zgrat | 6f7189376b953fd0a6e37f23d7f4bf6be70ff4d5cb39214a8d766bf9f6044511

Analysis

max time kernel
82s
max time network
83s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fluxus Cracked.exe
Size

4.9MB
MD5

7a182d7bd6c9304ea5e2fa27e007becc
SHA1

2ff3ccdad179d5ad23a59fedab2cb7b284f51af3
SHA256

6f7189376b953fd0a6e37f23d7f4bf6be70ff4d5cb39214a8d766bf9f6044511
SHA512

cdb5e2bcbbe16619ec008069ac5350743e965b6b89d335b85f36b055baa54f7006c0313093cf435ffc0c84854bfc1600992e2be8512d6436161ae4c3192bb8b6
SSDEEP

98304:BFVqfd/eLhdGYhfl0CcnVNB5G6X4RutZhjltPY5tnJTJmjPduN7umo1YU:IeL9Ncn93X8Yhl8nxJpumo1d

Score

10^/10

zgrat execution rat

Malware Config

Signatures

Detect ZGRat V1 7 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225d-3.dat	family_zgrat_v1
behavioral1/files/0x0008000000014171-29.dat	family_zgrat_v1
behavioral1/memory/2728-32-0x0000000001330000-0x000000000152A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2640-197-0x0000000000270000-0x000000000046A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1796-212-0x0000000000840000-0x0000000000A3A000-memory.dmp	family_zgrat_v1
behavioral1/memory/836-227-0x0000000000040000-0x000000000023A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-242-0x0000000000E10000-0x000000000100A000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1192	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1192	schtasks.exe	34

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2904	powershell.exe
2036	powershell.exe
948	powershell.exe
1728	powershell.exe
2936	powershell.exe
2160	powershell.exe
1804	powershell.exe
844	powershell.exe
1680	powershell.exe
1488	powershell.exe
572	powershell.exe
944	powershell.exe
1524	powershell.exe
1548	powershell.exe
1248	powershell.exe
276	powershell.exe
2868	powershell.exe
1908	powershell.exe
2932	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2752	DCRatBuild.exe
3036	Fluxus V7.exe
2728	providerCrtdhcp.exe
332	providerCrtdhcp.exe
280	providerCrtdhcp.exe
2640	providerCrtdhcp.exe
1796	providerCrtdhcp.exe
836	providerCrtdhcp.exe
2312	providerCrtdhcp.exe

Loads dropped DLL 9 IoCs

pid	Process
2156	Fluxus Cracked.exe
2156	Fluxus Cracked.exe
2584	cmd.exe
2584	cmd.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe
1676	WerFault.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\FreeCell\lsass.exe	providerCrtdhcp.exe
File created	C:\Program Files\Microsoft Games\FreeCell\6203df4a6bafc7	providerCrtdhcp.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\conhost.exe	providerCrtdhcp.exe
File opened for modification	C:\Windows\Registration\CRMLog\conhost.exe	providerCrtdhcp.exe
File created	C:\Windows\Registration\CRMLog\088424020bedd6	providerCrtdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1676	3036	WerFault.exe	29

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2180	schtasks.exe
2136	schtasks.exe
1408	schtasks.exe
772	schtasks.exe
1412	schtasks.exe
1876	schtasks.exe
1988	schtasks.exe
1896	schtasks.exe
2352	schtasks.exe
2816	schtasks.exe
1976	schtasks.exe
2388	schtasks.exe
2256	schtasks.exe
320	schtasks.exe
2252	schtasks.exe
2164	schtasks.exe
564	schtasks.exe
1616	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	providerCrtdhcp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	providerCrtdhcp.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1848	PING.EXE
1880	PING.EXE
1912	PING.EXE
2580	PING.EXE
2204	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe
2728	providerCrtdhcp.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	Fluxus V7.exe
Token: SeDebugPrivilege	2728	providerCrtdhcp.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	332	providerCrtdhcp.exe
Token: SeDebugPrivilege	280	providerCrtdhcp.exe
Token: SeDebugPrivilege	2640	providerCrtdhcp.exe
Token: SeDebugPrivilege	1796	providerCrtdhcp.exe
Token: SeDebugPrivilege	836	providerCrtdhcp.exe
Token: SeDebugPrivilege	2312	providerCrtdhcp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2752	2156	Fluxus Cracked.exe	28
PID 2156 wrote to memory of 2752	2156	Fluxus Cracked.exe	28
PID 2156 wrote to memory of 2752	2156	Fluxus Cracked.exe	28
PID 2156 wrote to memory of 2752	2156	Fluxus Cracked.exe	28
PID 2156 wrote to memory of 3036	2156	Fluxus Cracked.exe	29
PID 2156 wrote to memory of 3036	2156	Fluxus Cracked.exe	29
PID 2156 wrote to memory of 3036	2156	Fluxus Cracked.exe	29
PID 2156 wrote to memory of 3036	2156	Fluxus Cracked.exe	29
PID 2752 wrote to memory of 2848	2752	DCRatBuild.exe	30
PID 2752 wrote to memory of 2848	2752	DCRatBuild.exe	30
PID 2752 wrote to memory of 2848	2752	DCRatBuild.exe	30
PID 2752 wrote to memory of 2848	2752	DCRatBuild.exe	30
PID 2848 wrote to memory of 2584	2848	WScript.exe	31
PID 2848 wrote to memory of 2584	2848	WScript.exe	31
PID 2848 wrote to memory of 2584	2848	WScript.exe	31
PID 2848 wrote to memory of 2584	2848	WScript.exe	31
PID 2584 wrote to memory of 2728	2584	cmd.exe	33
PID 2584 wrote to memory of 2728	2584	cmd.exe	33
PID 2584 wrote to memory of 2728	2584	cmd.exe	33
PID 2584 wrote to memory of 2728	2584	cmd.exe	33
PID 3036 wrote to memory of 1676	3036	Fluxus V7.exe	53
PID 3036 wrote to memory of 1676	3036	Fluxus V7.exe	53
PID 3036 wrote to memory of 1676	3036	Fluxus V7.exe	53
PID 3036 wrote to memory of 1676	3036	Fluxus V7.exe	53
PID 2728 wrote to memory of 2036	2728	providerCrtdhcp.exe	54
PID 2728 wrote to memory of 2036	2728	providerCrtdhcp.exe	54
PID 2728 wrote to memory of 2036	2728	providerCrtdhcp.exe	54
PID 2728 wrote to memory of 948	2728	providerCrtdhcp.exe	55
PID 2728 wrote to memory of 948	2728	providerCrtdhcp.exe	55
PID 2728 wrote to memory of 948	2728	providerCrtdhcp.exe	55
PID 2728 wrote to memory of 276	2728	providerCrtdhcp.exe	57
PID 2728 wrote to memory of 276	2728	providerCrtdhcp.exe	57
PID 2728 wrote to memory of 276	2728	providerCrtdhcp.exe	57
PID 2728 wrote to memory of 2904	2728	providerCrtdhcp.exe	58
PID 2728 wrote to memory of 2904	2728	providerCrtdhcp.exe	58
PID 2728 wrote to memory of 2904	2728	providerCrtdhcp.exe	58
PID 2728 wrote to memory of 1248	2728	providerCrtdhcp.exe	60
PID 2728 wrote to memory of 1248	2728	providerCrtdhcp.exe	60
PID 2728 wrote to memory of 1248	2728	providerCrtdhcp.exe	60
PID 2728 wrote to memory of 2932	2728	providerCrtdhcp.exe	62
PID 2728 wrote to memory of 2932	2728	providerCrtdhcp.exe	62
PID 2728 wrote to memory of 2932	2728	providerCrtdhcp.exe	62
PID 2728 wrote to memory of 1804	2728	providerCrtdhcp.exe	63
PID 2728 wrote to memory of 1804	2728	providerCrtdhcp.exe	63
PID 2728 wrote to memory of 1804	2728	providerCrtdhcp.exe	63
PID 2728 wrote to memory of 944	2728	providerCrtdhcp.exe	66
PID 2728 wrote to memory of 944	2728	providerCrtdhcp.exe	66
PID 2728 wrote to memory of 944	2728	providerCrtdhcp.exe	66
PID 2728 wrote to memory of 572	2728	providerCrtdhcp.exe	68
PID 2728 wrote to memory of 572	2728	providerCrtdhcp.exe	68
PID 2728 wrote to memory of 572	2728	providerCrtdhcp.exe	68
PID 2728 wrote to memory of 2160	2728	providerCrtdhcp.exe	69
PID 2728 wrote to memory of 2160	2728	providerCrtdhcp.exe	69
PID 2728 wrote to memory of 2160	2728	providerCrtdhcp.exe	69
PID 2728 wrote to memory of 2868	2728	providerCrtdhcp.exe	70
PID 2728 wrote to memory of 2868	2728	providerCrtdhcp.exe	70
PID 2728 wrote to memory of 2868	2728	providerCrtdhcp.exe	70
PID 2728 wrote to memory of 1548	2728	providerCrtdhcp.exe	71
PID 2728 wrote to memory of 1548	2728	providerCrtdhcp.exe	71
PID 2728 wrote to memory of 1548	2728	providerCrtdhcp.exe	71
PID 2728 wrote to memory of 1908	2728	providerCrtdhcp.exe	72
PID 2728 wrote to memory of 1908	2728	providerCrtdhcp.exe	72
PID 2728 wrote to memory of 1908	2728	providerCrtdhcp.exe	72
PID 2728 wrote to memory of 2936	2728	providerCrtdhcp.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fluxus Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus Cracked.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\BlockSurrogatefontMonitor\mU33YMZQGxUfzjmO0oI8Zrz6gJvOxY9asaKa7z6q8Tx1Sco7H6GDW.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\BlockSurrogatefontMonitor\3PJdJcQr3lygZCpzSTZp2eI0PMEBYXtL0AVL8ua0cyEJAoGxj.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe
        
        "C:\BlockSurrogatefontMonitor/providerCrtdhcp.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/BlockSurrogatefontMonitor/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\FreeCell\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\providerCrtdhcp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WrU1gXmJb3.bat"
        6⤵
        
        PID:2500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1848
        
        C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe
        
        "C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat"
        8⤵
        
        PID:1000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:384
        
        C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe
        
        "C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SZLFiwQel9.bat"
        10⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1856
        
        C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe
        
        "C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX3O4psMNH.bat"
        12⤵
        
        PID:1260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:1880
        
        C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe
        
        "C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OwDUg2gYJx.bat"
        14⤵
        
        PID:2100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:1912
        
        C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe
        
        "C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ge8uHQboyx.bat"
        16⤵
        
        PID:848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:2580
        
        C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe
        
        "C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IhWEZABO4r.bat"
        18⤵
        
        PID:2788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:2204
- C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe
  "C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1148
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\FreeCell\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\FreeCell\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\FreeCell\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerCrtdhcpp" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\providerCrtdhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerCrtdhcp" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\providerCrtdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerCrtdhcpp" /sc MINUTE /mo 12 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\providerCrtdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerCrtdhcpp" /sc MINUTE /mo 12 /tr "'C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerCrtdhcp" /sc ONLOGON /tr "'C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerCrtdhcpp" /sc MINUTE /mo 7 /tr "'C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockSurrogatefontMonitor\3PJdJcQr3lygZCpzSTZp2eI0PMEBYXtL0AVL8ua0cyEJAoGxj.bat

Filesize
98B

MD5
ad2691ba31afed2f48c0f86fd9ce40ea

SHA1
20210915d87b554f022f94abaaef65a0b6b24b04

SHA256
ffb7a40e82071cd94d8482d8a48458ee8ee1ab7e6afa147505910a4d4bca4801

SHA512
32e813271d709fd578fc46e64ffa185e0ab63725bf294186a286f23185076f9aab7984a9c71b606754b2623d5299da61f0a3f7f51d7b450c932e5963aa8074bb

Download Submit
C:\BlockSurrogatefontMonitor\mU33YMZQGxUfzjmO0oI8Zrz6gJvOxY9asaKa7z6q8Tx1Sco7H6GDW.vbe

Filesize
252B

MD5
cd2eaebf959be410709c87c7b02382ed

SHA1
4b12369510c87ab57cbe424bd1c9d22c8acedf1a

SHA256
742a7fdad0768c63df86d1ebb28412d4fa77714d49d3ef8d3ddfbec4d9b65609

SHA512
afb769abd66ee360a5dc3f82a297ce3223059a31185364a8bd1cc22e97e1f3b3f970e9598b6ed48beff056c749919e07e3d2fd4ac99230759ebcc51c4eee656c

Download Submit
C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe

Filesize
2.0MB

MD5
e96f7c0bf7d61148e00dae07be005de9

SHA1
f2a689a2b5e4225995fcfd31b587c3ad71651e21

SHA256
37e1d2d17840e5323c3d3dd88171eabbd6d5c14ccd008cd2ce832c8cd51e7f8c

SHA512
3911e368f4c36f5734297b74cae871aa5b1c8ab5b1308c79d44cabf4695970d3682b6f90f7e260087cd04d364a9def389999dfe038243586a717c2dc4ff6dd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
aa5d196260f56a93d7a9ddf32d202112

SHA1
4abe547da7e38e9facb98523e4795a71af6b4600

SHA256
653eaa58999ff72cd9e858a9661c87b049fc66172d20fc9ae0f1e3b1e2af694b

SHA512
7cf76918a4d04c628cc4e7b3a7f2674c03b97104e98b98ab8407d2e12521e48dc61438d982cfdc9763deaa1b915e4432a972274dd6ac381a5a58f08e1ffd55d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IhWEZABO4r.bat

Filesize
176B

MD5
55009eebfdbb97403be843ee1d802851

SHA1
650fe7fa12b66e2bdb9d5abc3e0c6c60df9224e9

SHA256
78c7837b1a84aa0459c78e8acbc52c1b670ada3ab5c6aea9d29d657c5500d877

SHA512
50b9fea4d38aa19054c2a499a82dee2fd2bde1f7eab955018aa973bf192de5cf6638aa675f325c564d75072e33d2efad22ca4bcc57e49fe53f7d1976973c64b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwDUg2gYJx.bat

Filesize
176B

MD5
4e1f69104865be683655f56d31f474e8

SHA1
7ea5662b69f9f0ae38e16ff6faaafbbc9ccd2cb6

SHA256
38a2a4c02f6f14af6f8a0ecdf4b88459027a46f262af88b5c23607c8b0746946

SHA512
8044b713f1c563e4e73f84f3fbdd536d00250b03001f17773bcc67ddf496cab7650fc02e431bf20e27eefc8c8dcc2d21ab9256b3a8e41320ba33f0d046e11712

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX3O4psMNH.bat

Filesize
176B

MD5
044ba88e3daf26eff39933d75cb30dbe

SHA1
23d4f97e96f97ee8f50f5086a6f58e25cb6f7ac8

SHA256
4aa21a43294620af2b78969a43cc58237721f56a945ce69c4212f34dcfa1b6ff

SHA512
5be9afc12be3408e06316cff1f2768c74024e0d83a6a66582a57ecf14071e69d12918957658f5394a4b595ecbd70cbedaa18694d429074ebb9398726ac0f527c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat

Filesize
224B

MD5
c093b954adb4181aecc6c41adec3ccee

SHA1
c64aff1b4d767739160e7e01ce8fdb028b122fb8

SHA256
8040f431f5c6dfc124e63ae4d750b0617812beaba1cbb3b7e847d73a0536d752

SHA512
e8678ac3f608503dff80cf0bd911056286d56f80b6981d237f39094be67eedc60c99c6a3c32eea5dba647f95ca12bac41ec941ed2f48047633c110e234072949

Download Submit
C:\Users\Admin\AppData\Local\Temp\SZLFiwQel9.bat

Filesize
224B

MD5
6d12ce524bb3418142029ff9c011f603

SHA1
433b04373b587e544a8198b2f66f56ed350ee0bb

SHA256
253f4b57b2b3f5a310cce2c83ea8e1d9e304c008652b79c89a07903227f016f6

SHA512
0fa8883dd949edf69195f6a5df7c590560e47a6f51d6ea893745066045f927e0861fe547ad711ef5a64732ee33e4877438afd219aa4274767164b429b1f9d026

Download Submit
C:\Users\Admin\AppData\Local\Temp\WrU1gXmJb3.bat

Filesize
176B

MD5
3ff17e4b3872d283a2586138b3de36f8

SHA1
2c686e6978cacc67a850d4145f52b02c59385172

SHA256
ac33c3951864ba6639a0404a5cdd89bfa9b4bd533df949f8e5134239fcd1fc1c

SHA512
baf97a292d68aba6a93921eb8f9e53bf85539ec26ab8d839841aecb953854f4f052cd6e7cfca6b5dedbf8943a09a955071581f2c994eef4398134ba8a16bad35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ge8uHQboyx.bat

Filesize
176B

MD5
c2ae0b9b3749272462ee74beb543066c

SHA1
63bb97c3f9dafdd5fdac2dfb98f480e6adf06805

SHA256
a8ac1562c0af462d8c0b9e15dd1460710d9efd8b700aa5572ac1b11b59a50229

SHA512
72116c52b0488d4e08e64c32a90fcac55db86c425b61867fd1e70a92d0e96fe5428ccfeba68ea2b33dcde81ff60c78c420213d2fb914fd6d233240b93265732c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
986887ac83e084abedb4b96d412d3cf6

SHA1
547e4123a2eeaadeb2b45db78fc85c95e027ae00

SHA256
2d7e19ac84d48a71eef57223984371de3587641c1b1cee0d024970a96af3996f

SHA512
ccb2882c3b0bfd9c79bb443c882460cf4ec39824257bc71edb72e5ca96e4027b1d5183e9e3600ca19fcc77b595aded3b9a09c29d4bb8ab53ddbcb8b3076e7975

Download Submit
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
2.3MB

MD5
d341f3cd7398873faf25661504f90b56

SHA1
48e2617f2e46b20460decf7096942d1823bfb143

SHA256
34cbdce2fee0ae1eb578c4a97962d71c3edfe86685c5ae4f24f4f6276f696805

SHA512
482478705ef3ae79fdf4912e33925f6623d533d73b83e3b35eb176d39ed8db3a65bc84c84aabb2a2b570ec41436d6bbcc4b3be9020d5c50530282fa0c90d105d

Download Submit
memory/836-227-0x0000000000040000-0x000000000023A000-memory.dmp

Filesize
2.0MB

Download
memory/1796-212-0x0000000000840000-0x0000000000A3A000-memory.dmp

Filesize
2.0MB

Download
memory/2036-94-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/2036-88-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2312-242-0x0000000000E10000-0x000000000100A000-memory.dmp

Filesize
2.0MB

Download
memory/2640-197-0x0000000000270000-0x000000000046A000-memory.dmp

Filesize
2.0MB

Download
memory/2728-32-0x0000000001330000-0x000000000152A000-memory.dmp

Filesize
2.0MB

Download
memory/2728-34-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/2728-46-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/2728-48-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/2728-36-0x00000000009F0000-0x0000000000A0C000-memory.dmp

Filesize
112KB

Download
memory/2728-44-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/2728-42-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/2728-40-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/2728-38-0x0000000000A10000-0x0000000000A28000-memory.dmp

Filesize
96KB

Download
memory/3036-181-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/3036-180-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/3036-26-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/3036-25-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/3036-24-0x00000000012F0000-0x00000000016E4000-memory.dmp

Filesize
4.0MB

Download