allcome | 19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3

Resubmissions

15-10-2023 15:31

231015-sx9b1aaf63 10

03-06-2023 11:19

230603-ne62psge66 10

12-04-2023 12:00

230412-n6gk5aca73 10

05-09-2022 16:12

220905-tny1cabffk 10

Analysis

max time kernel
140s
max time network
133s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-06-2023 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RDUQK6W.exe
Size

10.5MB
MD5

4a5a3ad1c74f3f7d525e1c97995ca649
SHA1

cc0548dcbf4c0bc4489529e9148cf9f921485e84
SHA256

19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3
SHA512

fbb94f6b670fbd6e32ac71b97cfe00d3c67a9747e1e4192ad1889bd8cf121b1b3bfe6e9fa0d4ba8634b5a8431b84c4ba7b3800bb6e128ce9ad759f952ac875b3
SSDEEP

196608:OXBAqsvidH8HkLOogdmCvl6SsT2bygeHHNc8zKiSKu5GjY2+rZvPTetsi0ERHblh:vidcEiJtNUEMH6kXYj5etb0qHblVFV

Score

10^/10

allcome dcrat evasion infostealer rat stealer trojan

Malware Config

Extracted

Family

allcome

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=Raqxnd

Wallets

D7pq84u7ke73RmCkRPc1z2nKBfmfPrYLxM

rEPri1dB2B6TxxzBw31ihKwGkEEE3ZCzH2

0x379844563B2947bCf8Ee7660d674E91704ba85cc

XqcVZ9pP5YyEwfQ4RkVXC5mWZgQBY3qNNz

TT5o47UN2jDfvmbv7EQm8NZ3xw7NcpKhKB

t1Qc898xYxqJ2Vsrd2X15EA3L2QzNrCdZ6W

GB3TZL2PBSQOQAEFU57JPIFAXG7R73ECOSQGT3XCDCOAUGUWUKWAVO7H

4AqLHHmtMTQRWomEbPd8yxFdEsZ5VMXy1MvwhG1TTWgcCbGzgaAcfkA54K45UbQXjtBa3UYhmr8vYaGNGAkVTfXCE5bbT12

qrkkg7692gv3fz407lt8zxdxtx2d4zuf2q204ykdzn

1NipSzEWByjXUarhF2p3qq51MVbnnoo6HZ

0x08BDb0e0339E7B9A725FD665Fc17B3AA3FF73BFc

LQtxqhZWP3EDi9n1tVdKNyZVR6wrFRr7hN

+79889916188

LP1oSHdQ3kdgrWnPvB5XtuBLZaMq9JMoWt

ltc1qq5k32ja0yun36ydqhv6edd8ydpmfkfy6g5e994

bc1qngt9pchlwak6rzc37ez05sfhzr8dnyupu7e769

bc1qnx4g8m8lctzxm5wlcfpw2ae8zkf6nxerdujzuu

89CBob8FyychG8inyWBBhqUxbPFGzVaWnBZRdeFi8V38XRRv312X6ViMPxCuom3GKk8hLFmZYmTPQ1qMmq6YY8rCNCDeubb

Signatures

Allcome
A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
stealer allcome
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1388	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

5779722125.exetaskhost.exetaskhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/876-81-0x000000001BB40000-0x000000001BC9E000-memory.dmp	dcrat

Executes dropped EXE 10 IoCs

Processes:

5779722125.exeXboxUpdate.exeBlitz.exeExtreme Injector.exetmp1DED.tmp.exetmp2000.tmp.exetaskhost.exetmpB491.tmp.exetaskhost.exetmpA7A6.tmp.exe

pid	process
876	5779722125.exe
632	XboxUpdate.exe
664	Blitz.exe
1928	Extreme Injector.exe
1392	tmp1DED.tmp.exe
692	tmp2000.tmp.exe
3036	taskhost.exe
1780	tmpB491.tmp.exe
2400	taskhost.exe
1336	tmpA7A6.tmp.exe

Loads dropped DLL 13 IoCs

Processes:

$RDUQK6W.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1992	$RDUQK6W.exe
520	WerFault.exe
520	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
520	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2280	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

taskhost.exe5779722125.exetaskhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

Processes:

5779722125.exe

description	ioc	process
File created	C:\Program Files\Windows Journal\fr-FR\5779722125.exe	5779722125.exe
File created	C:\Program Files\Windows Journal\fr-FR\fd59360e6faa19	5779722125.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\5779722125.exe	5779722125.exe

Drops file in Windows directory 16 IoCs

Processes:

5779722125.exe$RDUQK6W.exe

description	ioc	process
File opened for modification	C:\Windows\Branding\ShellBrd\dwm.exe	5779722125.exe
File opened for modification	C:\Windows\Web\tmp2000.tmp.exe	5779722125.exe
File created	C:\Windows\Resources\Ease of Access Themes\dwm.exe	5779722125.exe
File created	C:\Windows\Resources\Ease of Access Themes\6cb0b6c459d5d3	5779722125.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\dwm.exe	5779722125.exe
File created	C:\Windows\Branding\ShellBrd\dwm.exe	5779722125.exe
File created	C:\Windows\IME\it-IT\0a1fd5f707cd16	5779722125.exe
File opened for modification	C:\Windows\5779722125.exe	5779722125.exe
File created	C:\Windows\5779722125.exe	$RDUQK6W.exe
File created	C:\Windows\Web\tmp2000.tmp.exe	5779722125.exe
File created	C:\Windows\Branding\ShellBrd\6cb0b6c459d5d3	5779722125.exe
File created	C:\Windows\Web\3ac88e6904912e	5779722125.exe
File created	C:\Windows\IME\it-IT\sppsvc.exe	5779722125.exe
File opened for modification	C:\Windows\IME\it-IT\sppsvc.exe	5779722125.exe
File created	C:\Windows\XboxUpdate.exe	$RDUQK6W.exe
File created	C:\Windows\Blitz.exe	$RDUQK6W.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
520	1392	WerFault.exe	tmp1DED.tmp.exe
1336	692	WerFault.exe	tmp2000.tmp.exe
2280	1780	WerFault.exe	tmpB491.tmp.exe
2648	1336	WerFault.exe	tmpA7A6.tmp.exe

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1700	schtasks.exe
1840	schtasks.exe
1652	schtasks.exe
1796	schtasks.exe
2044	schtasks.exe
1172	schtasks.exe
556	schtasks.exe
1596	schtasks.exe
1532	schtasks.exe
1224	schtasks.exe
2044	schtasks.exe
1532	schtasks.exe
1984	schtasks.exe
1584	schtasks.exe
1516	schtasks.exe
1752	schtasks.exe
1804	schtasks.exe
1312	schtasks.exe
1596	schtasks.exe
1100	schtasks.exe
768	schtasks.exe
1284	schtasks.exe
1168	schtasks.exe
1704	schtasks.exe
1252	schtasks.exe
1040	schtasks.exe
1312	schtasks.exe
1732	schtasks.exe
1040	schtasks.exe
1584	schtasks.exe
1700	schtasks.exe
1200	schtasks.exe
1376	schtasks.exe
764	schtasks.exe
948	schtasks.exe
1620	schtasks.exe

Modifies registry class 31 IoCs

Processes:

Extreme Injector.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Extreme Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Extreme Injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Extreme Injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Extreme Injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	Extreme Injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	Extreme Injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Extreme Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Extreme Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Extreme Injector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	Extreme Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	Extreme Injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	Extreme Injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Extreme Injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Extreme Injector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Extreme Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Extreme Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Extreme Injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Extreme Injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	Extreme Injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Extreme Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings	Extreme Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Extreme Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	Extreme Injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Extreme Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Extreme Injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Extreme Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	Extreme Injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	Extreme Injector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	Extreme Injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Extreme Injector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Extreme Injector.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

XboxUpdate.exe5779722125.exepowershell.exe

pid	process
632	XboxUpdate.exe
632	XboxUpdate.exe
876	5779722125.exe
876	5779722125.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
876	5779722125.exe
876	5779722125.exe
1824	powershell.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
632	XboxUpdate.exe
876	5779722125.exe
632	XboxUpdate.exe
876	5779722125.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
876	5779722125.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
876	5779722125.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
632	XboxUpdate.exe
632	XboxUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Extreme Injector.exe

pid process

1928 Extreme Injector.exe

pid	process
1928	Extreme Injector.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

XboxUpdate.exe5779722125.exeExtreme Injector.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	632	XboxUpdate.exe
Token: SeDebugPrivilege	876	5779722125.exe
Token: SeDebugPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: SeDebugPrivilege	3036	taskhost.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe
Token: 33	1928	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	1928	Extreme Injector.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Extreme Injector.exe

pid process

1928 Extreme Injector.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Extreme Injector.exe

pid process

1928 Extreme Injector.exe

pid	process
1928	Extreme Injector.exe

pid	process
1928	Extreme Injector.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

$RDUQK6W.exe5779722125.exeXboxUpdate.exetmp1DED.tmp.exetmp2000.tmp.exe

description	pid	process	target process
PID 1992 wrote to memory of 1824	1992	$RDUQK6W.exe	powershell.exe
PID 1992 wrote to memory of 1824	1992	$RDUQK6W.exe	powershell.exe
PID 1992 wrote to memory of 1824	1992	$RDUQK6W.exe	powershell.exe
PID 1992 wrote to memory of 1824	1992	$RDUQK6W.exe	powershell.exe
PID 1992 wrote to memory of 876	1992	$RDUQK6W.exe	5779722125.exe
PID 1992 wrote to memory of 876	1992	$RDUQK6W.exe	5779722125.exe
PID 1992 wrote to memory of 876	1992	$RDUQK6W.exe	5779722125.exe
PID 1992 wrote to memory of 876	1992	$RDUQK6W.exe	5779722125.exe
PID 1992 wrote to memory of 632	1992	$RDUQK6W.exe	XboxUpdate.exe
PID 1992 wrote to memory of 632	1992	$RDUQK6W.exe	XboxUpdate.exe
PID 1992 wrote to memory of 632	1992	$RDUQK6W.exe	XboxUpdate.exe
PID 1992 wrote to memory of 632	1992	$RDUQK6W.exe	XboxUpdate.exe
PID 1992 wrote to memory of 664	1992	$RDUQK6W.exe	Blitz.exe
PID 1992 wrote to memory of 664	1992	$RDUQK6W.exe	Blitz.exe
PID 1992 wrote to memory of 664	1992	$RDUQK6W.exe	Blitz.exe
PID 1992 wrote to memory of 664	1992	$RDUQK6W.exe	Blitz.exe
PID 1992 wrote to memory of 1928	1992	$RDUQK6W.exe	Extreme Injector.exe
PID 1992 wrote to memory of 1928	1992	$RDUQK6W.exe	Extreme Injector.exe
PID 1992 wrote to memory of 1928	1992	$RDUQK6W.exe	Extreme Injector.exe
PID 1992 wrote to memory of 1928	1992	$RDUQK6W.exe	Extreme Injector.exe
PID 876 wrote to memory of 1392	876	5779722125.exe	tmp1DED.tmp.exe
PID 876 wrote to memory of 1392	876	5779722125.exe	tmp1DED.tmp.exe
PID 876 wrote to memory of 1392	876	5779722125.exe	tmp1DED.tmp.exe
PID 876 wrote to memory of 1392	876	5779722125.exe	tmp1DED.tmp.exe
PID 632 wrote to memory of 692	632	XboxUpdate.exe	tmp2000.tmp.exe
PID 632 wrote to memory of 692	632	XboxUpdate.exe	tmp2000.tmp.exe
PID 632 wrote to memory of 692	632	XboxUpdate.exe	tmp2000.tmp.exe
PID 632 wrote to memory of 692	632	XboxUpdate.exe	tmp2000.tmp.exe
PID 1392 wrote to memory of 520	1392	tmp1DED.tmp.exe	WerFault.exe
PID 1392 wrote to memory of 520	1392	tmp1DED.tmp.exe	WerFault.exe
PID 1392 wrote to memory of 520	1392	tmp1DED.tmp.exe	WerFault.exe
PID 1392 wrote to memory of 520	1392	tmp1DED.tmp.exe	WerFault.exe
PID 692 wrote to memory of 1336	692	tmp2000.tmp.exe	WerFault.exe
PID 692 wrote to memory of 1336	692	tmp2000.tmp.exe	WerFault.exe
PID 692 wrote to memory of 1336	692	tmp2000.tmp.exe	WerFault.exe
PID 692 wrote to memory of 1336	692	tmp2000.tmp.exe	WerFault.exe
PID 876 wrote to memory of 1376	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1376	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1376	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1752	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1752	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1752	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1496	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1496	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1496	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1008	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1008	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1008	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 2000	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 2000	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 2000	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1532	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1532	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1532	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1704	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1704	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1704	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 552	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 552	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 552	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 696	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 696	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 696	876	5779722125.exe	powershell.exe
PID 876 wrote to memory of 1284	876	5779722125.exe	powershell.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

taskhost.exetaskhost.exe5779722125.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe
"C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbQBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAagBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AZABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAbQByACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\5779722125.exe
"C:\Windows\5779722125.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:876

C:\Users\Admin\AppData\Local\Temp\tmp1DED.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1DED.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\opelt31uZT.bat"
3⤵
PID:2096

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:2552

C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\taskhost.exe
"C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\taskhost.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3036

C:\Users\Admin\AppData\Local\Temp\tmpB491.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB491.tmp.exe"
5⤵
- Executes dropped EXE
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 96
6⤵
- Loads dropped DLL
- Program crash
PID:2280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e6415bd-bb62-4dfe-a531-f19fda85a5d6.vbs"
5⤵
PID:2344

C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\taskhost.exe
C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\taskhost.exe
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:2400

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3517bfb6-3cf9-41dc-b771-7349a4ac79cd.vbs"
7⤵
PID:2256

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c81cf77d-a497-471e-a878-06eb28965bd7.vbs"
7⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\tmpA7A6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA7A6.tmp.exe"
7⤵
- Executes dropped EXE
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 96
8⤵
- Loads dropped DLL
- Program crash
PID:2648

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\928a2e68-7730-4d21-8399-f06798578ca4.vbs"
5⤵
PID:2620

C:\Windows\XboxUpdate.exe
"C:\Windows\XboxUpdate.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:1336

C:\Windows\Blitz.exe
"C:\Windows\Blitz.exe"
2⤵
- Executes dropped EXE
PID:664

C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Ease of Access Themes\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Ease of Access Themes\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57797221255" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\fr-FR\5779722125.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5779722125" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\5779722125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57797221255" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\5779722125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 5 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\WerFault.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFaultW" /sc MINUTE /mo 10 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57797221255" /sc MINUTE /mo 14 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\5779722125.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5779722125" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\5779722125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57797221255" /sc MINUTE /mo 14 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\5779722125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp2000.tmpt" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\tmp2000.tmp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp2000.tmp" /sc ONLOGON /tr "'C:\Windows\Web\tmp2000.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp2000.tmpt" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\tmp2000.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Users\Default\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x480
1⤵
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\taskhost.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\taskhost.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\taskhost.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Recovery\d2ce1482-b192-11ed-8622-cee1c2fbb193\taskhost.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\17326c6211084566deb2f5d8525bb5986aab5cf1.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e6415bd-bb62-4dfe-a531-f19fda85a5d6.vbs
Filesize
737B

MD5
adbdc40e57bc9579aff5558c1dd721a4

SHA1
9998cd54f83e4f18c4e4bb1e4878e6dfc1b1f166

SHA256
51ae24638f30ef749c428b29c8200e805c2234590657a87fde867a29dea2d2e9

SHA512
dc6ed091fef57ef76628227437dd43e3a1d715cf397788c667cb7a5565dbf937734dc4155f663eb0c040cba2402a6f9ce93af18dc086c0f786bea79cea7e370b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3517bfb6-3cf9-41dc-b771-7349a4ac79cd.vbs
Filesize
737B

MD5
d9cd64e660849cfc855b7561565bac3e

SHA1
ff9f32d5e886b1665b8cc9c67e7a0a1144ec35e0

SHA256
ab73a83b3619837ae61821da05d8ccaf9f76e29cbc41f02c36971c19b76193b3

SHA512
9cab03de8d9138291eb646f4b51d381dc327fc87c6fb5024ecaaad05aa3a18a618d2f9137e8f577bd3c547b9d4de4f7838b614d9ab0efa467097ff58d408daeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\928a2e68-7730-4d21-8399-f06798578ca4.vbs
Filesize
513B

MD5
5a3710ef2936d3f0e0d91774999c5673

SHA1
a620cd0d9eec137656f64230233878f78c9ca971

SHA256
031ecef105399339becedd3dfeef09b4e969749f513f0fdfbab42b25119adba2

SHA512
e69c4424be91a97253cf86a2fff1b1c61b20796d97d1cad42c6210f09b5a10cb973a3bb558ca4f4d734f6738947564fe0353261c01e6bdfd475f100d9290b157

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\c81cf77d-a497-471e-a878-06eb28965bd7.vbs
Filesize
513B

MD5
5a3710ef2936d3f0e0d91774999c5673

SHA1
a620cd0d9eec137656f64230233878f78c9ca971

SHA256
031ecef105399339becedd3dfeef09b4e969749f513f0fdfbab42b25119adba2

SHA512
e69c4424be91a97253cf86a2fff1b1c61b20796d97d1cad42c6210f09b5a10cb973a3bb558ca4f4d734f6738947564fe0353261c01e6bdfd475f100d9290b157

Download Submit
C:\Users\Admin\AppData\Local\Temp\c81cf77d-a497-471e-a878-06eb28965bd7.vbs
Filesize
513B

MD5
5a3710ef2936d3f0e0d91774999c5673

SHA1
a620cd0d9eec137656f64230233878f78c9ca971

SHA256
031ecef105399339becedd3dfeef09b4e969749f513f0fdfbab42b25119adba2

SHA512
e69c4424be91a97253cf86a2fff1b1c61b20796d97d1cad42c6210f09b5a10cb973a3bb558ca4f4d734f6738947564fe0353261c01e6bdfd475f100d9290b157

Download Submit
C:\Users\Admin\AppData\Local\Temp\opelt31uZT.bat
Filesize
226B

MD5
f41110b71580d1c7520e871591f53df7

SHA1
c33ac8765efb55b26f98f41b61ddc6708325c504

SHA256
4f0c5157fadde9b672232de5f4f94e7a5658952109200d739c588650c7a2e265

SHA512
e35aa55c8c6b703358de049d351f0717f009dac24225f6978b1e1accd26e0d68addd305bee78bef19ebf91f488794503d9771f95956bfda5eaae052e683eff33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DED.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DED.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7A6.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB491.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
6793e15f4b1e73584a36b215baebcd2a

SHA1
def7b5924842457537e1915cede0bf829cb621ec

SHA256
5d94afb1a1cc66116ee592245fd7224cb2ba1e2b034eea4e01900a1cb3f86f98

SHA512
1484020bd7497c62733ebfbae4d3e36ec7dc385fac73aa01e4c34b7e09baf1efc1e55c561c68095eac3e41213422c852b9f8faffe4539dade36a3a55afa919e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
6793e15f4b1e73584a36b215baebcd2a

SHA1
def7b5924842457537e1915cede0bf829cb621ec

SHA256
5d94afb1a1cc66116ee592245fd7224cb2ba1e2b034eea4e01900a1cb3f86f98

SHA512
1484020bd7497c62733ebfbae4d3e36ec7dc385fac73aa01e4c34b7e09baf1efc1e55c561c68095eac3e41213422c852b9f8faffe4539dade36a3a55afa919e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
6793e15f4b1e73584a36b215baebcd2a

SHA1
def7b5924842457537e1915cede0bf829cb621ec

SHA256
5d94afb1a1cc66116ee592245fd7224cb2ba1e2b034eea4e01900a1cb3f86f98

SHA512
1484020bd7497c62733ebfbae4d3e36ec7dc385fac73aa01e4c34b7e09baf1efc1e55c561c68095eac3e41213422c852b9f8faffe4539dade36a3a55afa919e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
6793e15f4b1e73584a36b215baebcd2a

SHA1
def7b5924842457537e1915cede0bf829cb621ec

SHA256
5d94afb1a1cc66116ee592245fd7224cb2ba1e2b034eea4e01900a1cb3f86f98

SHA512
1484020bd7497c62733ebfbae4d3e36ec7dc385fac73aa01e4c34b7e09baf1efc1e55c561c68095eac3e41213422c852b9f8faffe4539dade36a3a55afa919e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
6793e15f4b1e73584a36b215baebcd2a

SHA1
def7b5924842457537e1915cede0bf829cb621ec

SHA256
5d94afb1a1cc66116ee592245fd7224cb2ba1e2b034eea4e01900a1cb3f86f98

SHA512
1484020bd7497c62733ebfbae4d3e36ec7dc385fac73aa01e4c34b7e09baf1efc1e55c561c68095eac3e41213422c852b9f8faffe4539dade36a3a55afa919e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
6793e15f4b1e73584a36b215baebcd2a

SHA1
def7b5924842457537e1915cede0bf829cb621ec

SHA256
5d94afb1a1cc66116ee592245fd7224cb2ba1e2b034eea4e01900a1cb3f86f98

SHA512
1484020bd7497c62733ebfbae4d3e36ec7dc385fac73aa01e4c34b7e09baf1efc1e55c561c68095eac3e41213422c852b9f8faffe4539dade36a3a55afa919e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
6793e15f4b1e73584a36b215baebcd2a

SHA1
def7b5924842457537e1915cede0bf829cb621ec

SHA256
5d94afb1a1cc66116ee592245fd7224cb2ba1e2b034eea4e01900a1cb3f86f98

SHA512
1484020bd7497c62733ebfbae4d3e36ec7dc385fac73aa01e4c34b7e09baf1efc1e55c561c68095eac3e41213422c852b9f8faffe4539dade36a3a55afa919e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
6793e15f4b1e73584a36b215baebcd2a

SHA1
def7b5924842457537e1915cede0bf829cb621ec

SHA256
5d94afb1a1cc66116ee592245fd7224cb2ba1e2b034eea4e01900a1cb3f86f98

SHA512
1484020bd7497c62733ebfbae4d3e36ec7dc385fac73aa01e4c34b7e09baf1efc1e55c561c68095eac3e41213422c852b9f8faffe4539dade36a3a55afa919e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
6793e15f4b1e73584a36b215baebcd2a

SHA1
def7b5924842457537e1915cede0bf829cb621ec

SHA256
5d94afb1a1cc66116ee592245fd7224cb2ba1e2b034eea4e01900a1cb3f86f98

SHA512
1484020bd7497c62733ebfbae4d3e36ec7dc385fac73aa01e4c34b7e09baf1efc1e55c561c68095eac3e41213422c852b9f8faffe4539dade36a3a55afa919e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9INVUJT1ZF8Y5E8HWG7G.temp
Filesize
7KB

MD5
6793e15f4b1e73584a36b215baebcd2a

SHA1
def7b5924842457537e1915cede0bf829cb621ec

SHA256
5d94afb1a1cc66116ee592245fd7224cb2ba1e2b034eea4e01900a1cb3f86f98

SHA512
1484020bd7497c62733ebfbae4d3e36ec7dc385fac73aa01e4c34b7e09baf1efc1e55c561c68095eac3e41213422c852b9f8faffe4539dade36a3a55afa919e6

Download Submit
C:\Windows\5779722125.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\5779722125.exe
Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\Blitz.exe
Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\XboxUpdate.exe
Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
C:\Windows\XboxUpdate.exe
Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1DED.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1DED.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1DED.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2000.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmpA7A6.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmpA7A6.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmpA7A6.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmpB491.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmpB491.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmpB491.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/632-120-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-94-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-138-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-150-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-152-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-154-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-142-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-162-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-78-0x0000000000DE0000-0x0000000001050000-memory.dmp

Filesize
2.4MB

Download
memory/632-136-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-134-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-165-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-82-0x0000000000340000-0x00000000003C6000-memory.dmp

Filesize
536KB

Download
memory/632-132-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-130-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-83-0x0000000000CF0000-0x0000000000D96000-memory.dmp

Filesize
664KB

Download
memory/632-84-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-85-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-87-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/632-88-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-92-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-1300-0x000000001B070000-0x000000001B0BC000-memory.dmp

Filesize
304KB

Download
memory/632-128-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-126-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-96-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-98-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-100-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-102-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-104-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-122-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-118-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-116-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-106-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-124-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-108-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-110-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-112-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-1273-0x000000001AC50000-0x000000001AC9E000-memory.dmp

Filesize
312KB

Download
memory/632-114-0x0000000000CF0000-0x0000000000D92000-memory.dmp

Filesize
648KB

Download
memory/632-1276-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/696-1372-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/696-1373-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/696-1371-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/876-241-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/876-223-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/876-1284-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-1288-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-1289-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-1290-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-1294-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-1295-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-1296-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-1298-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-1280-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-1302-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-168-0x0000000000AB0000-0x0000000000ACC000-memory.dmp

Filesize
112KB

Download
memory/876-79-0x0000000000E70000-0x0000000001432000-memory.dmp

Filesize
5.8MB

Download
memory/876-81-0x000000001BB40000-0x000000001BC9E000-memory.dmp

Filesize
1.4MB

Download
memory/876-173-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/876-1277-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-1274-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-175-0x0000000000C70000-0x0000000000C80000-memory.dmp

Filesize
64KB

Download
memory/876-1137-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-834-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-363-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-318-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-177-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/876-179-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/876-185-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/876-257-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/876-254-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/876-252-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/876-250-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/876-246-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

Filesize
56KB

Download
memory/876-244-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/876-220-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/876-1283-0x000000001B620000-0x000000001B6A0000-memory.dmp

Filesize
512KB

Download
memory/876-226-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/876-232-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/876-149-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/1008-1377-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1008-1378-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1376-1359-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1376-1344-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1376-1343-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1532-1374-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1532-1375-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1532-1376-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1704-1311-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1704-1310-0x000000001B160000-0x000000001B442000-memory.dmp

Filesize
2.9MB

Download
memory/1752-1341-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/1824-89-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/1824-80-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/1928-91-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/1928-1278-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/1928-1279-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/1928-77-0x0000000000870000-0x0000000000A56000-memory.dmp

Filesize
1.9MB

Download