allcome | 19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3

Resubmissions

15-10-2023 15:31

231015-sx9b1aaf63 10

03-06-2023 11:19

230603-ne62psge66 10

12-04-2023 12:00

230412-n6gk5aca73 10

05-09-2022 16:12

220905-tny1cabffk 10

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2023 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RDUQK6W.exe
Size

10.5MB
MD5

4a5a3ad1c74f3f7d525e1c97995ca649
SHA1

cc0548dcbf4c0bc4489529e9148cf9f921485e84
SHA256

19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3
SHA512

fbb94f6b670fbd6e32ac71b97cfe00d3c67a9747e1e4192ad1889bd8cf121b1b3bfe6e9fa0d4ba8634b5a8431b84c4ba7b3800bb6e128ce9ad759f952ac875b3
SSDEEP

196608:OXBAqsvidH8HkLOogdmCvl6SsT2bygeHHNc8zKiSKu5GjY2+rZvPTetsi0ERHblh:vidcEiJtNUEMH6kXYj5etb0qHblVFV

Score

10^/10

allcome colibri dcrat zgrat build1 evasion infostealer loader rat stealer trojan

Malware Config

Extracted

Family

allcome

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=Raqxnd

Wallets

D7pq84u7ke73RmCkRPc1z2nKBfmfPrYLxM

rEPri1dB2B6TxxzBw31ihKwGkEEE3ZCzH2

0x379844563B2947bCf8Ee7660d674E91704ba85cc

XqcVZ9pP5YyEwfQ4RkVXC5mWZgQBY3qNNz

TT5o47UN2jDfvmbv7EQm8NZ3xw7NcpKhKB

t1Qc898xYxqJ2Vsrd2X15EA3L2QzNrCdZ6W

GB3TZL2PBSQOQAEFU57JPIFAXG7R73ECOSQGT3XCDCOAUGUWUKWAVO7H

4AqLHHmtMTQRWomEbPd8yxFdEsZ5VMXy1MvwhG1TTWgcCbGzgaAcfkA54K45UbQXjtBa3UYhmr8vYaGNGAkVTfXCE5bbT12

qrkkg7692gv3fz407lt8zxdxtx2d4zuf2q204ykdzn

1NipSzEWByjXUarhF2p3qq51MVbnnoo6HZ

0x08BDb0e0339E7B9A725FD665Fc17B3AA3FF73BFc

LQtxqhZWP3EDi9n1tVdKNyZVR6wrFRr7hN

+79889916188

LP1oSHdQ3kdgrWnPvB5XtuBLZaMq9JMoWt

ltc1qq5k32ja0yun36ydqhv6edd8ydpmfkfy6g5e994

bc1qngt9pchlwak6rzc37ez05sfhzr8dnyupu7e769

bc1qnx4g8m8lctzxm5wlcfpw2ae8zkf6nxerdujzuu

89CBob8FyychG8inyWBBhqUxbPFGzVaWnBZRdeFi8V38XRRv312X6ViMPxCuom3GKk8hLFmZYmTPQ1qMmq6YY8rCNCDeubb

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Allcome
A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
stealer allcome
Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/1676-54-0x000000001B830000-0x000000001B8D6000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-59-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-62-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-64-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-66-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-69-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-71-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-75-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-88-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-94-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-100-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-103-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-113-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-115-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-124-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-130-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-133-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-136-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-142-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-163-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-168-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-173-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-179-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-175-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-183-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-196-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-192-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-198-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-187-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-200-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-159-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-202-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1
behavioral2/memory/1676-149-0x000000001B830000-0x000000001B8D2000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	748	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	748	schtasks.exe	95

UAC bypass 3 TTPs 21 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1268-61-0x000000001BAF0000-0x000000001BC4E000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	$RDUQK6W.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	XboxUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	5779722125.exe

Executes dropped EXE 26 IoCs

pid	Process
1268	5779722125.exe
1676	XboxUpdate.exe
3624	Blitz.exe
3400	Extreme Injector.exe
4664	tmp9B75.tmp.exe
1224	tmp9E43.tmp.exe
956	tmp9B75.tmp.exe
4768	tmp9E43.tmp.exe
2800	conhost.exe
2808	tmp2EBC.tmp.exe
2816	tmp2EBC.tmp.exe
2340	conhost.exe
4008	tmp6397.tmp.exe
2336	tmp6397.tmp.exe
4532	conhost.exe
2768	tmpC1C4.tmp.exe
4472	tmpC1C4.tmp.exe
3144	conhost.exe
4596	tmp9F9.tmp.exe
4348	tmp9F9.tmp.exe
4608	conhost.exe
232	tmp3EC4.tmp.exe
3184	tmp3EC4.tmp.exe
5092	conhost.exe
1748	tmp9CE2.tmp.exe
3308	tmp9CE2.tmp.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5779722125.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 4664 set thread context of 956	4664	tmp9B75.tmp.exe	94
PID 1224 set thread context of 4768	1224	tmp9E43.tmp.exe	96
PID 2808 set thread context of 2816	2808	tmp2EBC.tmp.exe	164
PID 4008 set thread context of 2336	4008	tmp6397.tmp.exe	177
PID 2768 set thread context of 4472	2768	tmpC1C4.tmp.exe	183
PID 4596 set thread context of 4348	4596	tmp9F9.tmp.exe	190
PID 232 set thread context of 3184	232	tmp3EC4.tmp.exe	198
PID 1748 set thread context of 3308	1748	tmp9CE2.tmp.exe	202

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\5779722125.exe	5779722125.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe	5779722125.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe	5779722125.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe	5779722125.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\ea1d8f6d871115	5779722125.exe
File created	C:\Program Files (x86)\Google\Update\5779722125.exe	5779722125.exe
File created	C:\Program Files (x86)\Google\Update\fd59360e6faa19	5779722125.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe	5779722125.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\088424020bedd6	5779722125.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\5779722125.exe	5779722125.exe
File opened for modification	C:\Windows\Help\Corporate\dwm.exe	5779722125.exe
File created	C:\Windows\5779722125.exe	$RDUQK6W.exe
File created	C:\Windows\XboxUpdate.exe	$RDUQK6W.exe
File created	C:\Windows\Blitz.exe	$RDUQK6W.exe
File created	C:\Windows\Help\Corporate\dwm.exe	5779722125.exe
File created	C:\Windows\Help\Corporate\6cb0b6c459d5d3	5779722125.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4640	schtasks.exe
4720	schtasks.exe
5048	schtasks.exe
4432	schtasks.exe
2104	schtasks.exe
1532	schtasks.exe
1428	schtasks.exe
3872	schtasks.exe
4232	schtasks.exe
3544	schtasks.exe
1684	schtasks.exe
3532	schtasks.exe
772	schtasks.exe
2832	schtasks.exe
1164	schtasks.exe
4788	schtasks.exe
4008	schtasks.exe
4900	schtasks.exe
1604	schtasks.exe
2480	schtasks.exe
1836	schtasks.exe
448	schtasks.exe
4684	schtasks.exe
1336	schtasks.exe
3156	schtasks.exe
1532	schtasks.exe
3708	schtasks.exe
1940	schtasks.exe
4964	schtasks.exe
816	schtasks.exe
464	schtasks.exe
4468	schtasks.exe
432	schtasks.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	5779722125.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1268	5779722125.exe
1268	5779722125.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1268	5779722125.exe
1268	5779722125.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1124	powershell.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1268	5779722125.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1268	5779722125.exe
1124	powershell.exe
1268	5779722125.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe
1676	XboxUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	XboxUpdate.exe
Token: SeDebugPrivilege	1268	5779722125.exe
Token: SeDebugPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: 33	3400	Extreme Injector.exe
Token: SeIncBasePriorityPrivilege	3400	Extreme Injector.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1124	2200	$RDUQK6W.exe	84
PID 2200 wrote to memory of 1124	2200	$RDUQK6W.exe	84
PID 2200 wrote to memory of 1124	2200	$RDUQK6W.exe	84
PID 2200 wrote to memory of 1268	2200	$RDUQK6W.exe	86
PID 2200 wrote to memory of 1268	2200	$RDUQK6W.exe	86
PID 2200 wrote to memory of 1676	2200	$RDUQK6W.exe	87
PID 2200 wrote to memory of 1676	2200	$RDUQK6W.exe	87
PID 2200 wrote to memory of 3624	2200	$RDUQK6W.exe	88
PID 2200 wrote to memory of 3624	2200	$RDUQK6W.exe	88
PID 2200 wrote to memory of 3624	2200	$RDUQK6W.exe	88
PID 2200 wrote to memory of 3400	2200	$RDUQK6W.exe	89
PID 2200 wrote to memory of 3400	2200	$RDUQK6W.exe	89
PID 1676 wrote to memory of 4664	1676	XboxUpdate.exe	93
PID 1676 wrote to memory of 4664	1676	XboxUpdate.exe	93
PID 1676 wrote to memory of 4664	1676	XboxUpdate.exe	93
PID 1268 wrote to memory of 1224	1268	5779722125.exe	91
PID 1268 wrote to memory of 1224	1268	5779722125.exe	91
PID 1268 wrote to memory of 1224	1268	5779722125.exe	91
PID 4664 wrote to memory of 956	4664	tmp9B75.tmp.exe	94
PID 4664 wrote to memory of 956	4664	tmp9B75.tmp.exe	94
PID 4664 wrote to memory of 956	4664	tmp9B75.tmp.exe	94
PID 4664 wrote to memory of 956	4664	tmp9B75.tmp.exe	94
PID 4664 wrote to memory of 956	4664	tmp9B75.tmp.exe	94
PID 4664 wrote to memory of 956	4664	tmp9B75.tmp.exe	94
PID 4664 wrote to memory of 956	4664	tmp9B75.tmp.exe	94
PID 1224 wrote to memory of 4768	1224	tmp9E43.tmp.exe	96
PID 1224 wrote to memory of 4768	1224	tmp9E43.tmp.exe	96
PID 1224 wrote to memory of 4768	1224	tmp9E43.tmp.exe	96
PID 1224 wrote to memory of 4768	1224	tmp9E43.tmp.exe	96
PID 1224 wrote to memory of 4768	1224	tmp9E43.tmp.exe	96
PID 1224 wrote to memory of 4768	1224	tmp9E43.tmp.exe	96
PID 1224 wrote to memory of 4768	1224	tmp9E43.tmp.exe	96
PID 1268 wrote to memory of 2832	1268	5779722125.exe	131
PID 1268 wrote to memory of 2832	1268	5779722125.exe	131
PID 1268 wrote to memory of 4832	1268	5779722125.exe	135
PID 1268 wrote to memory of 4832	1268	5779722125.exe	135
PID 1268 wrote to memory of 4640	1268	5779722125.exe	134
PID 1268 wrote to memory of 4640	1268	5779722125.exe	134
PID 1268 wrote to memory of 1492	1268	5779722125.exe	133
PID 1268 wrote to memory of 1492	1268	5779722125.exe	133
PID 1268 wrote to memory of 4472	1268	5779722125.exe	132
PID 1268 wrote to memory of 4472	1268	5779722125.exe	132
PID 1268 wrote to memory of 4384	1268	5779722125.exe	153
PID 1268 wrote to memory of 4384	1268	5779722125.exe	153
PID 1268 wrote to memory of 3372	1268	5779722125.exe	152
PID 1268 wrote to memory of 3372	1268	5779722125.exe	152
PID 1268 wrote to memory of 640	1268	5779722125.exe	150
PID 1268 wrote to memory of 640	1268	5779722125.exe	150
PID 1268 wrote to memory of 1344	1268	5779722125.exe	149
PID 1268 wrote to memory of 1344	1268	5779722125.exe	149
PID 1268 wrote to memory of 468	1268	5779722125.exe	148
PID 1268 wrote to memory of 468	1268	5779722125.exe	148
PID 1268 wrote to memory of 5096	1268	5779722125.exe	146
PID 1268 wrote to memory of 5096	1268	5779722125.exe	146
PID 1268 wrote to memory of 3308	1268	5779722125.exe	145
PID 1268 wrote to memory of 3308	1268	5779722125.exe	145
PID 1268 wrote to memory of 5092	1268	5779722125.exe	154
PID 1268 wrote to memory of 5092	1268	5779722125.exe	154
PID 5092 wrote to memory of 2312	5092	cmd.exe	157
PID 5092 wrote to memory of 2312	5092	cmd.exe	157
PID 5092 wrote to memory of 2800	5092	cmd.exe	159
PID 5092 wrote to memory of 2800	5092	cmd.exe	159
PID 2800 wrote to memory of 2808	2800	conhost.exe	162
PID 2800 wrote to memory of 2808	2800	conhost.exe	162

System policy modification 1 TTPs 21 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5779722125.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe
"C:\Users\Admin\AppData\Local\Temp\$RDUQK6W.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbQBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAagBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AZABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAbQByACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\5779722125.exe
  "C:\Windows\5779722125.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\tmp9E43.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9E43.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\tmp9E43.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9E43.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    PID:2832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    PID:4472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    PID:3308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    PID:468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    PID:3372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQ25hERLBD.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2312
  - - C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe
      "C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\tmp2EBC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2EBC.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2808
      - C:\Users\Admin\AppData\Local\Temp\tmp2EBC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2EBC.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:2816
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54bf2bd3-6080-4ee6-88e3-0ece8e3433e5.vbs"
        5⤵
        
        PID:1320
      - C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp6397.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6397.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmp6397.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6397.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc6aa6a9-5dbf-44d6-868e-0ac6375a667e.vbs"
        7⤵
        
        PID:448
        
        C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6698c21f-f9be-4f5d-b556-274d3d2791bc.vbs"
        9⤵
        
        PID:4028
        
        C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp9F9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9F9.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp9F9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9F9.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccc28a02-6f22-48a2-9a5d-5ca8c5bfd5c4.vbs"
        11⤵
        
        PID:1420
        
        C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:4608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec13f237-f9ff-4d66-a035-64e494501ee5.vbs"
        13⤵
        
        PID:2124
        
        C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp9CE2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9CE2.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp9CE2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9CE2.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9de49ae7-e89a-4ac2-ba66-6aa943f24d02.vbs"
        15⤵
        
        PID:4408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd00e656-ca35-4881-b748-6ff20849fd8b.vbs"
        15⤵
        
        PID:5008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ce8536c-64bf-4a84-ab68-220490553d6a.vbs"
        13⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp3EC4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3EC4.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\tmp3EC4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3EC4.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a00e666-6ef9-4d1f-9dba-ee803edb83ff.vbs"
        11⤵
        
        PID:4144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a90459b0-3369-4b62-a45b-23201202ad9a.vbs"
        9⤵
        
        PID:3440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36fbe1e0-bdc5-4aad-ab88-c5b3185b5067.vbs"
        7⤵
        
        PID:1356
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c7f5146-87e6-4f05-a9d0-cc053e604cad.vbs"
        5⤵
        
        PID:1932
- C:\Windows\XboxUpdate.exe
  "C:\Windows\XboxUpdate.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:956
- C:\Windows\Blitz.exe
  "C:\Windows\Blitz.exe"
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57797221255" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\5779722125.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5779722125" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\5779722125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "57797221255" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\5779722125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\Corporate\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\Corporate\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp9E43.tmpt" /sc MINUTE /mo 14 /tr "'C:\odt\tmp9E43.tmp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp9E43.tmp" /sc ONLOGON /tr "'C:\odt\tmp9E43.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp9E43.tmpt" /sc MINUTE /mo 14 /tr "'C:\odt\tmp9E43.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Favorites\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\conhost.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
54eea9572b8a1295c4226dd63cadef78

SHA1
1572cc403c755aa7faeb0ee2e795d449e61d485f

SHA256
47b23fd79d8b2504103e2ffbd3866956a332f4c6d37625195ca0f5ab76a39ee3

SHA512
ca125313f150c27926efd0832f81964c3a6a72a42fa7a4bb9fb8579661d26b6b29ee621683b7be0c84371ce4b3791dcf9fd9da0836fb67c7dd331012dbd48809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
55KB

MD5
d8874959db424819879be4c2fa214824

SHA1
3aede102b10ae80ed60d6560d7e04cf1878b2a47

SHA256
5704f05742c564fc9a5cb35e9ac7761433b23a5089b2799f9dd526d1b9a87cf9

SHA512
815d51c460f527ca7e57dae35d10d5b404e90ba3cf0876e80c0a7d77b6347e9ea3b235fa934ebcbefbc0b2eded8c7674125128329e6583a52bc427994306b0e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d72a787e00438abc7751cb852bc76c99

SHA1
9a8be3a98cdc2382d4db841ad2821cc89583a325

SHA256
7750e38e9b36d502c8e1878ca252c3a5c6045cc842835b0480f55317b71cd8ac

SHA512
5e699f7e0aaca93b316db4b075063d5f87de478131948965b42631e8319bb8f23c465253cb50a8331173612f68760afb27d191e664fcfda432ef57d83b37a848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4267fc1e87ee23aeb8b9a7d0497091c5

SHA1
59ddae7dc44b8317ff933ad113493eb1644c52c0

SHA256
ff7daa872dda2a5fc4ce7a687bb4193774abb607d489887ffdbbd0ef71bc0d8d

SHA512
1d1b048dc3f01680f4049c23db8e4450f2d59a1174184a340e712d6e4340b3ab6191a254986c98743c5374a693733bfa6ff255b62a7b43809bd79c0804be2beb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e01868dad1f7b38da16a1e987db38f10

SHA1
d39bdc67b1686bd9b9cd4d0d8586ffe752df0c01

SHA256
ccfe07b1da496ddb6aec4cb98a1e4c1d95b835147aa3bfd0202a08c5586a9434

SHA512
647288076bc0ac5f2e8a9905d16e00321244177fe2e0e29a8af5639e7baa2b6a8dd4a7dfd3928612f4137413c92aea21b5603f64ac660b93109c3edc2049c40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e01868dad1f7b38da16a1e987db38f10

SHA1
d39bdc67b1686bd9b9cd4d0d8586ffe752df0c01

SHA256
ccfe07b1da496ddb6aec4cb98a1e4c1d95b835147aa3bfd0202a08c5586a9434

SHA512
647288076bc0ac5f2e8a9905d16e00321244177fe2e0e29a8af5639e7baa2b6a8dd4a7dfd3928612f4137413c92aea21b5603f64ac660b93109c3edc2049c40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e01868dad1f7b38da16a1e987db38f10

SHA1
d39bdc67b1686bd9b9cd4d0d8586ffe752df0c01

SHA256
ccfe07b1da496ddb6aec4cb98a1e4c1d95b835147aa3bfd0202a08c5586a9434

SHA512
647288076bc0ac5f2e8a9905d16e00321244177fe2e0e29a8af5639e7baa2b6a8dd4a7dfd3928612f4137413c92aea21b5603f64ac660b93109c3edc2049c40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a727c4d41fae585e57dede6f36dbb6b

SHA1
b114da12ee3b628a0bf1c1e62dbe6a556bf31966

SHA256
4106bb23e502d2e6b66990371323f8321613ae5f92cf2e261e2ce0bec2d25081

SHA512
faa6df846c1c17dfc91e32ab793f83c063fe92df07f66fb5c2d44d06845e8219447f52c783a21534a457aa5d6422d8ac6cef220a041ccb60fc6c94a6a029222b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c12dde3a71404f5b5ce35209918269c8

SHA1
2f08f57fde14313ee07d8cfb683c07134a10d964

SHA256
760883ea6c95c53208a2f92b0dbc3cbac142b637fcc232c3d72f9a1a0a8ea421

SHA512
8d36ed1e86339a7200883f252e0effd9a91ff91198673c6d5a20302929cf12b3e05230f325686d64354d39e981521ca478259ee3e3412a6f4b8132b385da905a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
89b4ab874c9688de94f59afdc5afc29e

SHA1
b053e2ca9a763c665da0bfc31a89ab23fb4f0955

SHA256
0517e0e5d1e9c1f21d42bad848bf08b519903e865d4254439e92cfeddf656a54

SHA512
6215f899b39b413937133d46da7653c3c7e8cdf5f7e09cbbdb9c68a7b14886b729bdc2438e2b4fffe44abdec1089229aab38f9d631ccb1b3e025fa64bca3521c

Download Submit
C:\Users\Admin\AppData\Local\Temp\08139ad8453d264535a77caeb94445bbd565e6c6.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\08139ad8453d264535a77caeb94445bbd565e6c6.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\08139ad8453d264535a77caeb94445bbd565e6c6.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Users\Admin\AppData\Local\Temp\36fbe1e0-bdc5-4aad-ab88-c5b3185b5067.vbs

Filesize
514B

MD5
38b111c8ba39e04db38b60154bc2f004

SHA1
1583e30f421401fa3230dba087c8c98d1955b6fc

SHA256
312f2517cccc5190696da8c633eed9d1ce3b371826a1d605a6e4b64d290d1569

SHA512
71c146c6db93f4104c6d75a613f4f7dd1e418f66e3873ab50c89d639a4070b2d7368614732b17b84948601b10db880c58db14767460edb3b6ccb9f25ca5cb3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\36fbe1e0-bdc5-4aad-ab88-c5b3185b5067.vbs

Filesize
514B

MD5
38b111c8ba39e04db38b60154bc2f004

SHA1
1583e30f421401fa3230dba087c8c98d1955b6fc

SHA256
312f2517cccc5190696da8c633eed9d1ce3b371826a1d605a6e4b64d290d1569

SHA512
71c146c6db93f4104c6d75a613f4f7dd1e418f66e3873ab50c89d639a4070b2d7368614732b17b84948601b10db880c58db14767460edb3b6ccb9f25ca5cb3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ce8536c-64bf-4a84-ab68-220490553d6a.vbs

Filesize
514B

MD5
38b111c8ba39e04db38b60154bc2f004

SHA1
1583e30f421401fa3230dba087c8c98d1955b6fc

SHA256
312f2517cccc5190696da8c633eed9d1ce3b371826a1d605a6e4b64d290d1569

SHA512
71c146c6db93f4104c6d75a613f4f7dd1e418f66e3873ab50c89d639a4070b2d7368614732b17b84948601b10db880c58db14767460edb3b6ccb9f25ca5cb3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\54bf2bd3-6080-4ee6-88e3-0ece8e3433e5.vbs

Filesize
738B

MD5
fa38ec4fa4aad1e556aa28d3dff05dfa

SHA1
ab53e4232bf5a82af4a817b85ce91dbbf4df7571

SHA256
15557162ab55ad62d49446bcb22058cbb3da97448f2a933644c83e179a0c4928

SHA512
c3800b2f1319bb180af3df4e9a96b78a52a6821fc5df7ed6d0157a4ccff1caeea637cac2ffbe14740c66cb02ef4245b2016bf10d006e2b3075eca1cf9dc64559

Download Submit
C:\Users\Admin\AppData\Local\Temp\6698c21f-f9be-4f5d-b556-274d3d2791bc.vbs

Filesize
738B

MD5
efddda6e3210b92a819e899e31fff1e2

SHA1
ac1dee974321cdd74b4d519c7106f08e7c766af5

SHA256
63837dea3f7e9ddd9263c5366bf998b08810f294d96dc4d52603f7a8ab9c48a5

SHA512
08568af08628e693240b2b3bee94bf5595e282b75f4bb91b0cdbc2d6c22ad3153a1c634fe98aee57feb034a6f415a4cc80498c0a8108423c819b6ef80ae7e0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a00e666-6ef9-4d1f-9dba-ee803edb83ff.vbs

Filesize
514B

MD5
38b111c8ba39e04db38b60154bc2f004

SHA1
1583e30f421401fa3230dba087c8c98d1955b6fc

SHA256
312f2517cccc5190696da8c633eed9d1ce3b371826a1d605a6e4b64d290d1569

SHA512
71c146c6db93f4104c6d75a613f4f7dd1e418f66e3873ab50c89d639a4070b2d7368614732b17b84948601b10db880c58db14767460edb3b6ccb9f25ca5cb3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c7f5146-87e6-4f05-a9d0-cc053e604cad.vbs

Filesize
514B

MD5
38b111c8ba39e04db38b60154bc2f004

SHA1
1583e30f421401fa3230dba087c8c98d1955b6fc

SHA256
312f2517cccc5190696da8c633eed9d1ce3b371826a1d605a6e4b64d290d1569

SHA512
71c146c6db93f4104c6d75a613f4f7dd1e418f66e3873ab50c89d639a4070b2d7368614732b17b84948601b10db880c58db14767460edb3b6ccb9f25ca5cb3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfwvg4fx.fmm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a90459b0-3369-4b62-a45b-23201202ad9a.vbs

Filesize
514B

MD5
38b111c8ba39e04db38b60154bc2f004

SHA1
1583e30f421401fa3230dba087c8c98d1955b6fc

SHA256
312f2517cccc5190696da8c633eed9d1ce3b371826a1d605a6e4b64d290d1569

SHA512
71c146c6db93f4104c6d75a613f4f7dd1e418f66e3873ab50c89d639a4070b2d7368614732b17b84948601b10db880c58db14767460edb3b6ccb9f25ca5cb3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccc28a02-6f22-48a2-9a5d-5ca8c5bfd5c4.vbs

Filesize
738B

MD5
c888b4def5ee0a6c225fb4df22ab29e8

SHA1
65fc46097a37c7cb67915e79e2efae418e436aba

SHA256
ead2c3eac9e414abbb059b180794dcd11e414f5f5da06e946dff2735a15942eb

SHA512
b2ad4174a4a90acc0da5cb05da4096fc5c378591481c531d8bb59d64d7916f04ccf512f239d7d82d19464b9d9b6302b3ddcbde02a0dc4211b21aa71ebfea2e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec13f237-f9ff-4d66-a035-64e494501ee5.vbs

Filesize
738B

MD5
1de0090cced8d95daf7d5652bbc9cbb7

SHA1
bc1fcbb6980e8e1cf0e11beece6dbb5e63407c14

SHA256
ef7fdaa8915bb250120c604356a518575c35216bd05d48e602646a87a0f0515c

SHA512
e82d095d4bbb4a60838167ca536cd2df6b591aad8be5d2ca312a2bbb3b618730adbfd02faaa5ae45bf8ba7bf9b4aef541f6aae9786eb5b19b2d6f11cc0bcef27

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc6aa6a9-5dbf-44d6-868e-0ac6375a667e.vbs

Filesize
738B

MD5
89e29ae8f5cfd13971461da55c56d13b

SHA1
272310ad959649fdd948e09626d8c689d2c4739c

SHA256
6a42e2a3b11251cc23559e7e529afc2a32310c601209153c9c6c8538eb74851e

SHA512
2c90fa8673031d0283521b10fb72426e4e51ef6b1cb3bef29f2db8ffa0e34ba9a9c14744b2c6c51891a1a1749421edcef0e50b3d5d68ea6a77abeff4deb751de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2EBC.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2EBC.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2EBC.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EC4.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EC4.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EC4.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6397.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6397.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6397.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CE2.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9CE2.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E43.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E43.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E43.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F9.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F9.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F9.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1C4.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQ25hERLBD.bat

Filesize
227B

MD5
3f40f9b6bba30aed99e95168eae63f01

SHA1
80000855b14247f9e9ca89d435cdb5feeaa35513

SHA256
f366e7e71c597482e89ec0dcaafb834f3529729f248a886660a269e122600d7a

SHA512
9764197b89068a50db3cc2419d5de4b7678f800725f6798dea14ed67b28387be2187fae3dadb4dbb987d7d6ff9b0dd958c2db8db38d51786319e4b622e214211

Download Submit
C:\Windows\5779722125.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\5779722125.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\5779722125.exe

Filesize
5.7MB

MD5
44e4646b76a889c2115bdacc6e63ba2a

SHA1
efe7c1dae715922ff19121ff4f0e97ca904ee536

SHA256
91169afa1085d0402983787772694f1e19f08f62c636683cf73e30cc9299bee8

SHA512
b4fc6250eb1b250e78571ecab8b301adcbb5f25a4faf42842f95bf8f73c8a3ba5ac2f64190e7f450a738aff4d495816ab9c7b4c894ff04db5754b5561c60717d

Download Submit
C:\Windows\Blitz.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\Blitz.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\Blitz.exe

Filesize
461KB

MD5
9c30b653d66d104fa03e85c9c5987c19

SHA1
1db5a95ca0e2303bc7bc69ce1259e59594cbeb4d

SHA256
6f38484383e3301e91664d2cf8cfdc9347c37fa2c11e9c03838484745f6f1ba2

SHA512
464b6e92be6e4c0b74161a1d3eecccd766e4ced0c7940ab235cc96e80703b391cf56142c6c256d8fd45498949fde9f5cc5a8977d89752fac0cca133410c4744d

Download Submit
C:\Windows\XboxUpdate.exe

Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
C:\Windows\XboxUpdate.exe

Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
C:\Windows\XboxUpdate.exe

Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
memory/956-184-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/956-157-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1124-193-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1124-81-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/1124-276-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1124-68-0x0000000005580000-0x00000000055A2000-memory.dmp

Filesize
136KB

Download
memory/1124-189-0x0000000006280000-0x00000000062CC000-memory.dmp

Filesize
304KB

Download
memory/1124-58-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1124-180-0x0000000004A60000-0x0000000004A7E000-memory.dmp

Filesize
120KB

Download
memory/1124-182-0x0000000073B20000-0x00000000742D0000-memory.dmp

Filesize
7.7MB

Download
memory/1124-91-0x0000000005990000-0x0000000005CE4000-memory.dmp

Filesize
3.3MB

Download
memory/1124-53-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1124-188-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1124-56-0x0000000073B20000-0x00000000742D0000-memory.dmp

Filesize
7.7MB

Download
memory/1124-55-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/1124-74-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/1124-51-0x0000000004750000-0x0000000004786000-memory.dmp

Filesize
216KB

Download
memory/1224-155-0x0000000000690000-0x00000000006A6000-memory.dmp

Filesize
88KB

Download
memory/1268-195-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/1268-161-0x000000001C940000-0x000000001C94C000-memory.dmp

Filesize
48KB

Download
memory/1268-116-0x0000000002C20000-0x0000000002C2C000-memory.dmp

Filesize
48KB

Download
memory/1268-125-0x000000001C770000-0x000000001C778000-memory.dmp

Filesize
32KB

Download
memory/1268-126-0x000000001C780000-0x000000001C78C000-memory.dmp

Filesize
48KB

Download
memory/1268-191-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/1268-73-0x0000000001290000-0x000000000129E000-memory.dmp

Filesize
56KB

Download
memory/1268-143-0x000000001C900000-0x000000001C90E000-memory.dmp

Filesize
56KB

Download
memory/1268-165-0x00007FF9BA6B0000-0x00007FF9BB171000-memory.dmp

Filesize
10.8MB

Download
memory/1268-135-0x000000001C7A0000-0x000000001C7A8000-memory.dmp

Filesize
32KB

Download
memory/1268-90-0x000000001C250000-0x000000001C2A0000-memory.dmp

Filesize
320KB

Download
memory/1268-140-0x000000001C7B0000-0x000000001C7BA000-memory.dmp

Filesize
40KB

Download
memory/1268-44-0x00007FF9BA6B0000-0x00007FF9BB171000-memory.dmp

Filesize
10.8MB

Download
memory/1268-105-0x0000000002C00000-0x0000000002C0A000-memory.dmp

Filesize
40KB

Download
memory/1268-137-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/1268-57-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/1268-35-0x00000000004D0000-0x0000000000A92000-memory.dmp

Filesize
5.8MB

Download
memory/1268-129-0x000000001C790000-0x000000001C79C000-memory.dmp

Filesize
48KB

Download
memory/1268-158-0x000000001C930000-0x000000001C93C000-memory.dmp

Filesize
48KB

Download
memory/1268-61-0x000000001BAF0000-0x000000001BC4E000-memory.dmp

Filesize
1.4MB

Download
memory/1268-153-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/1268-99-0x000000001B750000-0x000000001B766000-memory.dmp

Filesize
88KB

Download
memory/1268-101-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/1268-144-0x000000001C910000-0x000000001C918000-memory.dmp

Filesize
32KB

Download
memory/1268-151-0x000000001C920000-0x000000001C92E000-memory.dmp

Filesize
56KB

Download
memory/1268-95-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/1268-274-0x000000001CBA0000-0x000000001CCA0000-memory.dmp

Filesize
1024KB

Download
memory/1268-139-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/1268-93-0x0000000002BC0000-0x0000000002BC8000-memory.dmp

Filesize
32KB

Download
memory/1268-87-0x00000000012A0000-0x00000000012BC000-memory.dmp

Filesize
112KB

Download
memory/1676-94-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-124-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-149-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-47-0x00007FF9BA6B0000-0x00007FF9BB171000-memory.dmp

Filesize
10.8MB

Download
memory/1676-202-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-159-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-200-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-186-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/1676-187-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-198-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-192-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-196-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-183-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-175-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-179-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-48-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/1676-34-0x0000000000590000-0x0000000000800000-memory.dmp

Filesize
2.4MB

Download
memory/1676-173-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-172-0x00007FF9BA6B0000-0x00007FF9BB171000-memory.dmp

Filesize
10.8MB

Download
memory/1676-168-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-163-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-142-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-136-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-133-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-130-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-52-0x00000000029C0000-0x0000000002A46000-memory.dmp

Filesize
536KB

Download
memory/1676-115-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-54-0x000000001B830000-0x000000001B8D6000-memory.dmp

Filesize
664KB

Download
memory/1676-113-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-59-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-103-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-100-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-62-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-88-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-75-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-71-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-69-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-66-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/1676-64-0x000000001B830000-0x000000001B8D2000-memory.dmp

Filesize
648KB

Download
memory/3400-96-0x0000000002C60000-0x0000000002C72000-memory.dmp

Filesize
72KB

Download
memory/3400-60-0x00000000012B0000-0x00000000012C0000-memory.dmp

Filesize
64KB

Download
memory/3400-112-0x00000000012B0000-0x00000000012C0000-memory.dmp

Filesize
64KB

Download
memory/3400-98-0x000000001DE00000-0x000000001DE3C000-memory.dmp

Filesize
240KB

Download
memory/3400-270-0x00000000012B0000-0x00000000012C0000-memory.dmp

Filesize
64KB

Download
memory/3400-50-0x0000000000790000-0x0000000000976000-memory.dmp

Filesize
1.9MB

Download
memory/3400-49-0x00007FF9BA6B0000-0x00007FF9BB171000-memory.dmp

Filesize
10.8MB

Download
memory/3400-176-0x00007FF9BA6B0000-0x00007FF9BB171000-memory.dmp

Filesize
10.8MB

Download
memory/3400-178-0x00000000012B0000-0x00000000012C0000-memory.dmp

Filesize
64KB

Download
memory/4664-148-0x0000000000B60000-0x0000000000B76000-memory.dmp

Filesize
88KB

Download