dcrat | 7efd49f4c002fbe6c0380ae3da89cab96456090a2a9ea148fec6fc5263433d78

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-01-2023 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b68945406413301b4a5195cda123ef91.exe
Size

2.3MB
MD5

b68945406413301b4a5195cda123ef91
SHA1

3ee195713743c21c2d0576a4c37a3bb2687f601a
SHA256

7efd49f4c002fbe6c0380ae3da89cab96456090a2a9ea148fec6fc5263433d78
SHA512

ff6686870938b901d765af2085f60cb1a7a7698c14a6e2c41d0f03c536e0c4fa894cdb4c455904197c5cd2c282e049b230014c99c3f318ea1536f7e21ff5ade5
SSDEEP

49152:4EAW6oV1uWgMzCAKcNqGAonnXvjGt8YxKIh3i2L:bADWgmNqGAKKBli

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	468	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2032-54-0x0000000000940000-0x0000000000B94000-memory.dmp	dcrat
C:\Windows\SchCache\dwm.exe	dcrat
C:\Windows\SchCache\dwm.exe	dcrat
behavioral1/memory/3056-115-0x0000000000B80000-0x0000000000DD4000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

dwm.exe

pid process

3056 dwm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3056	dwm.exe

Drops file in Program Files directory 10 IoCs

Processes:

b68945406413301b4a5195cda123ef91.exe

description	ioc	process
File created	C:\Program Files\Common Files\Services\7a0fd90576e088	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX82BC.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX8F9B.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Program Files\Common Files\Services\explorer.exe	b68945406413301b4a5195cda123ef91.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe	b68945406413301b4a5195cda123ef91.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\69ddcba757bf72	b68945406413301b4a5195cda123ef91.exe
File created	C:\Program Files\Common Files\Services\explorer.exe	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX859A.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX8CBD.tmp	b68945406413301b4a5195cda123ef91.exe

Drops file in Windows directory 30 IoCs

Processes:

b68945406413301b4a5195cda123ef91.exe

description	ioc	process
File opened for modification	C:\Windows\PLA\Templates\RCX5A7C.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\SchCache\RCX717A.tmp	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\Logs\HomeGroup\taskhost.exe	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\ShellNew\RCX465C.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\ShellNew\lsm.exe	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\PLA\Templates\dwm.exe	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCX7B8A.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\taskhost.exe	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\PLA\Templates\6cb0b6c459d5d3	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\fr-FR\csrss.exe	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\Logs\HomeGroup\taskhost.exe	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\PLA\Templates\RCX5D5A.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\fr-FR\RCX676A.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\SchCache\dwm.exe	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\ShellNew\lsm.exe	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\ShellNew\101b941d020240	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\fr-FR\csrss.exe	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\Resources\Ease of Access Themes\b75386f1303e64	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\Logs\HomeGroup\RCX351A.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\ShellNew\RCX493A.tmp	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\PLA\Templates\dwm.exe	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\SchCache\6cb0b6c459d5d3	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\Resources\Ease of Access Themes\taskhost.exe	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\Logs\HomeGroup\RCX323C.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\fr-FR\RCX648C.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\SchCache\RCX6E9C.tmp	b68945406413301b4a5195cda123ef91.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCX78AC.tmp	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\Logs\HomeGroup\b75386f1303e64	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\fr-FR\886983d96e3d3e	b68945406413301b4a5195cda123ef91.exe
File created	C:\Windows\SchCache\dwm.exe	b68945406413301b4a5195cda123ef91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1764	schtasks.exe
848	schtasks.exe
1700	schtasks.exe
1056	schtasks.exe
1244	schtasks.exe
2052	schtasks.exe
1744	schtasks.exe
2044	schtasks.exe
788	schtasks.exe
960	schtasks.exe
1924	schtasks.exe
2024	schtasks.exe
1616	schtasks.exe
1544	schtasks.exe
1384	schtasks.exe
888	schtasks.exe
1980	schtasks.exe
1596	schtasks.exe
520	schtasks.exe
1756	schtasks.exe
1612	schtasks.exe
1368	schtasks.exe
1772	schtasks.exe
844	schtasks.exe
1724	schtasks.exe
1008	schtasks.exe
952	schtasks.exe
1536	schtasks.exe
1212	schtasks.exe
2020	schtasks.exe
1492	schtasks.exe
1516	schtasks.exe
1844	schtasks.exe
1804	schtasks.exe
324	schtasks.exe
1360	schtasks.exe
816	schtasks.exe
620	schtasks.exe
1484	schtasks.exe
1416	schtasks.exe
760	schtasks.exe
428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

b68945406413301b4a5195cda123ef91.exedwm.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2032	b68945406413301b4a5195cda123ef91.exe
3056	dwm.exe
2108	powershell.exe
2132	powershell.exe
2320	powershell.exe
2176	powershell.exe
2456	powershell.exe
2380	powershell.exe
2308	powershell.exe
2152	powershell.exe
2416	powershell.exe
2272	powershell.exe
2224	powershell.exe
3056	dwm.exe
3056	dwm.exe
3056	dwm.exe
3056	dwm.exe
2256	powershell.exe
2120	powershell.exe
2208	powershell.exe
2348	powershell.exe
3056	dwm.exe
3056	dwm.exe
3056	dwm.exe
3056	dwm.exe
3056	dwm.exe
3056	dwm.exe
3056	dwm.exe
3056	dwm.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2032	b68945406413301b4a5195cda123ef91.exe
Token: SeDebugPrivilege	3056	dwm.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeBackupPrivilege	2920	vssvc.exe
Token: SeRestorePrivilege	2920	vssvc.exe
Token: SeAuditPrivilege	2920	vssvc.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

b68945406413301b4a5195cda123ef91.execmd.exedwm.exe

description	pid	process	target process
PID 2032 wrote to memory of 2108	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2108	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2108	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2120	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2120	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2120	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2132	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2132	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2132	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2152	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2152	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2152	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2176	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2176	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2176	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2208	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2208	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2208	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2224	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2224	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2224	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2256	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2256	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2256	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2272	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2272	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2272	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2308	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2308	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2308	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2320	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2320	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2320	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2348	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2348	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2348	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2380	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2380	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2380	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2416	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2416	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2416	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2456	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2456	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2456	2032	b68945406413301b4a5195cda123ef91.exe	powershell.exe
PID 2032 wrote to memory of 2524	2032	b68945406413301b4a5195cda123ef91.exe	cmd.exe
PID 2032 wrote to memory of 2524	2032	b68945406413301b4a5195cda123ef91.exe	cmd.exe
PID 2032 wrote to memory of 2524	2032	b68945406413301b4a5195cda123ef91.exe	cmd.exe
PID 2524 wrote to memory of 3040	2524	cmd.exe	w32tm.exe
PID 2524 wrote to memory of 3040	2524	cmd.exe	w32tm.exe
PID 2524 wrote to memory of 3040	2524	cmd.exe	w32tm.exe
PID 2524 wrote to memory of 3056	2524	cmd.exe	dwm.exe
PID 2524 wrote to memory of 3056	2524	cmd.exe	dwm.exe
PID 2524 wrote to memory of 3056	2524	cmd.exe	dwm.exe
PID 3056 wrote to memory of 1888	3056	dwm.exe	WScript.exe
PID 3056 wrote to memory of 1888	3056	dwm.exe	WScript.exe
PID 3056 wrote to memory of 1888	3056	dwm.exe	WScript.exe
PID 3056 wrote to memory of 2016	3056	dwm.exe	WScript.exe
PID 3056 wrote to memory of 2016	3056	dwm.exe	WScript.exe
PID 3056 wrote to memory of 2016	3056	dwm.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\b68945406413301b4a5195cda123ef91.exe
"C:\Users\Admin\AppData\Local\Temp\b68945406413301b4a5195cda123ef91.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b68945406413301b4a5195cda123ef91.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\WMIADAP.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\taskhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\lsm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\taskhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\explorer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\lsass.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDsH0VSHM7.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:3040

C:\Windows\SchCache\dwm.exe
"C:\Windows\SchCache\dwm.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee4637fd-f11a-48b6-b639-00a8f9ad8011.vbs"
4⤵
PID:1888

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da57e270-f017-469b-89c5-6ce91654381c.vbs"
4⤵
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Admin\Music\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\HomeGroup\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SchCache\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Services\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZDsH0VSHM7.bat
Filesize
192B

MD5
338714d7b11e177484c1f9da56592fef

SHA1
3e53fe1ac5006e68cfcc8d261ff7c2ee379b1553

SHA256
258d3f6bbb698a3247af2853e8a4eb45f9cd2909d232feddb2bd5f11c48dfe32

SHA512
d6b81f266937cbc5d0a83350b2bdd4a4f81b50729760d386f4ce5349c141c20154b613cfc39bdbadec34aa56bb144987e583c34516d0ec0641f21f0d1581608c

Download Submit
C:\Users\Admin\AppData\Local\Temp\da57e270-f017-469b-89c5-6ce91654381c.vbs
Filesize
479B

MD5
0788438a8dcc093e061ce8cd47b97852

SHA1
f425362d2a8505f92cb6154cf63ba995f1d94191

SHA256
fb4669a49707538c26f14643969930a5cac39bc03dd68a95a6a34766c92fa5ab

SHA512
2855aa6251ebe0ae258304d31b67382b58fe94aa87bcf745a90b48e7297bc4163ac69a37f9b06983b5004375086d343c2f73b2fcb5dc8f76d58d425d12bb12d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee4637fd-f11a-48b6-b639-00a8f9ad8011.vbs
Filesize
703B

MD5
79d37b19bf540a9207bc4774f5cd4ac6

SHA1
e95d46a1afe7ac232ad232da000f63766d1a3e19

SHA256
aa8673c6afa13a1ae4d1237e1f7dca9ac9bcfb5cc375f073485e8290373503df

SHA512
06d8818c927f4edfb4e4cb5aa51b6c53236d5505eed22ae620353c8dfac4a03c7d854b7f9b1b03855e5b6ecf3202fb6b4004afcb74bfc1935933ab62e97d7be6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
97f6ae88cb0ba25cbf0b8f50231ea152

SHA1
17eaf562cbbb04dcb6b7a1c7ff4a1eea082e61c7

SHA256
f8093e2dcae06868a14737726512284e1b9173376472a1b3f368ca28894a5312

SHA512
80de03e0c4872eb1a35d27c2301f9c45644ea78460fdcd42d3511af9246c7c3dc68c5fd5a691c6392ace0da710d03376a6fe3726c24d618f945cd273c01d9932

Download Submit
C:\Windows\SchCache\dwm.exe
Filesize
2.3MB

MD5
cea155bd334216a500327b69af539709

SHA1
35091f175db7aa3ca4cf9586d9a7cbe39371c505

SHA256
003a19c0163ed1f49be12fa1fe23178bf6f5cc2b2a8b80f22fa58a9baa69986b

SHA512
b693ec139eb98186b9a94f39b8ffb41c138e7d9a23b83663d480c162443eec4e2baed68a14f16df26614e0691efc11966635714eea54fdae11a6c4f26302d975

Download Submit
C:\Windows\SchCache\dwm.exe
Filesize
2.3MB

MD5
cea155bd334216a500327b69af539709

SHA1
35091f175db7aa3ca4cf9586d9a7cbe39371c505

SHA256
003a19c0163ed1f49be12fa1fe23178bf6f5cc2b2a8b80f22fa58a9baa69986b

SHA512
b693ec139eb98186b9a94f39b8ffb41c138e7d9a23b83663d480c162443eec4e2baed68a14f16df26614e0691efc11966635714eea54fdae11a6c4f26302d975

Download Submit
memory/1888-117-0x0000000000000000-mapping.dmp

Download
memory/2016-118-0x0000000000000000-mapping.dmp

Download
memory/2032-62-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/2032-55-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2032-56-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2032-57-0x0000000000570000-0x0000000000586000-memory.dmp

Filesize
88KB

Download
memory/2032-58-0x00000000008B0000-0x0000000000906000-memory.dmp

Filesize
344KB

Download
memory/2032-59-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2032-60-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2032-54-0x0000000000940000-0x0000000000B94000-memory.dmp

Filesize
2.3MB

Download
memory/2032-61-0x0000000000900000-0x0000000000908000-memory.dmp

Filesize
32KB

Download
memory/2108-197-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2108-63-0x0000000000000000-mapping.dmp

Download
memory/2108-90-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2108-140-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2108-133-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2108-200-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/2108-167-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2108-76-0x000007FEFB7C1000-0x000007FEFB7C3000-memory.dmp

Filesize
8KB

Download
memory/2108-155-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/2120-215-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/2120-153-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2120-162-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2120-64-0x0000000000000000-mapping.dmp

Download
memory/2120-179-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2120-134-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2120-188-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/2132-65-0x0000000000000000-mapping.dmp

Download
memory/2132-137-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2132-170-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/2132-96-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2132-199-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/2132-196-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/2132-156-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/2132-143-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/2152-157-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2152-203-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/2152-186-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/2152-129-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2152-66-0x0000000000000000-mapping.dmp

Download
memory/2152-146-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/2152-205-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/2152-208-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/2152-173-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/2176-193-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/2176-165-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/2176-67-0x0000000000000000-mapping.dmp

Download
memory/2176-194-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/2176-94-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2176-132-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2176-139-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/2176-180-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/2208-175-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/2208-164-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2208-148-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/2208-124-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2208-68-0x0000000000000000-mapping.dmp

Download
memory/2224-190-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

Filesize
3.0MB

Download
memory/2224-147-0x0000000001ED4000-0x0000000001ED7000-memory.dmp

Filesize
12KB

Download
memory/2224-128-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2224-160-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2224-174-0x0000000001ED4000-0x0000000001ED7000-memory.dmp

Filesize
12KB

Download
memory/2224-69-0x0000000000000000-mapping.dmp

Download
memory/2256-177-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/2256-121-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2256-70-0x0000000000000000-mapping.dmp

Download
memory/2256-151-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/2256-161-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2272-181-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/2272-71-0x0000000000000000-mapping.dmp

Download
memory/2272-154-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/2272-130-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2272-211-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/2272-159-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2272-213-0x000000000237B000-0x000000000239A000-memory.dmp

Filesize
124KB

Download
memory/2272-201-0x000000000237B000-0x000000000239A000-memory.dmp

Filesize
124KB

Download
memory/2308-210-0x00000000023BB000-0x00000000023DA000-memory.dmp

Filesize
124KB

Download
memory/2308-144-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/2308-207-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/2308-125-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2308-72-0x0000000000000000-mapping.dmp

Download
memory/2308-138-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2308-171-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/2308-204-0x00000000023BB000-0x00000000023DA000-memory.dmp

Filesize
124KB

Download
memory/2320-73-0x0000000000000000-mapping.dmp

Download
memory/2320-198-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/2320-127-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2320-195-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2320-141-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2320-168-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2320-166-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/2320-135-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2348-74-0x0000000000000000-mapping.dmp

Download
memory/2348-176-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/2348-163-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2348-123-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2348-150-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/2380-142-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2380-122-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2380-214-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/2380-169-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2380-136-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2380-75-0x0000000000000000-mapping.dmp

Download
memory/2380-212-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2380-183-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/2416-178-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/2416-77-0x0000000000000000-mapping.dmp

Download
memory/2416-152-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/2416-158-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2416-187-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/2416-131-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2456-206-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/2456-145-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/2456-172-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/2456-126-0x000007FEEB940000-0x000007FEEC363000-memory.dmp

Filesize
10.1MB

Download
memory/2456-149-0x000007FEEA390000-0x000007FEEAEED000-memory.dmp

Filesize
11.4MB

Download
memory/2456-209-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/2456-79-0x0000000000000000-mapping.dmp

Download
memory/2456-202-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/2456-182-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/2524-83-0x0000000000000000-mapping.dmp

Download
memory/3040-111-0x0000000000000000-mapping.dmp

Download
memory/3056-113-0x0000000000000000-mapping.dmp

Download
memory/3056-115-0x0000000000B80000-0x0000000000DD4000-memory.dmp

Filesize
2.3MB

Download
memory/3056-116-0x0000000000940000-0x0000000000996000-memory.dmp

Filesize
344KB

Download