dcrat | 7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f

max time kernel
1800s
max time network
1801s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26/08/2023, 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YammiBeta.exe
Size

1.1MB
MD5

6b5050c12abc27bad622f9af8ed7ebe3
SHA1

506be642a7d276c783bfd32a754a9bd1373abaea
SHA256

7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
SHA512

22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
SSDEEP

24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2844	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2844	schtasks.exe	35

DCRat payload 46 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000012022-11.dat	dcrat
behavioral1/files/0x0009000000012022-14.dat	dcrat
behavioral1/files/0x0009000000012022-15.dat	dcrat
behavioral1/files/0x0031000000015eb4-25.dat	dcrat
behavioral1/files/0x0031000000015eb4-26.dat	dcrat
behavioral1/files/0x0031000000015eb4-27.dat	dcrat
behavioral1/files/0x0031000000015eb4-28.dat	dcrat
behavioral1/memory/268-29-0x0000000001210000-0x0000000001390000-memory.dmp	dcrat
behavioral1/files/0x0006000000018b5c-48.dat	dcrat
behavioral1/files/0x0031000000015eb4-72.dat	dcrat
behavioral1/files/0x0005000000019bf4-314.dat	dcrat
behavioral1/files/0x0005000000019bf4-313.dat	dcrat
behavioral1/files/0x0005000000019384-430.dat	dcrat
behavioral1/files/0x0005000000019384-429.dat	dcrat
behavioral1/files/0x0005000000019462-435.dat	dcrat
behavioral1/files/0x0005000000019462-437.dat	dcrat
behavioral1/files/0x00050000000194c2-436.dat	dcrat
behavioral1/files/0x00050000000194c2-438.dat	dcrat
behavioral1/files/0x00050000000195c2-448.dat	dcrat
behavioral1/files/0x00050000000195c2-447.dat	dcrat
behavioral1/files/0x0005000000019487-456.dat	dcrat
behavioral1/files/0x0006000000019bf3-455.dat	dcrat
behavioral1/files/0x0005000000019487-454.dat	dcrat
behavioral1/files/0x0006000000019bf3-453.dat	dcrat
behavioral1/files/0x0006000000018bb4-466.dat	dcrat
behavioral1/files/0x0006000000018bb4-468.dat	dcrat
behavioral1/files/0x000b000000012343-467.dat	dcrat
behavioral1/files/0x000b000000012343-465.dat	dcrat
behavioral1/files/0x0005000000019384-479.dat	dcrat
behavioral1/files/0x0006000000018b5c-478.dat	dcrat
behavioral1/files/0x0006000000018b5c-481.dat	dcrat
behavioral1/files/0x0007000000016607-480.dat	dcrat
behavioral1/files/0x0007000000016607-484.dat	dcrat
behavioral1/files/0x0005000000019bf4-498.dat	dcrat
behavioral1/files/0x0006000000018b8b-497.dat	dcrat
behavioral1/files/0x0006000000018b8b-500.dat	dcrat
behavioral1/files/0x00050000000194c2-511.dat	dcrat
behavioral1/files/0x00050000000195b4-510.dat	dcrat
behavioral1/files/0x00050000000195a6-509.dat	dcrat
behavioral1/files/0x00050000000195a6-508.dat	dcrat
behavioral1/files/0x00050000000195b4-513.dat	dcrat
behavioral1/files/0x0005000000019462-518.dat	dcrat
behavioral1/files/0x0009000000016b96-530.dat	dcrat
behavioral1/files/0x0009000000016b96-531.dat	dcrat
behavioral1/files/0x00050000000195c2-537.dat	dcrat
behavioral1/files/0x0005000000019384-541.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 52 IoCs

pid	Process
2868	Loader.exe
268	MsServerfont.exe
560	MsServerfont.exe
1892	lsm.exe
1764	cmd.exe
772	MsServerfont.exe
1800	csrss.exe
2240	winlogon.exe
1692	smss.exe
1936	WMIADAP.exe
2344	schtasks.exe
2772	Idle.exe
2584	cmd.exe
2236	System.exe
2020	wininit.exe
2472	lsm.exe
2376	sppsvc.exe
812	taskhost.exe
2988	csrss.exe
1724	conhost.exe
2744	MsServerfont.exe
2060	explorer.exe
1532	winlogon.exe
2396	cmd.exe
1164	smss.exe
2640	WMIADAP.exe
2388	Idle.exe
396	csrss.exe
816	schtasks.exe
268	MsServerfont.exe
2216	System.exe
3068	cmd.exe
1344	wininit.exe
2720	winlogon.exe
1964	sppsvc.exe
2648	lsm.exe
2728	taskhost.exe
2788	MsServerfont.exe
652	WMIADAP.exe
1720	smss.exe
1920	conhost.exe
1468	csrss.exe
2084	cmd.exe
2932	explorer.exe
2196	schtasks.exe
588	Idle.exe
904	winlogon.exe
1484	csrss.exe
1712	cmd.exe
2020	System.exe
2756	MsServerfont.exe
2244	wininit.exe

Loads dropped DLL 3 IoCs

pid	Process
1260	YammiBeta.exe
2496	cmd.exe
2496	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ipinfo.io
10	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1260	YammiBeta.exe
1260	YammiBeta.exe
1260	YammiBeta.exe
1260	YammiBeta.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6ccacd8608530f	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\cc11b995f2a76d	MsServerfont.exe
File created	C:\Program Files\Windows Mail\it-IT\conhost.exe	MsServerfont.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\7a0fd90576e088	MsServerfont.exe
File created	C:\Program Files\Common Files\System\ja-JP\System.exe	MsServerfont.exe
File created	C:\Program Files\Common Files\System\ja-JP\27d1bcfc3c54e0	MsServerfont.exe
File created	C:\Program Files\Windows Mail\it-IT\088424020bedd6	MsServerfont.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe	MsServerfont.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe	MsServerfont.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\b75386f1303e64	MsServerfont.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe	MsServerfont.exe
File created	C:\Windows\assembly\GAC_64\ISymWrapper\75a57c1bdf437c	MsServerfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2364	schtasks.exe
1292	schtasks.exe
2960	schtasks.exe
832	schtasks.exe
2520	schtasks.exe
2324	schtasks.exe
2192	schtasks.exe
2100	schtasks.exe
872	schtasks.exe
1392	schtasks.exe
2736	schtasks.exe
2464	schtasks.exe
1424	schtasks.exe
1984	schtasks.exe
1656	schtasks.exe
1764	schtasks.exe
904	schtasks.exe
1068	schtasks.exe
1768	schtasks.exe
2848	schtasks.exe
976	schtasks.exe
320	schtasks.exe
3056	schtasks.exe
1888	schtasks.exe
1988	schtasks.exe
2708	schtasks.exe
948	schtasks.exe
1596	schtasks.exe
1640	schtasks.exe
1608	schtasks.exe
3016	schtasks.exe
1916	schtasks.exe
816	schtasks.exe
2392	schtasks.exe
1880	schtasks.exe
1100	schtasks.exe
1536	schtasks.exe
2444	schtasks.exe
1088	schtasks.exe
2104	schtasks.exe
1404	schtasks.exe
1548	schtasks.exe
1076	schtasks.exe
396	schtasks.exe
2412	schtasks.exe
1808	schtasks.exe
1528	schtasks.exe
2220	schtasks.exe
1164	schtasks.exe
1048	schtasks.exe
2360	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	lsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	lsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsm.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
268	MsServerfont.exe
268	MsServerfont.exe
268	MsServerfont.exe
268	MsServerfont.exe
268	MsServerfont.exe
268	MsServerfont.exe
268	MsServerfont.exe
560	MsServerfont.exe
1908	powershell.exe
2420	powershell.exe
2136	powershell.exe
2080	powershell.exe
1524	powershell.exe
2028	powershell.exe
1632	powershell.exe
2380	powershell.exe
2808	powershell.exe
2784	powershell.exe
2948	powershell.exe
2800	powershell.exe
312	powershell.exe
2776	powershell.exe
1500	powershell.exe
1052	powershell.exe
2984	powershell.exe
1480	powershell.exe
772	powershell.exe
2892	powershell.exe
1424	powershell.exe
1280	powershell.exe
1684	powershell.exe
2952	powershell.exe
1892	lsm.exe
1892	lsm.exe
1892	lsm.exe
1892	lsm.exe
1892	lsm.exe
1892	lsm.exe
1892	lsm.exe
1892	lsm.exe
1892	lsm.exe
1892	lsm.exe
1892	lsm.exe
1892	lsm.exe
1892	lsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1892	lsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	YammiBeta.exe
Token: SeDebugPrivilege	268	MsServerfont.exe
Token: SeDebugPrivilege	560	MsServerfont.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1892	lsm.exe
Token: SeDebugPrivilege	1764	cmd.exe
Token: SeDebugPrivilege	1800	csrss.exe
Token: SeDebugPrivilege	772	MsServerfont.exe
Token: SeDebugPrivilege	2240	winlogon.exe
Token: SeDebugPrivilege	1692	smss.exe
Token: SeDebugPrivilege	1936	WMIADAP.exe
Token: SeDebugPrivilege	2772	Idle.exe
Token: SeDebugPrivilege	2344	schtasks.exe
Token: SeDebugPrivilege	2236	System.exe
Token: SeDebugPrivilege	2584	cmd.exe
Token: SeDebugPrivilege	2020	wininit.exe
Token: SeDebugPrivilege	2472	lsm.exe
Token: SeDebugPrivilege	2376	sppsvc.exe
Token: SeDebugPrivilege	2988	csrss.exe
Token: SeDebugPrivilege	1724	conhost.exe
Token: SeDebugPrivilege	2744	MsServerfont.exe
Token: SeDebugPrivilege	812	taskhost.exe
Token: SeDebugPrivilege	2060	explorer.exe
Token: SeDebugPrivilege	1532	winlogon.exe
Token: SeDebugPrivilege	2396	cmd.exe
Token: SeDebugPrivilege	2640	WMIADAP.exe
Token: SeDebugPrivilege	1164	smss.exe
Token: SeDebugPrivilege	816	schtasks.exe
Token: SeDebugPrivilege	268	MsServerfont.exe
Token: SeDebugPrivilege	2388	Idle.exe
Token: SeDebugPrivilege	396	csrss.exe
Token: SeDebugPrivilege	2216	System.exe
Token: SeDebugPrivilege	3068	cmd.exe
Token: SeDebugPrivilege	1344	wininit.exe
Token: SeDebugPrivilege	2720	winlogon.exe
Token: SeDebugPrivilege	1964	sppsvc.exe
Token: SeDebugPrivilege	2648	lsm.exe
Token: SeDebugPrivilege	2728	taskhost.exe
Token: SeDebugPrivilege	652	WMIADAP.exe
Token: SeDebugPrivilege	2788	MsServerfont.exe
Token: SeDebugPrivilege	1720	smss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1260	YammiBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2868	1260	YammiBeta.exe	28
PID 1260 wrote to memory of 2868	1260	YammiBeta.exe	28
PID 1260 wrote to memory of 2868	1260	YammiBeta.exe	28
PID 1260 wrote to memory of 2868	1260	YammiBeta.exe	28
PID 2868 wrote to memory of 2828	2868	Loader.exe	29
PID 2868 wrote to memory of 2828	2868	Loader.exe	29
PID 2868 wrote to memory of 2828	2868	Loader.exe	29
PID 2868 wrote to memory of 2828	2868	Loader.exe	29
PID 2828 wrote to memory of 2496	2828	WScript.exe	32
PID 2828 wrote to memory of 2496	2828	WScript.exe	32
PID 2828 wrote to memory of 2496	2828	WScript.exe	32
PID 2828 wrote to memory of 2496	2828	WScript.exe	32
PID 2496 wrote to memory of 268	2496	cmd.exe	34
PID 2496 wrote to memory of 268	2496	cmd.exe	34
PID 2496 wrote to memory of 268	2496	cmd.exe	34
PID 2496 wrote to memory of 268	2496	cmd.exe	34
PID 268 wrote to memory of 1908	268	MsServerfont.exe	78
PID 268 wrote to memory of 1908	268	MsServerfont.exe	78
PID 268 wrote to memory of 1908	268	MsServerfont.exe	78
PID 268 wrote to memory of 2420	268	MsServerfont.exe	79
PID 268 wrote to memory of 2420	268	MsServerfont.exe	79
PID 268 wrote to memory of 2420	268	MsServerfont.exe	79
PID 268 wrote to memory of 1632	268	MsServerfont.exe	102
PID 268 wrote to memory of 1632	268	MsServerfont.exe	102
PID 268 wrote to memory of 1632	268	MsServerfont.exe	102
PID 268 wrote to memory of 2380	268	MsServerfont.exe	80
PID 268 wrote to memory of 2380	268	MsServerfont.exe	80
PID 268 wrote to memory of 2380	268	MsServerfont.exe	80
PID 268 wrote to memory of 2028	268	MsServerfont.exe	81
PID 268 wrote to memory of 2028	268	MsServerfont.exe	81
PID 268 wrote to memory of 2028	268	MsServerfont.exe	81
PID 268 wrote to memory of 2808	268	MsServerfont.exe	82
PID 268 wrote to memory of 2808	268	MsServerfont.exe	82
PID 268 wrote to memory of 2808	268	MsServerfont.exe	82
PID 268 wrote to memory of 1524	268	MsServerfont.exe	83
PID 268 wrote to memory of 1524	268	MsServerfont.exe	83
PID 268 wrote to memory of 1524	268	MsServerfont.exe	83
PID 268 wrote to memory of 2948	268	MsServerfont.exe	84
PID 268 wrote to memory of 2948	268	MsServerfont.exe	84
PID 268 wrote to memory of 2948	268	MsServerfont.exe	84
PID 268 wrote to memory of 2080	268	MsServerfont.exe	98
PID 268 wrote to memory of 2080	268	MsServerfont.exe	98
PID 268 wrote to memory of 2080	268	MsServerfont.exe	98
PID 268 wrote to memory of 2800	268	MsServerfont.exe	85
PID 268 wrote to memory of 2800	268	MsServerfont.exe	85
PID 268 wrote to memory of 2800	268	MsServerfont.exe	85
PID 268 wrote to memory of 2136	268	MsServerfont.exe	97
PID 268 wrote to memory of 2136	268	MsServerfont.exe	97
PID 268 wrote to memory of 2136	268	MsServerfont.exe	97
PID 268 wrote to memory of 2784	268	MsServerfont.exe	86
PID 268 wrote to memory of 2784	268	MsServerfont.exe	86
PID 268 wrote to memory of 2784	268	MsServerfont.exe	86
PID 268 wrote to memory of 560	268	MsServerfont.exe	89
PID 268 wrote to memory of 560	268	MsServerfont.exe	89
PID 268 wrote to memory of 560	268	MsServerfont.exe	89
PID 560 wrote to memory of 1424	560	MsServerfont.exe	112
PID 560 wrote to memory of 1424	560	MsServerfont.exe	112
PID 560 wrote to memory of 1424	560	MsServerfont.exe	112
PID 560 wrote to memory of 2892	560	MsServerfont.exe	113
PID 560 wrote to memory of 2892	560	MsServerfont.exe	113
PID 560 wrote to memory of 2892	560	MsServerfont.exe	113
PID 560 wrote to memory of 2952	560	MsServerfont.exe	114
PID 560 wrote to memory of 2952	560	MsServerfont.exe	114
PID 560 wrote to memory of 2952	560	MsServerfont.exe	114

C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe
"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
      - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i6FNlRHyuX.bat"
        7⤵
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1360
        
        C:\Users\Default\Downloads\lsm.exe
        
        "C:\Users\Default\Downloads\lsm.exe"
        8⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 6 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfont" /sc ONLOGON /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 6 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\it-IT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Downloads\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\taskeng.exe
taskeng.exe {7BC30B6A-13BF-4A46-8394-09D1612E11DA} S-1-5-21-1024678951-1535676557-2778719785-1000:KDGGTDCU\Admin:Interactive:[1]
1⤵
PID:2652
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Users\Default\Favorites\smss.exe
  C:\Users\Default\Favorites\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe
  C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\schtasks.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\schtasks.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe
  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Program Files\Common Files\System\ja-JP\System.exe
  "C:\Program Files\Common Files\System\ja-JP\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\wininit.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\wininit.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Users\Default\Downloads\lsm.exe
  C:\Users\Default\Downloads\lsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe
  "C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Program Files\Windows Mail\it-IT\conhost.exe
  "C:\Program Files\Windows Mail\it-IT\conhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe
  "C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Users\Default\Favorites\smss.exe
  C:\Users\Default\Favorites\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe
  C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\schtasks.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\schtasks.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe
  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Program Files\Common Files\System\ja-JP\System.exe
  "C:\Program Files\Common Files\System\ja-JP\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\wininit.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\wininit.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Users\Default\Downloads\lsm.exe
  C:\Users\Default\Downloads\lsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Users\Default\Favorites\smss.exe
  C:\Users\Default\Favorites\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe
  "C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Program Files\Windows Mail\it-IT\conhost.exe
  "C:\Program Files\Windows Mail\it-IT\conhost.exe"
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe
  C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe
  "C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\schtasks.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\schtasks.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe
  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe"
  2⤵
  - Executes dropped EXE
  PID:588
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\wininit.exe
  C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\wininit.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Program Files\Common Files\System\ja-JP\System.exe
  "C:\Program Files\Common Files\System\ja-JP\System.exe"
  2⤵
  - Executes dropped EXE
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\cmd.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Common Files\System\ja-JP\System.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Common Files\System\ja-JP\System.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Common Files\System\ja-JP\System.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Mozilla Firefox\defaults\pref\explorer.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Windows Mail\it-IT\conhost.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Windows Mail\it-IT\conhost.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\csrss.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\schtasks.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\schtasks.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\sppsvc.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\wininit.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\8ecc50a2-20ee-11ee-a805-d66763f08456\wininit.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6F58.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe

Filesize
214B

MD5
f246d91170758c560dcc804e79b689ce

SHA1
8e9820729c33e492c5d76722607a38379b1cbd38

SHA256
8558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665

SHA512
dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat

Filesize
37B

MD5
c87d31ff7b6bc8e971808bc819561137

SHA1
000f77a2d2596c87d3e2085ad74794b0627c034a

SHA256
738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872

SHA512
34d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7049.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6FNlRHyuX.bat

Filesize
199B

MD5
3a0a5d5e4aad0fad37bf9bcfa980bac3

SHA1
9c6480c0dbf7a4b77132dc5252f44f1074382dec

SHA256
9b02b9f74e9db65e42f9bca48a31033feebf8ffa231d5d28cc120152ee494c15

SHA512
4d9670e821560217fc9811d35a97943cea5112fa9440ec3c048a8ee6010fc5b3728882ca6c7317dc5d3243ae838df0f0408ac70ef1a3e839be823258b8276ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N95PRAEZYYPAQ5U0VKZT.temp

Filesize
7KB

MD5
e6bd4ffbc3cb316524711984867c4334

SHA1
c53ab1f5789953ef5805e03ce431eb2825807ffe

SHA256
a8dd6dd7ffc290857902fd660855c9314849f1d3d9f32b2205556255408a7ffe

SHA512
1d2e155e63e7e5792ce35859fff6e4eba88d36b20f145759395c05f100a78078915c507bc9b1209a1f0982c2148bb7bc7ae65ae887ee4deb48064b26fcfe5f80

Download Submit
C:\Users\Default\Downloads\lsm.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Default\Downloads\lsm.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Default\Downloads\lsm.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Default\Favorites\smss.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Default\Favorites\smss.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Windows\assembly\GAC_64\ISymWrapper\WMIADAP.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
memory/268-39-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/268-33-0x0000000000460000-0x000000000047C000-memory.dmp

Filesize
112KB

Download
memory/268-40-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/268-38-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/268-37-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/268-36-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/268-35-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/268-34-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/268-32-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/268-30-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/268-29-0x0000000001210000-0x0000000001390000-memory.dmp

Filesize
1.5MB

Download
memory/268-73-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/560-154-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/560-198-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/560-79-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/1260-45-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1260-0-0x0000000000D90000-0x000000000110E000-memory.dmp

Filesize
3.5MB

Download
memory/1260-7-0x0000000000D40000-0x0000000000D80000-memory.dmp

Filesize
256KB

Download
memory/1260-44-0x0000000000D90000-0x000000000110E000-memory.dmp

Filesize
3.5MB

Download
memory/1260-6-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1260-5-0x0000000000D90000-0x000000000110E000-memory.dmp

Filesize
3.5MB

Download
memory/1260-3-0x0000000000D40000-0x0000000000D80000-memory.dmp

Filesize
256KB

Download
memory/1260-2-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1260-1-0x0000000000D90000-0x000000000110E000-memory.dmp

Filesize
3.5MB

Download
memory/1524-207-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1524-197-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1524-196-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/1524-199-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1524-200-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1632-214-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/1632-213-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/1632-209-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-208-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/1908-153-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/1908-210-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1908-136-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/1908-152-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/1908-160-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/1908-161-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/1908-189-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2028-244-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/2028-202-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2028-203-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2080-191-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2080-186-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-188-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2080-187-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2136-184-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2136-164-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-185-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2136-166-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2136-137-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/2136-172-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2380-215-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/2380-216-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/2380-206-0x0000000002AD0000-0x0000000002B50000-memory.dmp

Filesize
512KB

Download
memory/2380-205-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-177-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2420-163-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2420-162-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-179-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2808-218-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2808-204-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2808-201-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download