allcome | 19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3

Resubmissions

15-10-2023 15:31

231015-sx9b1aaf63 10

03-06-2023 11:19

230603-ne62psge66 10

12-04-2023 12:00

230412-n6gk5aca73 10

05-09-2022 16:12

220905-tny1cabffk 10

Analysis

max time kernel
11s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2023 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RDUQK6W.exe
Size

10.5MB
MD5

4a5a3ad1c74f3f7d525e1c97995ca649
SHA1

cc0548dcbf4c0bc4489529e9148cf9f921485e84
SHA256

19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3
SHA512

fbb94f6b670fbd6e32ac71b97cfe00d3c67a9747e1e4192ad1889bd8cf121b1b3bfe6e9fa0d4ba8634b5a8431b84c4ba7b3800bb6e128ce9ad759f952ac875b3
SSDEEP

196608:OXBAqsvidH8HkLOogdmCvl6SsT2bygeHHNc8zKiSKu5GjY2+rZvPTetsi0ERHblh:vidcEiJtNUEMH6kXYj5etb0qHblVFV

Score

10^/10

allcome colibri build1 evasion loader stealer trojan

Malware Config

Extracted

Family

allcome

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=Raqxnd

Wallets

D7pq84u7ke73RmCkRPc1z2nKBfmfPrYLxM

rEPri1dB2B6TxxzBw31ihKwGkEEE3ZCzH2

0x379844563B2947bCf8Ee7660d674E91704ba85cc

XqcVZ9pP5YyEwfQ4RkVXC5mWZgQBY3qNNz

TT5o47UN2jDfvmbv7EQm8NZ3xw7NcpKhKB

t1Qc898xYxqJ2Vsrd2X15EA3L2QzNrCdZ6W

GB3TZL2PBSQOQAEFU57JPIFAXG7R73ECOSQGT3XCDCOAUGUWUKWAVO7H

4AqLHHmtMTQRWomEbPd8yxFdEsZ5VMXy1MvwhG1TTWgcCbGzgaAcfkA54K45UbQXjtBa3UYhmr8vYaGNGAkVTfXCE5bbT12

qrkkg7692gv3fz407lt8zxdxtx2d4zuf2q204ykdzn

1NipSzEWByjXUarhF2p3qq51MVbnnoo6HZ

0x08BDb0e0339E7B9A725FD665Fc17B3AA3FF73BFc

LQtxqhZWP3EDi9n1tVdKNyZVR6wrFRr7hN

+79889916188

LP1oSHdQ3kdgrWnPvB5XtuBLZaMq9JMoWt

ltc1qq5k32ja0yun36ydqhv6edd8ydpmfkfy6g5e994

bc1qngt9pchlwak6rzc37ez05sfhzr8dnyupu7e769

bc1qnx4g8m8lctzxm5wlcfpw2ae8zkf6nxerdujzuu

89CBob8FyychG8inyWBBhqUxbPFGzVaWnBZRdeFi8V38XRRv312X6ViMPxCuom3GKk8hLFmZYmTPQ1qMmq6YY8rCNCDeubb

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Allcome
A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
stealer allcome
Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	3692	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	3692	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

5779722125.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$RDUQK6W.exeXboxUpdate.exe5779722125.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	$RDUQK6W.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	XboxUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	5779722125.exe

Executes dropped EXE 10 IoCs

Processes:

5779722125.exeXboxUpdate.exeBlitz.exeExtreme Injector.exetmp982E.tmp.exetmp9A22.tmp.exetmp982E.tmp.exetmp982E.tmp.exetmp982E.tmp.exetmp9A22.tmp.exe

pid	process
3116	5779722125.exe
2148	XboxUpdate.exe
3328	Blitz.exe
444	Extreme Injector.exe
4792	tmp982E.tmp.exe
3556	tmp9A22.tmp.exe
2912	tmp982E.tmp.exe
4132	tmp982E.tmp.exe
5064	tmp982E.tmp.exe
1156	tmp9A22.tmp.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5779722125.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp982E.tmp.exetmp9A22.tmp.exe

description	pid	process	target process
PID 4132 set thread context of 5064	4132	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 3556 set thread context of 1156	3556	tmp9A22.tmp.exe	tmp9A22.tmp.exe

Drops file in Windows directory 3 IoCs

Processes:

$RDUQK6W.exe

description	ioc	process
File created	C:\Windows\XboxUpdate.exe	$RDUQK6W.exe
File created	C:\Windows\Blitz.exe	$RDUQK6W.exe
File created	C:\Windows\5779722125.exe	$RDUQK6W.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4596	schtasks.exe
4572	schtasks.exe
4104	schtasks.exe
5088	schtasks.exe
4088	schtasks.exe
3308	schtasks.exe
552	schtasks.exe
1648	schtasks.exe
4780	schtasks.exe
1332	schtasks.exe
972	schtasks.exe
4284	schtasks.exe
3560	schtasks.exe
2744	schtasks.exe
1984	schtasks.exe
2324	schtasks.exe
2828	schtasks.exe
4368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5779722125.exeXboxUpdate.exepowershell.exe

pid	process
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
2560	powershell.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
3116	5779722125.exe
3116	5779722125.exe
2560	powershell.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
3116	5779722125.exe
3116	5779722125.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
3116	5779722125.exe
2148	XboxUpdate.exe
2148	XboxUpdate.exe
3116	5779722125.exe
3116	5779722125.exe
2148	XboxUpdate.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

XboxUpdate.exe5779722125.exeExtreme Injector.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2148	XboxUpdate.exe
Token: SeDebugPrivilege	3116	5779722125.exe
Token: SeDebugPrivilege	444	Extreme Injector.exe
Token: 33	444	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	444	Extreme Injector.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	444	Extreme Injector.exe
Token: 33	444	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	444	Extreme Injector.exe
Token: 33	444	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	444	Extreme Injector.exe
Token: 33	444	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	444	Extreme Injector.exe
Token: 33	444	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	444	Extreme Injector.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

$RDUQK6W.exeXboxUpdate.exe5779722125.exetmp982E.tmp.exetmp982E.tmp.exetmp982E.tmp.exetmp9A22.tmp.exe

description	pid	process	target process
PID 1836 wrote to memory of 2560	1836	$RDUQK6W.exe	powershell.exe
PID 1836 wrote to memory of 2560	1836	$RDUQK6W.exe	powershell.exe
PID 1836 wrote to memory of 2560	1836	$RDUQK6W.exe	powershell.exe
PID 1836 wrote to memory of 3116	1836	$RDUQK6W.exe	5779722125.exe
PID 1836 wrote to memory of 3116	1836	$RDUQK6W.exe	5779722125.exe
PID 1836 wrote to memory of 2148	1836	$RDUQK6W.exe	XboxUpdate.exe
PID 1836 wrote to memory of 2148	1836	$RDUQK6W.exe	XboxUpdate.exe
PID 1836 wrote to memory of 3328	1836	$RDUQK6W.exe	Blitz.exe
PID 1836 wrote to memory of 3328	1836	$RDUQK6W.exe	Blitz.exe
PID 1836 wrote to memory of 3328	1836	$RDUQK6W.exe	Blitz.exe
PID 1836 wrote to memory of 444	1836	$RDUQK6W.exe	Extreme Injector.exe
PID 1836 wrote to memory of 444	1836	$RDUQK6W.exe	Extreme Injector.exe
PID 2148 wrote to memory of 4792	2148	XboxUpdate.exe	tmp982E.tmp.exe
PID 2148 wrote to memory of 4792	2148	XboxUpdate.exe	tmp982E.tmp.exe
PID 2148 wrote to memory of 4792	2148	XboxUpdate.exe	tmp982E.tmp.exe
PID 3116 wrote to memory of 3556	3116	5779722125.exe	tmp9A22.tmp.exe
PID 3116 wrote to memory of 3556	3116	5779722125.exe	tmp9A22.tmp.exe
PID 3116 wrote to memory of 3556	3116	5779722125.exe	tmp9A22.tmp.exe
PID 4792 wrote to memory of 2912	4792	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 4792 wrote to memory of 2912	4792	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 4792 wrote to memory of 2912	4792	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 2912 wrote to memory of 4132	2912	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 2912 wrote to memory of 4132	2912	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 2912 wrote to memory of 4132	2912	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 4132 wrote to memory of 5064	4132	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 4132 wrote to memory of 5064	4132	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 4132 wrote to memory of 5064	4132	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 4132 wrote to memory of 5064	4132	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 4132 wrote to memory of 5064	4132	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 4132 wrote to memory of 5064	4132	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 4132 wrote to memory of 5064	4132	tmp982E.tmp.exe	tmp982E.tmp.exe
PID 3556 wrote to memory of 1156	3556	tmp9A22.tmp.exe	tmp9A22.tmp.exe
PID 3556 wrote to memory of 1156	3556	tmp9A22.tmp.exe	tmp9A22.tmp.exe
PID 3556 wrote to memory of 1156	3556	tmp9A22.tmp.exe	tmp9A22.tmp.exe
PID 3556 wrote to memory of 1156	3556	tmp9A22.tmp.exe	tmp9A22.tmp.exe
PID 3556 wrote to memory of 1156	3556	tmp9A22.tmp.exe	tmp9A22.tmp.exe
PID 3556 wrote to memory of 1156	3556	tmp9A22.tmp.exe	tmp9A22.tmp.exe
PID 3556 wrote to memory of 1156	3556	tmp9A22.tmp.exe	tmp9A22.tmp.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

5779722125.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe
"C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbQBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAagBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AZABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAbQByACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\5779722125.exe
"C:\Windows\5779722125.exe"
2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3116

C:\Users\Admin\AppData\Local\Temp\tmp9A22.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9A22.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3556

C:\Users\Admin\AppData\Local\Temp\tmp9A22.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9A22.tmp.exe"
4⤵
- Executes dropped EXE
PID:1156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
3⤵
PID:1520

C:\Program Files\Mozilla Firefox\browser\fontdrvhost.exe
"C:\Program Files\Mozilla Firefox\browser\fontdrvhost.exe"
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\tmpC6EE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC6EE.tmp.exe"
4⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\tmpC6EE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC6EE.tmp.exe"
5⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\tmpC6EE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC6EE.tmp.exe"
6⤵
PID:740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d0ba258-6df3-4974-a25b-a10bb8fd86a4.vbs"
4⤵
PID:4680

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b45b7df-862e-494e-ac01-88bf4bb46a7c.vbs"
4⤵
PID:2180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
3⤵
PID:1036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
3⤵
PID:1232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
3⤵
PID:3308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
3⤵
PID:4836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
3⤵
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
3⤵
PID:4832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
3⤵
PID:4080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
3⤵
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
3⤵
PID:2808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
3⤵
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
3⤵
PID:3904

C:\Windows\XboxUpdate.exe
"C:\Windows\XboxUpdate.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\Blitz.exe
"C:\Windows\Blitz.exe"
2⤵
- Executes dropped EXE
PID:3328

C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe"
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\fontdrvhost.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files\Mozilla Firefox\browser\fontdrvhost.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d372699cee5cfaf89ec5ee22569703f1

SHA1
25c96fa671a61f81e13ae1e8d8c9fe9530e718a0

SHA256
e0b62a8b2484b90620bdf30a0961bd3a3d0c0c710d5765421b58719fb1c39d6b

SHA512
d88b4f7c65a7288ddcecbfec8bfb7f6790409c340df7534cefd0e2511488834181ba368b63ca702528aff545a8aaa401a3821af86517990ecfaec48874d818ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b45b7df-862e-494e-ac01-88bf4bb46a7c.vbs
Filesize
508B

MD5
55b17a3f6a5101e450951086a2ab88e3

SHA1
19c3a4d0e35a113872e31327a347aa15de8b5088

SHA256
8482b3417296cdd718e39a2cb5485c182fd8c1b7c0d9d35d0479b405244a422b

SHA512
9c6a3a5f201b4ed320cadb30a70373ebc740e56594cd6e648077b97b61f16c90a5b3e879843e90a1d3e933ed8f059300cd1ff910c06f384f5a128b131eb8705e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d0ba258-6df3-4974-a25b-a10bb8fd86a4.vbs
Filesize
731B

MD5
249a2552d3e99ae8dd1da794d38297e3

SHA1
182adf9332340e4d89908657eb0b0b9b2f77a6f5

SHA256
0b4b43c86a144cbf0543deca981a175ef4b3da0404c78fa39b9c018f88601760

SHA512
6a5a834986c689a1c1b6602e8424b77ee220f86d82afce4098381ec39c0953b4ebd2a6b3a30b37da4952a4b211e488db25797d1e98a592c5c0691f0120e5a100

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdkjp3tq.4tj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp982E.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A22.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A22.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A22.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC6EE.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC6EE.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC6EE.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC6EE.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Windows\5779722125.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\5779722125.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\5779722125.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\Blitz.exe
Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\Blitz.exe
Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\Blitz.exe
Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\XboxUpdate.exe
Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
C:\Windows\XboxUpdate.exe
Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
C:\Windows\XboxUpdate.exe
Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
memory/228-1063-0x000000001B340000-0x000000001B350000-memory.dmp

Filesize
64KB

Download
memory/228-883-0x000000001B340000-0x000000001B350000-memory.dmp

Filesize
64KB

Download
memory/228-1065-0x000000001B340000-0x000000001B350000-memory.dmp

Filesize
64KB

Download
memory/444-312-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/444-885-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/444-224-0x000000001C460000-0x000000001C49C000-memory.dmp

Filesize
240KB

Download
memory/444-194-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/444-222-0x000000001C2F0000-0x000000001C302000-memory.dmp

Filesize
72KB

Download
memory/444-241-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/444-183-0x0000000000570000-0x0000000000756000-memory.dmp

Filesize
1.9MB

Download
memory/1036-1001-0x000001E1F8A00000-0x000001E1F8A10000-memory.dmp

Filesize
64KB

Download
memory/1036-1073-0x000001E1F8A00000-0x000001E1F8A10000-memory.dmp

Filesize
64KB

Download
memory/1232-997-0x000001BF29390000-0x000001BF293A0000-memory.dmp

Filesize
64KB

Download
memory/1232-999-0x000001BF29390000-0x000001BF293A0000-memory.dmp

Filesize
64KB

Download
memory/1520-1016-0x0000021BBDB90000-0x0000021BBDBA0000-memory.dmp

Filesize
64KB

Download
memory/1520-1027-0x0000021BBDB90000-0x0000021BBDBA0000-memory.dmp

Filesize
64KB

Download
memory/1680-951-0x0000019C3A240000-0x0000019C3A250000-memory.dmp

Filesize
64KB

Download
memory/1680-919-0x0000019C3A240000-0x0000019C3A250000-memory.dmp

Filesize
64KB

Download
memory/1680-1071-0x0000019C3A240000-0x0000019C3A250000-memory.dmp

Filesize
64KB

Download
memory/1748-980-0x000002DD73920000-0x000002DD73930000-memory.dmp

Filesize
64KB

Download
memory/1748-995-0x000002DD73920000-0x000002DD73930000-memory.dmp

Filesize
64KB

Download
memory/1976-974-0x0000021CFC520000-0x0000021CFC530000-memory.dmp

Filesize
64KB

Download
memory/2148-216-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-289-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-164-0x0000000000580000-0x00000000007F0000-memory.dmp

Filesize
2.4MB

Download
memory/2148-243-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-231-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-295-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-297-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-299-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-301-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-305-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-179-0x000000001B380000-0x000000001B390000-memory.dmp

Filesize
64KB

Download
memory/2148-260-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-185-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-186-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-190-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-196-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-192-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-188-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-199-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-201-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-208-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-220-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-223-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-226-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-238-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-252-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-255-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-645-0x000000001B380000-0x000000001B390000-memory.dmp

Filesize
64KB

Download
memory/2148-267-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-273-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-263-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-292-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-271-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-279-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2148-285-0x000000001C460000-0x000000001C502000-memory.dmp

Filesize
648KB

Download
memory/2560-284-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/2560-389-0x000000007F870000-0x000000007F880000-memory.dmp

Filesize
64KB

Download
memory/2560-182-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2560-184-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/2560-357-0x0000000006DD0000-0x0000000006E02000-memory.dmp

Filesize
200KB

Download
memory/2560-359-0x0000000072360000-0x00000000723AC000-memory.dmp

Filesize
304KB

Download
memory/2560-372-0x0000000006E10000-0x0000000006E2E000-memory.dmp

Filesize
120KB

Download
memory/2560-387-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2560-197-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/2560-490-0x0000000007D80000-0x0000000007D88000-memory.dmp

Filesize
32KB

Download
memory/2560-177-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2560-391-0x0000000008140000-0x00000000087BA000-memory.dmp

Filesize
6.5MB

Download
memory/2560-483-0x0000000007E30000-0x0000000007E4A000-memory.dmp

Filesize
104KB

Download
memory/2560-471-0x0000000007D40000-0x0000000007D4E000-memory.dmp

Filesize
56KB

Download
memory/2560-393-0x0000000007B00000-0x0000000007B1A000-memory.dmp

Filesize
104KB

Download
memory/2560-209-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/2560-413-0x0000000007D90000-0x0000000007E26000-memory.dmp

Filesize
600KB

Download
memory/2560-215-0x0000000006310000-0x0000000006376000-memory.dmp

Filesize
408KB

Download
memory/2560-401-0x0000000007B70000-0x0000000007B7A000-memory.dmp

Filesize
40KB

Download
memory/2560-168-0x0000000005250000-0x0000000005286000-memory.dmp

Filesize
216KB

Download
memory/2808-890-0x00000193B47B0000-0x00000193B47C0000-memory.dmp

Filesize
64KB

Download
memory/3116-167-0x0000000000500000-0x0000000000AC2000-memory.dmp

Filesize
5.8MB

Download
memory/3116-217-0x0000000002C70000-0x0000000002CC0000-memory.dmp

Filesize
320KB

Download
memory/3116-427-0x000000001DE50000-0x000000001DF50000-memory.dmp

Filesize
1024KB

Download
memory/3116-429-0x000000001DE50000-0x000000001DF50000-memory.dmp

Filesize
1024KB

Download
memory/3116-246-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/3116-248-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/3116-282-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/3116-314-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/3116-193-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/3308-1014-0x000001C5FB560000-0x000001C5FB570000-memory.dmp

Filesize
64KB

Download
memory/4080-888-0x00000252F0AE0000-0x00000252F0B02000-memory.dmp

Filesize
136KB

Download
memory/4080-914-0x00000252EFCB0000-0x00000252EFCC0000-memory.dmp

Filesize
64KB

Download
memory/4832-887-0x00000142A47D0000-0x00000142A47E0000-memory.dmp

Filesize
64KB

Download
memory/4832-897-0x00000142A47D0000-0x00000142A47E0000-memory.dmp

Filesize
64KB

Download
memory/4832-1068-0x00000142A47D0000-0x00000142A47E0000-memory.dmp

Filesize
64KB

Download
memory/4836-1003-0x000001C3FEF40000-0x000001C3FEF50000-memory.dmp

Filesize
64KB

Download
memory/4836-1070-0x000001C3FEF40000-0x000001C3FEF50000-memory.dmp

Filesize
64KB

Download
memory/5064-310-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5064-281-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download