allcome | 19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3

Resubmissions

15-10-2023 15:31

231015-sx9b1aaf63 10

03-06-2023 11:19

230603-ne62psge66 10

12-04-2023 12:00

230412-n6gk5aca73 10

05-09-2022 16:12

220905-tny1cabffk 10

Analysis

max time kernel
133s
max time network
160s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15-10-2023 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RDUQK6W.exe
Size

10.5MB
MD5

4a5a3ad1c74f3f7d525e1c97995ca649
SHA1

cc0548dcbf4c0bc4489529e9148cf9f921485e84
SHA256

19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3
SHA512

fbb94f6b670fbd6e32ac71b97cfe00d3c67a9747e1e4192ad1889bd8cf121b1b3bfe6e9fa0d4ba8634b5a8431b84c4ba7b3800bb6e128ce9ad759f952ac875b3
SSDEEP

196608:OXBAqsvidH8HkLOogdmCvl6SsT2bygeHHNc8zKiSKu5GjY2+rZvPTetsi0ERHblh:vidcEiJtNUEMH6kXYj5etb0qHblVFV

Score

10^/10

allcome dcrat zgrat evasion infostealer rat stealer trojan

Malware Config

Extracted

Family

allcome

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=Raqxnd

Wallets

D7pq84u7ke73RmCkRPc1z2nKBfmfPrYLxM

rEPri1dB2B6TxxzBw31ihKwGkEEE3ZCzH2

0x379844563B2947bCf8Ee7660d674E91704ba85cc

XqcVZ9pP5YyEwfQ4RkVXC5mWZgQBY3qNNz

TT5o47UN2jDfvmbv7EQm8NZ3xw7NcpKhKB

t1Qc898xYxqJ2Vsrd2X15EA3L2QzNrCdZ6W

GB3TZL2PBSQOQAEFU57JPIFAXG7R73ECOSQGT3XCDCOAUGUWUKWAVO7H

4AqLHHmtMTQRWomEbPd8yxFdEsZ5VMXy1MvwhG1TTWgcCbGzgaAcfkA54K45UbQXjtBa3UYhmr8vYaGNGAkVTfXCE5bbT12

qrkkg7692gv3fz407lt8zxdxtx2d4zuf2q204ykdzn

1NipSzEWByjXUarhF2p3qq51MVbnnoo6HZ

0x08BDb0e0339E7B9A725FD665Fc17B3AA3FF73BFc

LQtxqhZWP3EDi9n1tVdKNyZVR6wrFRr7hN

+79889916188

LP1oSHdQ3kdgrWnPvB5XtuBLZaMq9JMoWt

ltc1qq5k32ja0yun36ydqhv6edd8ydpmfkfy6g5e994

bc1qngt9pchlwak6rzc37ez05sfhzr8dnyupu7e769

bc1qnx4g8m8lctzxm5wlcfpw2ae8zkf6nxerdujzuu

89CBob8FyychG8inyWBBhqUxbPFGzVaWnBZRdeFi8V38XRRv312X6ViMPxCuom3GKk8hLFmZYmTPQ1qMmq6YY8rCNCDeubb

Signatures

Allcome
A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
stealer allcome
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2816-29-0x000000001B800000-0x000000001B8A6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-40-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-41-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-43-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-47-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-51-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-53-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-60-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-67-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-69-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-71-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-74-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-76-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-83-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-85-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-87-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-89-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-91-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-93-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-95-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-97-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-99-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-101-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-103-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-105-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-107-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-109-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-111-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-113-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-115-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-117-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-119-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-121-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2816-123-0x000000001B800000-0x000000001B8A2000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	992	schtasks.exe	40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	992	schtasks.exe	40

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tmp5D0E.tmp.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2304-28-0x000000001B9C0000-0x000000001BB1E000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
2304	5779722125.exe
2816	XboxUpdate.exe
2208	schtasks.exe
2140	Extreme Injector.exe
2808	tmp5D0E.tmp.exe
2456	tmp5CEF.tmp.exe
2900	tmp5D0E.tmp.exe
892	tmp3C8.tmp.exe
1028	tmp5D0E.tmp.exe
1768	tmp7C80.tmp.exe
804	tmp5D0E.tmp.exe
2876	tmpD578.tmp.exe

Loads dropped DLL 16 IoCs

pid	Process
2016	$RDUQK6W.exe
1696	WerFault.exe
1696	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
1696	WerFault.exe
268	WerFault.exe
268	WerFault.exe
268	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
1940	WerFault.exe
952	WerFault.exe
952	WerFault.exe
952	WerFault.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp5D0E.tmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp5D0E.tmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp5D0E.tmp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\System.exe	5779722125.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\System.exe	5779722125.exe
File created	C:\Program Files (x86)\Windows Media Player\27d1bcfc3c54e0	5779722125.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\explorer.exe	5779722125.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\7a0fd90576e088	5779722125.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\explorer.exe	5779722125.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\5779722125.exe	5779722125.exe
File created	C:\Windows\5779722125.exe	$RDUQK6W.exe
File created	C:\Windows\XboxUpdate.exe	$RDUQK6W.exe
File created	C:\Windows\Microsoft.NET\Framework64\conhost.exe	5779722125.exe
File created	C:\Windows\Logs\CBS\5940a34987c991	5779722125.exe
File opened for modification	C:\Windows\Logs\CBS\dllhost.exe	5779722125.exe
File created	C:\Windows\Blitz.exe	$RDUQK6W.exe
File created	C:\Windows\Microsoft.NET\Framework64\088424020bedd6	5779722125.exe
File created	C:\Windows\Logs\CBS\dllhost.exe	5779722125.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\conhost.exe	5779722125.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
1696	2808	WerFault.exe	34
2860	2456	WerFault.exe	35
268	892	WerFault.exe	96
1940	1768	WerFault.exe	104
952	2876	WerFault.exe	111
1692	2100	WerFault.exe	114

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
344	schtasks.exe
1628	schtasks.exe
2288	schtasks.exe
2132	schtasks.exe
2924	schtasks.exe
324	schtasks.exe
1548	schtasks.exe
1884	schtasks.exe
1756	schtasks.exe
2556	schtasks.exe
2880	schtasks.exe
592	schtasks.exe
1508	schtasks.exe
876	schtasks.exe
3068	schtasks.exe
2588	schtasks.exe
1672	schtasks.exe
2772	schtasks.exe
784	schtasks.exe
2912	schtasks.exe
2540	schtasks.exe
2208	schtasks.exe
2800	schtasks.exe
2848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	5779722125.exe
2304	5779722125.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2044	powershell.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2816	XboxUpdate.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe
2304	5779722125.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	5779722125.exe
Token: SeDebugPrivilege	2816	XboxUpdate.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2140	Extreme Injector.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: SeDebugPrivilege	2140	Extreme Injector.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: SeDebugPrivilege	2900	tmp5D0E.tmp.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: 33	2140	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	2140	Extreme Injector.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1028	tmp5D0E.tmp.exe
Token: SeDebugPrivilege	804	tmp5D0E.tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2044	2016	$RDUQK6W.exe	28
PID 2016 wrote to memory of 2044	2016	$RDUQK6W.exe	28
PID 2016 wrote to memory of 2044	2016	$RDUQK6W.exe	28
PID 2016 wrote to memory of 2044	2016	$RDUQK6W.exe	28
PID 2016 wrote to memory of 2304	2016	$RDUQK6W.exe	30
PID 2016 wrote to memory of 2304	2016	$RDUQK6W.exe	30
PID 2016 wrote to memory of 2304	2016	$RDUQK6W.exe	30
PID 2016 wrote to memory of 2304	2016	$RDUQK6W.exe	30
PID 2016 wrote to memory of 2816	2016	$RDUQK6W.exe	31
PID 2016 wrote to memory of 2816	2016	$RDUQK6W.exe	31
PID 2016 wrote to memory of 2816	2016	$RDUQK6W.exe	31
PID 2016 wrote to memory of 2816	2016	$RDUQK6W.exe	31
PID 2016 wrote to memory of 2208	2016	$RDUQK6W.exe	50
PID 2016 wrote to memory of 2208	2016	$RDUQK6W.exe	50
PID 2016 wrote to memory of 2208	2016	$RDUQK6W.exe	50
PID 2016 wrote to memory of 2208	2016	$RDUQK6W.exe	50
PID 2016 wrote to memory of 2140	2016	$RDUQK6W.exe	33
PID 2016 wrote to memory of 2140	2016	$RDUQK6W.exe	33
PID 2016 wrote to memory of 2140	2016	$RDUQK6W.exe	33
PID 2016 wrote to memory of 2140	2016	$RDUQK6W.exe	33
PID 2304 wrote to memory of 2808	2304	5779722125.exe	34
PID 2304 wrote to memory of 2808	2304	5779722125.exe	34
PID 2304 wrote to memory of 2808	2304	5779722125.exe	34
PID 2304 wrote to memory of 2808	2304	5779722125.exe	34
PID 2816 wrote to memory of 2456	2816	XboxUpdate.exe	35
PID 2816 wrote to memory of 2456	2816	XboxUpdate.exe	35
PID 2816 wrote to memory of 2456	2816	XboxUpdate.exe	35
PID 2816 wrote to memory of 2456	2816	XboxUpdate.exe	35
PID 2808 wrote to memory of 1696	2808	tmp5D0E.tmp.exe	38
PID 2808 wrote to memory of 1696	2808	tmp5D0E.tmp.exe	38
PID 2808 wrote to memory of 1696	2808	tmp5D0E.tmp.exe	38
PID 2808 wrote to memory of 1696	2808	tmp5D0E.tmp.exe	38
PID 2456 wrote to memory of 2860	2456	tmp5CEF.tmp.exe	39
PID 2456 wrote to memory of 2860	2456	tmp5CEF.tmp.exe	39
PID 2456 wrote to memory of 2860	2456	tmp5CEF.tmp.exe	39
PID 2456 wrote to memory of 2860	2456	tmp5CEF.tmp.exe	39
PID 2304 wrote to memory of 2352	2304	5779722125.exe	79
PID 2304 wrote to memory of 2352	2304	5779722125.exe	79
PID 2304 wrote to memory of 2352	2304	5779722125.exe	79
PID 2304 wrote to memory of 2480	2304	5779722125.exe	65
PID 2304 wrote to memory of 2480	2304	5779722125.exe	65
PID 2304 wrote to memory of 2480	2304	5779722125.exe	65
PID 2304 wrote to memory of 1788	2304	5779722125.exe	78
PID 2304 wrote to memory of 1788	2304	5779722125.exe	78
PID 2304 wrote to memory of 1788	2304	5779722125.exe	78
PID 2304 wrote to memory of 564	2304	5779722125.exe	76
PID 2304 wrote to memory of 564	2304	5779722125.exe	76
PID 2304 wrote to memory of 564	2304	5779722125.exe	76
PID 2304 wrote to memory of 988	2304	5779722125.exe	75
PID 2304 wrote to memory of 988	2304	5779722125.exe	75
PID 2304 wrote to memory of 988	2304	5779722125.exe	75
PID 2304 wrote to memory of 2940	2304	5779722125.exe	66
PID 2304 wrote to memory of 2940	2304	5779722125.exe	66
PID 2304 wrote to memory of 2940	2304	5779722125.exe	66
PID 2304 wrote to memory of 1816	2304	5779722125.exe	74
PID 2304 wrote to memory of 1816	2304	5779722125.exe	74
PID 2304 wrote to memory of 1816	2304	5779722125.exe	74
PID 2304 wrote to memory of 2172	2304	5779722125.exe	73
PID 2304 wrote to memory of 2172	2304	5779722125.exe	73
PID 2304 wrote to memory of 2172	2304	5779722125.exe	73
PID 2304 wrote to memory of 2428	2304	5779722125.exe	67
PID 2304 wrote to memory of 2428	2304	5779722125.exe	67
PID 2304 wrote to memory of 2428	2304	5779722125.exe	67
PID 2304 wrote to memory of 1784	2304	5779722125.exe	72

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tmp5D0E.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tmp5D0E.tmp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe
"C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbQBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAagBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AZABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAbQByACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\5779722125.exe
  "C:\Windows\5779722125.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 96
      4⤵
      Loads dropped DLL
      Program crash
      PID:1696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iZj2KDpLfv.bat"
    3⤵
    PID:2376
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2864
  - - C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe
      "C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\tmp3C8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3C8.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:892
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 96
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:268
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5ae1613-d2e3-4c47-9ff2-9f1f7d6f7f74.vbs"
        5⤵
        
        PID:1796
      - C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2350f965-b002-4325-b424-43de88d6df97.vbs"
        7⤵
        
        PID:2560
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\868ff33e-dda5-4fe5-902c-a433fc24df2b.vbs"
        9⤵
        
        PID:1016
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe"
        10⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp5773.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5773.tmp.exe"
        11⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 96
        12⤵
        Program crash
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f56161d3-4649-45d2-9cdf-03aa373ab23d.vbs"
        11⤵
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf39ce42-8765-4371-ab23-5d68770dc76f.vbs"
        11⤵
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c2f3aee-a938-4425-8295-21b114c168aa.vbs"
        9⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmpD578.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD578.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 96
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d55dcb40-5be3-4e93-bd66-5240bdec3481.vbs"
        7⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7C80.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7C80.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 96
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:1940
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47d18e80-e48e-48fe-a002-dd070543bccd.vbs"
        5⤵
        
        PID:1964
- C:\Windows\XboxUpdate.exe
  "C:\Windows\XboxUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\tmp5CEF.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp5CEF.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 96
      4⤵
      Loads dropped DLL
      Program crash
      PID:2860
- C:\Windows\Blitz.exe
  "C:\Windows\Blitz.exe"
  2⤵
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2140 -s 1220
    3⤵
    PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp5D0E.tmpt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe'" /f
1⤵
- Process spawned unexpected child process
- Executes dropped EXE
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp5D0E.tmp" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp5D0E.tmpt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Favorites\Windows Live\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Windows Live\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\Windows Live\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\Framework64\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\Framework64\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\CBS\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\CBS\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\explorer.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\tmp5D0E.tmp.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2350f965-b002-4325-b424-43de88d6df97.vbs

Filesize
747B

MD5
3b15f2e96b1bd9c30e5a994484c84521

SHA1
31fa4c4313072554f444794fd6f4c004da85f7fa

SHA256
1ee19ebd906fa747a088dc7dc837466b722153205588f23c73e7f1adf8cfdbba

SHA512
594853ae0ec5c395d710ce58a26cb5ca8a64422649cfd795b4eec77946640420e6128d277a787a7183d8d0913b7d25c80bac8fbb6d75f515a10ace45197886aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\47d18e80-e48e-48fe-a002-dd070543bccd.vbs

Filesize
523B

MD5
54542804c298401c31fa03d256eed4d6

SHA1
58d8735a039ce382c1fd1a99e13611b16e2167db

SHA256
48c2f58ccaa1dd8388d65b66b1de0ed3cda6a59587c52d2a7a02319ea8ec8852

SHA512
b9d9fe7080f05d8cfc6c97bfbd936907bd2df7e636432153ba9365623b2b99a1b479ecd80d2e13407908ed515d21b6524d9ec4f70f27420b527c0757d2fdeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c2f3aee-a938-4425-8295-21b114c168aa.vbs

Filesize
523B

MD5
54542804c298401c31fa03d256eed4d6

SHA1
58d8735a039ce382c1fd1a99e13611b16e2167db

SHA256
48c2f58ccaa1dd8388d65b66b1de0ed3cda6a59587c52d2a7a02319ea8ec8852

SHA512
b9d9fe7080f05d8cfc6c97bfbd936907bd2df7e636432153ba9365623b2b99a1b479ecd80d2e13407908ed515d21b6524d9ec4f70f27420b527c0757d2fdeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\868ff33e-dda5-4fe5-902c-a433fc24df2b.vbs

Filesize
746B

MD5
8605515048ccd2219ac9cbf12033457a

SHA1
9121173c73f1813f2b293263c77b8e57124eaace

SHA256
5d86a18cbc2dea991a03c1e852050fd5ebc22bd681410368eebc0d121860a080

SHA512
380064b1bc814a697314868d1190af1a6ca8c5bdabc6e0e045b4975924c8fb641af4998c594defcc0b10daf2838146dea2230b89c1bc1a6cc1c697e4e284d89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa0345deb0c97178b2a4c80665e845af01dfb49b.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa0345deb0c97178b2a4c80665e845af01dfb49b.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa0345deb0c97178b2a4c80665e845af01dfb49b.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf39ce42-8765-4371-ab23-5d68770dc76f.vbs

Filesize
523B

MD5
54542804c298401c31fa03d256eed4d6

SHA1
58d8735a039ce382c1fd1a99e13611b16e2167db

SHA256
48c2f58ccaa1dd8388d65b66b1de0ed3cda6a59587c52d2a7a02319ea8ec8852

SHA512
b9d9fe7080f05d8cfc6c97bfbd936907bd2df7e636432153ba9365623b2b99a1b479ecd80d2e13407908ed515d21b6524d9ec4f70f27420b527c0757d2fdeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\d55dcb40-5be3-4e93-bd66-5240bdec3481.vbs

Filesize
523B

MD5
54542804c298401c31fa03d256eed4d6

SHA1
58d8735a039ce382c1fd1a99e13611b16e2167db

SHA256
48c2f58ccaa1dd8388d65b66b1de0ed3cda6a59587c52d2a7a02319ea8ec8852

SHA512
b9d9fe7080f05d8cfc6c97bfbd936907bd2df7e636432153ba9365623b2b99a1b479ecd80d2e13407908ed515d21b6524d9ec4f70f27420b527c0757d2fdeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\d55dcb40-5be3-4e93-bd66-5240bdec3481.vbs

Filesize
523B

MD5
54542804c298401c31fa03d256eed4d6

SHA1
58d8735a039ce382c1fd1a99e13611b16e2167db

SHA256
48c2f58ccaa1dd8388d65b66b1de0ed3cda6a59587c52d2a7a02319ea8ec8852

SHA512
b9d9fe7080f05d8cfc6c97bfbd936907bd2df7e636432153ba9365623b2b99a1b479ecd80d2e13407908ed515d21b6524d9ec4f70f27420b527c0757d2fdeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5ae1613-d2e3-4c47-9ff2-9f1f7d6f7f74.vbs

Filesize
747B

MD5
fb181f76ffe8fbfec7fec198fd810344

SHA1
bb22443d7f53bfe2b674537c1a38d3efc2fe6ba6

SHA256
b7f4220c48b8917635786d4d1f184f1f35acc124ea4db174ef016587eed92021

SHA512
870b1b5b75ef295fae6dc502ede6c79f25025885cc35fa3322caeb4ba2176b41e6eaa935bdba8b456cd5a03fddee8b63ab4bc94482f4697c63cd680f83cacbd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f56161d3-4649-45d2-9cdf-03aa373ab23d.vbs

Filesize
747B

MD5
1fb25cbbb3c36315db10e35cfce1d60f

SHA1
85dd4820df592538fa57c3fc1a7edf14561feb13

SHA256
c5281869c5ff3bdcfb0d35dcafa4ac80f76c8a45639cc5dce76765a138e81bc9

SHA512
147abff0c19a6ea0dbecbca1da38777f964bab288cccf4f6a32369a4b419e69dd9201389cd051a551f56c8c2ef99e8d053396cd9d1a5a9ad0c784dac25426f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iZj2KDpLfv.bat

Filesize
236B

MD5
f87c8a36e93eee55fed4f2c8903829d7

SHA1
7ae54e3a9ace168ebafb4b6393f9aff64066c616

SHA256
659c429d234bcb77963993ac234f81440333ef0bfb9a13c38290ab9ea184f326

SHA512
0d9d5ffa1fd7e38107b1de1323a5fe42dc6aab9775489767b5f4d037e3a4a8cb62ab28f68ec0e64dadcd221284cb87b3c4c8a0f9ebe804deb5fd2a856de6cbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3C8.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5773.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5CEF.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C80.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD578.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3UNZ0W0LH2YRJIOZ8IK3.temp

Filesize
7KB

MD5
37c13b3cf6b56d315e0905142fa7473a

SHA1
4c6bca37105173066bfa02d75ea3a333e37f0ccc

SHA256
f26a0f7d3fa4ce203bf33d53a2c103b80de438e063c33076e5e43c3c2fda60e6

SHA512
10fe9ca85a82475214e70c676a3573b6f58c02bcb02ebc6da4513d7711a82e18fcb60e79711c89983841f6bf3220578c1a95ab1e3faf96172ccfaf11a2f4ea66

Download Submit
C:\Windows\5779722125.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\5779722125.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\Blitz.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\XboxUpdate.exe

Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
C:\Windows\XboxUpdate.exe

Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3C8.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3C8.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3C8.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5773.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5773.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5773.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5CEF.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5CEF.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5CEF.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7C80.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7C80.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7C80.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD578.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD578.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD578.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/2044-32-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-235-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-31-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2044-231-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-30-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-34-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2044-256-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-37-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2044-233-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2044-243-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2044-240-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2140-33-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-237-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-246-0x000000001B470000-0x000000001B4F0000-memory.dmp

Filesize
512KB

Download
memory/2140-25-0x0000000000D20000-0x0000000000F06000-memory.dmp

Filesize
1.9MB

Download
memory/2140-39-0x000000001B470000-0x000000001B4F0000-memory.dmp

Filesize
512KB

Download
memory/2304-274-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-236-0x000000001B1A0000-0x000000001B1AC000-memory.dmp

Filesize
48KB

Download
memory/2304-218-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/2304-217-0x0000000002740000-0x0000000002748000-memory.dmp

Filesize
32KB

Download
memory/2304-219-0x0000000002760000-0x0000000002776000-memory.dmp

Filesize
88KB

Download
memory/2304-220-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2304-221-0x00000000027A0000-0x00000000027AA000-memory.dmp

Filesize
40KB

Download
memory/2304-222-0x0000000002790000-0x000000000279C000-memory.dmp

Filesize
48KB

Download
memory/2304-223-0x000000001AD40000-0x000000001AD48000-memory.dmp

Filesize
32KB

Download
memory/2304-224-0x000000001AD50000-0x000000001AD5C000-memory.dmp

Filesize
48KB

Download
memory/2304-225-0x000000001AD60000-0x000000001AD6C000-memory.dmp

Filesize
48KB

Download
memory/2304-226-0x000000001AD70000-0x000000001AD78000-memory.dmp

Filesize
32KB

Download
memory/2304-227-0x000000001AD80000-0x000000001AD8A000-memory.dmp

Filesize
40KB

Download
memory/2304-228-0x000000001AD90000-0x000000001AD9E000-memory.dmp

Filesize
56KB

Download
memory/2304-229-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-215-0x00000000024C0000-0x00000000024CE000-memory.dmp

Filesize
56KB

Download
memory/2304-230-0x000000001ADA0000-0x000000001ADA8000-memory.dmp

Filesize
32KB

Download
memory/2304-232-0x000000001B180000-0x000000001B18E000-memory.dmp

Filesize
56KB

Download
memory/2304-24-0x0000000000330000-0x00000000008F2000-memory.dmp

Filesize
5.8MB

Download
memory/2304-234-0x000000001B190000-0x000000001B19C000-memory.dmp

Filesize
48KB

Download
memory/2304-216-0x0000000002720000-0x000000000273C000-memory.dmp

Filesize
112KB

Download
memory/2304-272-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-26-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-28-0x000000001B9C0000-0x000000001BB1E000-memory.dmp

Filesize
1.4MB

Download
memory/2304-241-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-35-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-271-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-244-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-269-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-247-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-277-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-248-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-276-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-253-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-275-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-261-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-266-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-267-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2304-268-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2456-77-0x0000000000C60000-0x0000000000C76000-memory.dmp

Filesize
88KB

Download
memory/2808-72-0x0000000000EA0000-0x0000000000EB6000-memory.dmp

Filesize
88KB

Download
memory/2816-121-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-107-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-109-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-111-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-113-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-105-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-103-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-101-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-99-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-97-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-95-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-93-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-91-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-89-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-87-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-85-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-83-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-245-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-76-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-74-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-115-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-71-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-69-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-67-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-60-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-53-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-51-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-47-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-43-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-41-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-40-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-38-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-36-0x000000001A850000-0x000000001A8D0000-memory.dmp

Filesize
512KB

Download
memory/2816-242-0x000000001A850000-0x000000001A8D0000-memory.dmp

Filesize
512KB

Download
memory/2816-29-0x000000001B800000-0x000000001B8A6000-memory.dmp

Filesize
664KB

Download
memory/2816-117-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-27-0x000000001B010000-0x000000001B096000-memory.dmp

Filesize
536KB

Download
memory/2816-119-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-123-0x000000001B800000-0x000000001B8A2000-memory.dmp

Filesize
648KB

Download
memory/2816-23-0x0000000000880000-0x0000000000AF0000-memory.dmp

Filesize
2.4MB

Download