerFault.exe	55

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	Process
1440	schtasks.exe
960	schtasks.exe
784	schtasks.exe
1712	schtasks.exe
1768	schtasks.exe
576	schtasks.exe
540	schtasks.exe
1520	schtasks.exe
1332	schtasks.exe
536	schtasks.exe
1976	schtasks.exe
1172	schtasks.exe
1736	schtasks.exe
1316	schtasks.exe
660	schtasks.exe
1424	schtasks.exe
900	schtasks.exe
820	schtasks.exe
572	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

helppane.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	helppane.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Blitz.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Blitz.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Blitz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5779722125.exeXboxUpdate.exepowershell.exe

pid	Process
1356	5779722125.exe
1356	5779722125.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1356	5779722125.exe
1356	5779722125.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1356	5779722125.exe
1356	5779722125.exe
1696	powershell.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1356	5779722125.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe
1212	XboxUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5779722125.exeXboxUpdate.exeExtreme Injector.exepowershell.exeAUDIODG.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1356	5779722125.exe
Token: SeDebugPrivilege	1212	XboxUpdate.exe
Token: SeDebugPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: 33	3000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3000	AUDIODG.EXE
Token: 33	3000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3000	AUDIODG.EXE
Token: 33	1940	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1940	Extreme Injector.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Extreme Injector.exehelppane.exe

pid	Process
1940	Extreme Injector.exe
3024	helppane.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

helppane.exe

pid	Process
3024	helppane.exe
3024	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

$RDUQK6W.exeBlitz.exe5779722125.exetmp1AA3.tmp.exeXboxUpdate.exetmp1C48.tmp.exe

description	pid	Process	procid_target
PID 1884 wrote to memory of 1696	1884	$RDUQK6W.exe	27
PID 1884 wrote to memory of 1696	1884	$RDUQK6W.exe	27
PID 1884 wrote to memory of 1696	1884	$RDUQK6W.exe	27
PID 1884 wrote to memory of 1696	1884	$RDUQK6W.exe	27
PID 1884 wrote to memory of 1356	1884	$RDUQK6W.exe	29
PID 1884 wrote to memory of 1356	1884	$RDUQK6W.exe	29
PID 1884 wrote to memory of 1356	1884	$RDUQK6W.exe	29
PID 1884 wrote to memory of 1356	1884	$RDUQK6W.exe	29
PID 1884 wrote to memory of 1212	1884	$RDUQK6W.exe	31
PID 1884 wrote to memory of 1212	1884	$RDUQK6W.exe	31
PID 1884 wrote to memory of 1212	1884	$RDUQK6W.exe	31
PID 1884 wrote to memory of 1212	1884	$RDUQK6W.exe	31
PID 1884 wrote to memory of 1768	1884	$RDUQK6W.exe	30
PID 1884 wrote to memory of 1768	1884	$RDUQK6W.exe	30
PID 1884 wrote to memory of 1768	1884	$RDUQK6W.exe	30
PID 1884 wrote to memory of 1768	1884	$RDUQK6W.exe	30
PID 1884 wrote to memory of 1940	1884	$RDUQK6W.exe	32
PID 1884 wrote to memory of 1940	1884	$RDUQK6W.exe	32
PID 1884 wrote to memory of 1940	1884	$RDUQK6W.exe	32
PID 1884 wrote to memory of 1940	1884	$RDUQK6W.exe	32
PID 1768 wrote to memory of 1172	1768	Blitz.exe	34
PID 1768 wrote to memory of 1172	1768	Blitz.exe	34
PID 1768 wrote to memory of 1172	1768	Blitz.exe	34
PID 1768 wrote to memory of 1172	1768	Blitz.exe	34
PID 1356 wrote to memory of 1556	1356	5779722125.exe	44
PID 1356 wrote to memory of 1556	1356	5779722125.exe	44
PID 1356 wrote to memory of 1556	1356	5779722125.exe	44
PID 1356 wrote to memory of 1556	1356	5779722125.exe	44
PID 1556 wrote to memory of 1964	1556	tmp1AA3.tmp.exe	51
PID 1556 wrote to memory of 1964	1556	tmp1AA3.tmp.exe	51
PID 1556 wrote to memory of 1964	1556	tmp1AA3.tmp.exe	51
PID 1556 wrote to memory of 1964	1556	tmp1AA3.tmp.exe	51
PID 1212 wrote to memory of 1044	1212	XboxUpdate.exe	55
PID 1212 wrote to memory of 1044	1212	XboxUpdate.exe	55
PID 1212 wrote to memory of 1044	1212	XboxUpdate.exe	55
PID 1212 wrote to memory of 1044	1212	XboxUpdate.exe	55
PID 1044 wrote to memory of 1792	1044	tmp1C48.tmp.exe	58
PID 1044 wrote to memory of 1792	1044	tmp1C48.tmp.exe	58
PID 1044 wrote to memory of 1792	1044	tmp1C48.tmp.exe	58
PID 1044 wrote to memory of 1792	1044	tmp1C48.tmp.exe	58
PID 1356 wrote to memory of 2188	1356	5779722125.exe	61
PID 1356 wrote to memory of 2188	1356	5779722125.exe	61
PID 1356 wrote to memory of 2188	1356	5779722125.exe	61
PID 1356 wrote to memory of 2200	1356	5779722125.exe	79
PID 1356 wrote to memory of 2200	1356	5779722125.exe	79
PID 1356 wrote to memory of 2200	1356	5779722125.exe	79
PID 1356 wrote to memory of 2212	1356	5779722125.exe	78
PID 1356 wrote to memory of 2212	1356	5779722125.exe	78
PID 1356 wrote to memory of 2212	1356	5779722125.exe	78
PID 1356 wrote to memory of 2240	1356	5779722125.exe	75
PID 1356 wrote to memory of 2240	1356	5779722125.exe	75
PID 1356 wrote to memory of 2240	1356	5779722125.exe	75
PID 1356 wrote to memory of 2252	1356	5779722125.exe	74
PID 1356 wrote to memory of 2252	1356	5779722125.exe	74
PID 1356 wrote to memory of 2252	1356	5779722125.exe	74
PID 1356 wrote to memory of 2292	1356	5779722125.exe	72
PID 1356 wrote to memory of 2292	1356	5779722125.exe	72
PID 1356 wrote to memory of 2292	1356	5779722125.exe	72
PID 1356 wrote to memory of 2304	1356	5779722125.exe	64
PID 1356 wrote to memory of 2304	1356	5779722125.exe	64
PID 1356 wrote to memory of 2304	1356	5779722125.exe	64
PID 1356 wrote to memory of 2336	1356	5779722125.exe	69
PID 1356 wrote to memory of 2336	1356	5779722125.exe	69
PID 1356 wrote to memory of 2336	1356	5779722125.exe	69

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

5779722125.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe

C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe
"C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbQBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAagBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AZABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAbQByACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\5779722125.exe
  "C:\Windows\5779722125.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\tmp1AA3.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp1AA3.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 96
      4⤵
      Loads dropped DLL
      Program crash
      PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    PID:2188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    PID:2384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    PID:2212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- C:\Windows\Blitz.exe
  "C:\Windows\Blitz.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1172
- C:\Windows\XboxUpdate.exe
  "C:\Windows\XboxUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 96
      4⤵
      Loads dropped DLL
      Program crash
      PID:1792
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\PrintHood\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\PrintHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\NetHood\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\NetHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\schemas\WCN\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\schemas\WCN\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\WCN\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2768

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\taskeng.exe
taskeng.exe {83159812-8506-4510-B2C7-F2B591D391CA} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  2⤵
  - Executes dropped EXE
  PID:1968

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1AA3.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00c9fc2750312cb51b2bd44897bb1ea4

SHA1
665347b8c597797564f9a38ab319c16da014bb8b

SHA256
2259b77280bbc2c8c7a4f8a70aa751895e24c39ce2960813079992803705cc64

SHA512
e704f282112817eec9aefd231678a198bd964f4bdb3b615c4db22a9fd5a931c42d7554cd04e33baf68f7ff82c6114c4be5504277e8189b4da562fafc72e6f7f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00c9fc2750312cb51b2bd44897bb1ea4

SHA1
665347b8c597797564f9a38ab319c16da014bb8b

SHA256
2259b77280bbc2c8c7a4f8a70aa751895e24c39ce2960813079992803705cc64

SHA512
e704f282112817eec9aefd231678a198bd964f4bdb3b615c4db22a9fd5a931c42d7554cd04e33baf68f7ff82c6114c4be5504277e8189b4da562fafc72e6f7f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00c9fc2750312cb51b2bd44897bb1ea4

SHA1
665347b8c597797564f9a38ab319c16da014bb8b

SHA256
2259b77280bbc2c8c7a4f8a70aa751895e24c39ce2960813079992803705cc64

SHA512
e704f282112817eec9aefd231678a198bd964f4bdb3b615c4db22a9fd5a931c42d7554cd04e33baf68f7ff82c6114c4be5504277e8189b4da562fafc72e6f7f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00c9fc2750312cb51b2bd44897bb1ea4

SHA1
665347b8c597797564f9a38ab319c16da014bb8b

SHA256
2259b77280bbc2c8c7a4f8a70aa751895e24c39ce2960813079992803705cc64

SHA512
e704f282112817eec9aefd231678a198bd964f4bdb3b615c4db22a9fd5a931c42d7554cd04e33baf68f7ff82c6114c4be5504277e8189b4da562fafc72e6f7f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00c9fc2750312cb51b2bd44897bb1ea4

SHA1
665347b8c597797564f9a38ab319c16da014bb8b

SHA256
2259b77280bbc2c8c7a4f8a70aa751895e24c39ce2960813079992803705cc64

SHA512
e704f282112817eec9aefd231678a198bd964f4bdb3b615c4db22a9fd5a931c42d7554cd04e33baf68f7ff82c6114c4be5504277e8189b4da562fafc72e6f7f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00c9fc2750312cb51b2bd44897bb1ea4

SHA1
665347b8c597797564f9a38ab319c16da014bb8b

SHA256
2259b77280bbc2c8c7a4f8a70aa751895e24c39ce2960813079992803705cc64

SHA512
e704f282112817eec9aefd231678a198bd964f4bdb3b615c4db22a9fd5a931c42d7554cd04e33baf68f7ff82c6114c4be5504277e8189b4da562fafc72e6f7f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00c9fc2750312cb51b2bd44897bb1ea4

SHA1
665347b8c597797564f9a38ab319c16da014bb8b

SHA256
2259b77280bbc2c8c7a4f8a70aa751895e24c39ce2960813079992803705cc64

SHA512
e704f282112817eec9aefd231678a198bd964f4bdb3b615c4db22a9fd5a931c42d7554cd04e33baf68f7ff82c6114c4be5504277e8189b4da562fafc72e6f7f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00c9fc2750312cb51b2bd44897bb1ea4

SHA1
665347b8c597797564f9a38ab319c16da014bb8b

SHA256
2259b77280bbc2c8c7a4f8a70aa751895e24c39ce2960813079992803705cc64

SHA512
e704f282112817eec9aefd231678a198bd964f4bdb3b615c4db22a9fd5a931c42d7554cd04e33baf68f7ff82c6114c4be5504277e8189b4da562fafc72e6f7f1

Download Submit
C:\Windows\5779722125.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\5779722125.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\Blitz.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\Blitz.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\XboxUpdate.exe

Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
C:\Windows\XboxUpdate.exe

Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1AA3.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1AA3.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1AA3.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/1044-105-0x0000000000000000-mapping.dmp

Download
memory/1172-87-0x0000000000000000-mapping.dmp

Download
memory/1212-78-0x000000001B050000-0x000000001B09E000-memory.dmp

Filesize
312KB

Download
memory/1212-76-0x0000000002200000-0x00000000022A6000-memory.dmp

Filesize
664KB

Download
memory/1212-75-0x00000000005B0000-0x0000000000636000-memory.dmp

Filesize
536KB

Download
memory/1212-151-0x000000001AF20000-0x000000001AF6C000-memory.dmp

Filesize
304KB

Download
memory/1212-207-0x000000001B0B6000-0x000000001B0D5000-memory.dmp

Filesize
124KB

Download
memory/1212-70-0x0000000000340000-0x00000000005B0000-memory.dmp

Filesize
2.4MB

Download
memory/1212-60-0x0000000000000000-mapping.dmp

Download
memory/1356-91-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/1356-79-0x0000000000360000-0x000000000036E000-memory.dmp

Filesize
56KB

Download
memory/1356-95-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/1356-96-0x0000000000740000-0x000000000074E000-memory.dmp

Filesize
56KB

Download
memory/1356-97-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/1356-98-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/1356-94-0x0000000000720000-0x000000000072E000-memory.dmp

Filesize
56KB

Download
memory/1356-57-0x0000000000000000-mapping.dmp

Download
memory/1356-146-0x000000001B436000-0x000000001B455000-memory.dmp

Filesize
124KB

Download
memory/1356-92-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/1356-71-0x0000000000C80000-0x0000000001242000-memory.dmp

Filesize
5.8MB

Download
memory/1356-104-0x000000001B436000-0x000000001B455000-memory.dmp

Filesize
124KB

Download
memory/1356-90-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/1356-89-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/1356-88-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/1356-85-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/1356-73-0x000000001BB60000-0x000000001BCBE000-memory.dmp

Filesize
1.4MB

Download
memory/1356-84-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/1356-83-0x00000000004C0000-0x00000000004D6000-memory.dmp

Filesize
88KB

Download
memory/1356-80-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/1356-81-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/1356-82-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/1356-93-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/1556-99-0x0000000000000000-mapping.dmp

Download
memory/1696-55-0x0000000000000000-mapping.dmp

Download
memory/1696-74-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-112-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-61-0x0000000000000000-mapping.dmp

Download
memory/1792-107-0x0000000000000000-mapping.dmp

Download
memory/1884-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1940-152-0x000000001B146000-0x000000001B165000-memory.dmp

Filesize
124KB

Download
memory/1940-113-0x000000001B146000-0x000000001B165000-memory.dmp

Filesize
124KB

Download
memory/1940-67-0x0000000000000000-mapping.dmp

Download
memory/1940-72-0x0000000000800000-0x00000000009E6000-memory.dmp

Filesize
1.9MB

Download
memory/1940-77-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/1964-101-0x0000000000000000-mapping.dmp

Download
memory/1968-177-0x0000000000000000-mapping.dmp

Download
memory/2188-166-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/2188-171-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2188-114-0x0000000000000000-mapping.dmp

Download
memory/2188-183-0x000000001B900000-0x000000001BBFF000-memory.dmp

Filesize
3.0MB

Download
memory/2188-198-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/2188-209-0x0000000002A0B000-0x0000000002A2A000-memory.dmp

Filesize
124KB

Download
memory/2188-135-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2188-199-0x0000000002A0B000-0x0000000002A2A000-memory.dmp

Filesize
124KB

Download
memory/2200-191-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/2200-192-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/2200-168-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2200-178-0x000000001B980000-0x000000001BC7F000-memory.dmp

Filesize
3.0MB

Download
memory/2200-148-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2200-208-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/2200-162-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/2200-115-0x0000000000000000-mapping.dmp

Download
memory/2212-155-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2212-205-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/2212-116-0x0000000000000000-mapping.dmp

Download
memory/2212-206-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/2212-144-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2212-158-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/2212-188-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/2240-117-0x0000000000000000-mapping.dmp

Download
memory/2240-130-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2240-170-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2240-174-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/2240-164-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/2240-189-0x00000000023DB000-0x00000000023FA000-memory.dmp

Filesize
124KB

Download
memory/2240-187-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/2252-118-0x0000000000000000-mapping.dmp

Download
memory/2252-172-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2252-150-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2252-203-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/2252-196-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/2252-165-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/2252-182-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/2292-153-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2292-169-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2292-179-0x000000001B940000-0x000000001BC3F000-memory.dmp

Filesize
3.0MB

Download
memory/2292-204-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/2292-197-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/2292-119-0x0000000000000000-mapping.dmp

Download
memory/2292-163-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/2304-202-0x000000000244B000-0x000000000246A000-memory.dmp

Filesize
124KB

Download
memory/2304-145-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2304-195-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/2304-160-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/2304-120-0x0000000000000000-mapping.dmp

Download
memory/2304-181-0x000000001B8C0000-0x000000001BBBF000-memory.dmp

Filesize
3.0MB

Download
memory/2304-157-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2336-175-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/2336-167-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/2336-200-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/2336-173-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2336-190-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/2336-121-0x0000000000000000-mapping.dmp

Download
memory/2336-194-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/2336-154-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2356-201-0x000000000250B000-0x000000000252A000-memory.dmp

Filesize
124KB

Download
memory/2356-193-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/2356-156-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2356-159-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/2356-186-0x000000000250B000-0x000000000252A000-memory.dmp

Filesize
124KB

Download
memory/2356-122-0x0000000000000000-mapping.dmp

Download
memory/2356-147-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2356-180-0x000000001B8E0000-0x000000001BBDF000-memory.dmp

Filesize
3.0MB

Download
memory/2384-123-0x0000000000000000-mapping.dmp

Download