dcrat | ee45a91c9cf4646ec221733677e6ad5e50c32d10659528ffd6df4c25ff52e138

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kdmapper.exe
Size

4.4MB
MD5

f67ce1c7f9360af571a329573d0b38ed
SHA1

f72c8ecaf324a31b2c3bf7ca15514af09ec3841f
SHA256

ee45a91c9cf4646ec221733677e6ad5e50c32d10659528ffd6df4c25ff52e138
SHA512

f2a55d9070f56d0bcbf6f4db36c3e9655c80e61db55720935369e0d4a1c59f5ec5e0907864b522af24fba17b85ebe60251b22d32a4b9afc1448bf7e3f0456fbd
SSDEEP

49152:vm9xoQqBH6m4FTkEKVb0kxFAIXH3v2DK2cts9pX+D1+nISQbp2PyjzWT0q+Tnba:vTJhb+QzwCXuDKZts9p7epNAu

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\csrss.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\WMIADAP.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\WMIADAP.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\3082\\msdriverruntime.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\csrss.exe\", \"C:\\MSOCache\\All Users\\WMIADAP.exe\", \"C:\\Windows\\Microsoft.NET\\Framework64\\3082\\msdriverruntime.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\main\\msdriverruntime.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\WmiPrvSE.exe\""	msdriverruntime.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1348	schtasks.exe	44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1348	schtasks.exe	44

DCRat payload 14 IoCs

rat

resource	yara_rule
behavioral1/files/0x00060000000174b4-79.dat	family_dcrat_v2
behavioral1/memory/2960-82-0x0000000000FA0000-0x000000000106A000-memory.dmp	family_dcrat_v2
behavioral1/memory/2940-155-0x00000000012E0000-0x00000000013AA000-memory.dmp	family_dcrat_v2
behavioral1/memory/1976-167-0x00000000001A0000-0x000000000026A000-memory.dmp	family_dcrat_v2
behavioral1/memory/2444-179-0x0000000000200000-0x00000000002CA000-memory.dmp	family_dcrat_v2
behavioral1/memory/2320-191-0x0000000000A00000-0x0000000000ACA000-memory.dmp	family_dcrat_v2
behavioral1/memory/1636-225-0x0000000000160000-0x000000000022A000-memory.dmp	family_dcrat_v2
behavioral1/memory/2832-237-0x0000000000920000-0x00000000009EA000-memory.dmp	family_dcrat_v2
behavioral1/memory/1508-249-0x0000000000220000-0x00000000002EA000-memory.dmp	family_dcrat_v2
behavioral1/memory/352-259-0x00000000001E0000-0x00000000002AA000-memory.dmp	family_dcrat_v2
behavioral1/memory/2104-269-0x00000000013A0000-0x000000000146A000-memory.dmp	family_dcrat_v2
behavioral1/memory/3032-279-0x00000000001F0000-0x00000000002BA000-memory.dmp	family_dcrat_v2
behavioral1/memory/3008-289-0x0000000000A40000-0x0000000000B0A000-memory.dmp	family_dcrat_v2
behavioral1/memory/1308-299-0x0000000000390000-0x000000000045A000-memory.dmp	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1516	powershell.exe
2036	powershell.exe
1752	powershell.exe
868	powershell.exe
1224	powershell.exe
1804	powershell.exe

Executes dropped EXE 23 IoCs

pid	Process
2764	main_2024-08-02_17-05-17.exe
2584	7z.exe
1560	7z.exe
2612	7z.exe
2976	7z.exe
1636	7z.exe
2180	7z.exe
2840	7z.exe
2960	msdriverruntime.exe
2940	msdriverruntime.exe
1976	msdriverruntime.exe
2444	msdriverruntime.exe
2320	msdriverruntime.exe
2640	msdriverruntime.exe
2272	msdriverruntime.exe
1636	msdriverruntime.exe
2832	msdriverruntime.exe
1508	msdriverruntime.exe
352	msdriverruntime.exe
2104	msdriverruntime.exe
3032	msdriverruntime.exe
3008	msdriverruntime.exe
1308	msdriverruntime.exe

Loads dropped DLL 15 IoCs

pid	Process
2676	kdmapper.exe
2680	cmd.exe
2584	7z.exe
2680	cmd.exe
1560	7z.exe
2680	cmd.exe
2612	7z.exe
2680	cmd.exe
2976	7z.exe
2680	cmd.exe
1636	7z.exe
2680	cmd.exe
2180	7z.exe
2680	cmd.exe
2840	7z.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msdriverruntime = "\"C:\\Windows\\Microsoft.NET\\Framework64\\3082\\msdriverruntime.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\WmiPrvSE.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\csrss.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Common Files\\Adobe AIR\\Versions\\1.0\\csrss.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\MSOCache\\All Users\\WMIADAP.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\WmiPrvSE.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\MSOCache\\All Users\\WMIADAP.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\msdriverruntime = "\"C:\\Windows\\Microsoft.NET\\Framework64\\3082\\msdriverruntime.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\msdriverruntime = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\main\\msdriverruntime.exe\""	msdriverruntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msdriverruntime = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\main\\msdriverruntime.exe\""	msdriverruntime.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC41A12F883B974151B61EC5297BB396C2.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe	msdriverruntime.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\886983d96e3d3e	msdriverruntime.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\WmiPrvSE.exe	msdriverruntime.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\24dbde2999530e	msdriverruntime.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe	msdriverruntime.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe	msdriverruntime.exe
File created	C:\Windows\Microsoft.NET\Framework64\3082\0ee8f91c296b07	msdriverruntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdmapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main_2024-08-02_17-05-17.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1632	PING.EXE
1772	PING.EXE
1196	PING.EXE
2268	PING.EXE
2612	PING.EXE
2068	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	msdriverruntime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	msdriverruntime.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1196	PING.EXE
2268	PING.EXE
2612	PING.EXE
2068	PING.EXE
1632	PING.EXE
1772	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1728	schtasks.exe
2304	schtasks.exe
1196	schtasks.exe
1692	schtasks.exe
1672	schtasks.exe
904	schtasks.exe
1052	schtasks.exe
632	schtasks.exe
1552	schtasks.exe
2116	schtasks.exe
320	schtasks.exe
1760	schtasks.exe
2132	schtasks.exe
2100	schtasks.exe
2448	schtasks.exe
2372	schtasks.exe
2312	schtasks.exe
2236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe
2960	msdriverruntime.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeRestorePrivilege	2584	7z.exe
Token: 35	2584	7z.exe
Token: SeSecurityPrivilege	2584	7z.exe
Token: SeSecurityPrivilege	2584	7z.exe
Token: SeRestorePrivilege	1560	7z.exe
Token: 35	1560	7z.exe
Token: SeSecurityPrivilege	1560	7z.exe
Token: SeSecurityPrivilege	1560	7z.exe
Token: SeRestorePrivilege	2612	7z.exe
Token: 35	2612	7z.exe
Token: SeSecurityPrivilege	2612	7z.exe
Token: SeSecurityPrivilege	2612	7z.exe
Token: SeRestorePrivilege	2976	7z.exe
Token: 35	2976	7z.exe
Token: SeSecurityPrivilege	2976	7z.exe
Token: SeSecurityPrivilege	2976	7z.exe
Token: SeRestorePrivilege	1636	7z.exe
Token: 35	1636	7z.exe
Token: SeSecurityPrivilege	1636	7z.exe
Token: SeSecurityPrivilege	1636	7z.exe
Token: SeRestorePrivilege	2180	7z.exe
Token: 35	2180	7z.exe
Token: SeSecurityPrivilege	2180	7z.exe
Token: SeSecurityPrivilege	2180	7z.exe
Token: SeRestorePrivilege	2840	7z.exe
Token: 35	2840	7z.exe
Token: SeSecurityPrivilege	2840	7z.exe
Token: SeSecurityPrivilege	2840	7z.exe
Token: SeDebugPrivilege	2960	msdriverruntime.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2940	msdriverruntime.exe
Token: SeDebugPrivilege	1976	msdriverruntime.exe
Token: SeDebugPrivilege	2444	msdriverruntime.exe
Token: SeDebugPrivilege	2320	msdriverruntime.exe
Token: SeDebugPrivilege	2640	msdriverruntime.exe
Token: SeDebugPrivilege	2272	msdriverruntime.exe
Token: SeDebugPrivilege	1636	msdriverruntime.exe
Token: SeDebugPrivilege	2832	msdriverruntime.exe
Token: SeDebugPrivilege	1508	msdriverruntime.exe
Token: SeDebugPrivilege	352	msdriverruntime.exe
Token: SeDebugPrivilege	2104	msdriverruntime.exe
Token: SeDebugPrivilege	3032	msdriverruntime.exe
Token: SeDebugPrivilege	3008	msdriverruntime.exe
Token: SeDebugPrivilege	1308	msdriverruntime.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2764	2676	kdmapper.exe	31
PID 2676 wrote to memory of 2764	2676	kdmapper.exe	31
PID 2676 wrote to memory of 2764	2676	kdmapper.exe	31
PID 2676 wrote to memory of 2764	2676	kdmapper.exe	31
PID 2676 wrote to memory of 2764	2676	kdmapper.exe	31
PID 2676 wrote to memory of 2764	2676	kdmapper.exe	31
PID 2676 wrote to memory of 2764	2676	kdmapper.exe	31
PID 2764 wrote to memory of 2680	2764	main_2024-08-02_17-05-17.exe	32
PID 2764 wrote to memory of 2680	2764	main_2024-08-02_17-05-17.exe	32
PID 2764 wrote to memory of 2680	2764	main_2024-08-02_17-05-17.exe	32
PID 2764 wrote to memory of 2680	2764	main_2024-08-02_17-05-17.exe	32
PID 2680 wrote to memory of 2572	2680	cmd.exe	34
PID 2680 wrote to memory of 2572	2680	cmd.exe	34
PID 2680 wrote to memory of 2572	2680	cmd.exe	34
PID 2680 wrote to memory of 2584	2680	cmd.exe	35
PID 2680 wrote to memory of 2584	2680	cmd.exe	35
PID 2680 wrote to memory of 2584	2680	cmd.exe	35
PID 2680 wrote to memory of 1560	2680	cmd.exe	36
PID 2680 wrote to memory of 1560	2680	cmd.exe	36
PID 2680 wrote to memory of 1560	2680	cmd.exe	36
PID 2680 wrote to memory of 2612	2680	cmd.exe	37
PID 2680 wrote to memory of 2612	2680	cmd.exe	37
PID 2680 wrote to memory of 2612	2680	cmd.exe	37
PID 2680 wrote to memory of 2976	2680	cmd.exe	38
PID 2680 wrote to memory of 2976	2680	cmd.exe	38
PID 2680 wrote to memory of 2976	2680	cmd.exe	38
PID 2680 wrote to memory of 1636	2680	cmd.exe	39
PID 2680 wrote to memory of 1636	2680	cmd.exe	39
PID 2680 wrote to memory of 1636	2680	cmd.exe	39
PID 2680 wrote to memory of 2180	2680	cmd.exe	40
PID 2680 wrote to memory of 2180	2680	cmd.exe	40
PID 2680 wrote to memory of 2180	2680	cmd.exe	40
PID 2680 wrote to memory of 2840	2680	cmd.exe	41
PID 2680 wrote to memory of 2840	2680	cmd.exe	41
PID 2680 wrote to memory of 2840	2680	cmd.exe	41
PID 2680 wrote to memory of 2932	2680	cmd.exe	42
PID 2680 wrote to memory of 2932	2680	cmd.exe	42
PID 2680 wrote to memory of 2932	2680	cmd.exe	42
PID 2680 wrote to memory of 2960	2680	cmd.exe	43
PID 2680 wrote to memory of 2960	2680	cmd.exe	43
PID 2680 wrote to memory of 2960	2680	cmd.exe	43
PID 2960 wrote to memory of 1768	2960	msdriverruntime.exe	48
PID 2960 wrote to memory of 1768	2960	msdriverruntime.exe	48
PID 2960 wrote to memory of 1768	2960	msdriverruntime.exe	48
PID 1768 wrote to memory of 668	1768	csc.exe	50
PID 1768 wrote to memory of 668	1768	csc.exe	50
PID 1768 wrote to memory of 668	1768	csc.exe	50
PID 2960 wrote to memory of 1516	2960	msdriverruntime.exe	66
PID 2960 wrote to memory of 1516	2960	msdriverruntime.exe	66
PID 2960 wrote to memory of 1516	2960	msdriverruntime.exe	66
PID 2960 wrote to memory of 2036	2960	msdriverruntime.exe	67
PID 2960 wrote to memory of 2036	2960	msdriverruntime.exe	67
PID 2960 wrote to memory of 2036	2960	msdriverruntime.exe	67
PID 2960 wrote to memory of 1752	2960	msdriverruntime.exe	68
PID 2960 wrote to memory of 1752	2960	msdriverruntime.exe	68
PID 2960 wrote to memory of 1752	2960	msdriverruntime.exe	68
PID 2960 wrote to memory of 1804	2960	msdriverruntime.exe	70
PID 2960 wrote to memory of 1804	2960	msdriverruntime.exe	70
PID 2960 wrote to memory of 1804	2960	msdriverruntime.exe	70
PID 2960 wrote to memory of 1224	2960	msdriverruntime.exe	71
PID 2960 wrote to memory of 1224	2960	msdriverruntime.exe	71
PID 2960 wrote to memory of 1224	2960	msdriverruntime.exe	71
PID 2960 wrote to memory of 868	2960	msdriverruntime.exe	73
PID 2960 wrote to memory of 868	2960	msdriverruntime.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2932	attrib.exe

C:\Users\Admin\AppData\Local\Temp\kdmapper.exe
"C:\Users\Admin\AppData\Local\Temp\kdmapper.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\main_2024-08-02_17-05-17.exe
  "C:\Users\Admin\AppData\Local\Temp\main_2024-08-02_17-05-17.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p25203326322559820124957532645 -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_6.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_5.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_4.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_3.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_1.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2840
  - - C:\Windows\system32\attrib.exe
      attrib +H "msdriverruntime.exe"
      4⤵
      Views/modifies file attributes
      PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\main\msdriverruntime.exe
      "msdriverruntime.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oadouqku\oadouqku.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF364.tmp" "c:\Windows\System32\CSC41A12F883B974151B61EC5297BB396C2.TMP"
        6⤵
        
        PID:668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\main\msdriverruntime.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Km0ujrRelP.bat"
        5⤵
        
        PID:2396
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1840
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2612
      - C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat"
        7⤵
        
        PID:568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2408
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IEEHJvrHBO.bat"
        9⤵
        
        PID:1196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2448
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mLBZigXOC1.bat"
        11⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:804
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e4kjvfRyFL.bat"
        13⤵
        
        PID:2020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2068
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hBPD0AFikm.bat"
        15⤵
        
        PID:2256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2728
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gjUXinqH5W.bat"
        17⤵
        
        PID:1828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NVJoNfH6eh.bat"
        19⤵
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\079l6K9pbh.bat"
        21⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:568
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat"
        23⤵
        
        PID:1304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1196
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AeLHIw7ndo.bat"
        25⤵
        
        PID:3068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2268
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBqx2BHh5U.bat"
        27⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3060
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TqMgut2j0M.bat"
        29⤵
        
        PID:920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1732
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FiOhdEFLkG.bat"
        31⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:2272
        
        C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe
        
        "C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\285J1A1WUD.bat"
        33⤵
        
        PID:1828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msdriverruntimem" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msdriverruntime" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msdriverruntimem" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\Framework64\3082\msdriverruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msdriverruntimem" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\main\msdriverruntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msdriverruntime" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\main\msdriverruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msdriverruntimem" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\main\msdriverruntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\079l6K9pbh.bat

Filesize
237B

MD5
9d880efb48133150eb1f2be42e090dbd

SHA1
9a1fb94442ace11f67c0147e68258134bc5db712

SHA256
a63d4395f8111ca3276385dcf5028c1a5f50df857826a29cb5166c75545d52ec

SHA512
ada37132a3dd2b342cdbd86d9e9e072850ee7fef9f9f57d62a209e1ec92f75fbd3841f1f466679dc4f146503e7bf5124f63ab4fd4081bd3343b987ac69143145

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEEHJvrHBO.bat

Filesize
237B

MD5
21cd9f971735adea04e4880fc9747e17

SHA1
e753788b7a3a1395de7b8df9867b2ff39994c474

SHA256
e204a4fb62a31319a1a734cfb71665c19122707a328c20a67a1b68bc3892beb8

SHA512
0e4d517548130640481808c7072bb36a4424fdf7e1dadaff9fb7c692e677abf736d285b481d32cc984a80b6a3a76a52f5f2ad93653f165198de8657975286910

Download Submit
C:\Users\Admin\AppData\Local\Temp\Km0ujrRelP.bat

Filesize
189B

MD5
12a4d2d953312263f6aa4a136db59dba

SHA1
c7c1de97be2fc97dc59ec33da67daee88503ebc1

SHA256
5ec36e3202f7f68bec3e35115e707dfb0e917dda07f527823bf61256625e60cb

SHA512
b2492e8fa68b4312af449187ced2cc0b1e7a31269ff6c003000264d8fc5c81eac04e2a3cf9fac144a29468ca98138e994d2f9d3bd7324b20658352b37878fe91

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVJoNfH6eh.bat

Filesize
189B

MD5
fc2ee112a5400bbbf2bf01b857f53661

SHA1
5511c919af420c486464a6b62d104bdb3ca7fe5e

SHA256
132d0b8039125e6555cdf70253428bb804af0eb20a69f09de843a4dcab70c095

SHA512
77d290dd3ce525fde7b89eb8f869cb0cd1c7a39b63aab5a85193d98f6d4b5191b23e44da279e9b6bdaa6357e5317333d264335e6e1e95acf2adad1832caf248c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF364.tmp

Filesize
1KB

MD5
f453e99211cc1a8a4f532e6692111845

SHA1
476c7fd82c74accf8507ed1673b42214379a75f5

SHA256
efac17ef73f2016e7f2b6b5828a0176596acc8049e44ed384b01a89f137b46af

SHA512
a64cf8a54a60d31dc6d8626f182a4bed470717700e1cb5fa6e00d7894fc465f1950164e38f16e3fbb378a1fb2eaf84e7e8cf41e54e5be85ce818dde671f8df6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4kjvfRyFL.bat

Filesize
189B

MD5
4e92c28d8546e58fa1c589af2ff6b988

SHA1
2c280467f8cc915ab3141de33703404f83b148fd

SHA256
f523d0e24b7aa3dc864bbd8e8fbb25be6807c59038dbec72c230f9eb3b5c6bbe

SHA512
e97f7474cd0cdf5eb40eb777eb967e513c9d1f690b8289bdb5279d7804238f867458a6c5f4ab02ecd0fd126a262cf24693a0545a1d11215a9a1234eb15bfb031

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjUXinqH5W.bat

Filesize
189B

MD5
e0abc150375336faa293d155061c014a

SHA1
4185e1a36ce10d83e912169ccfbae5e0917edc07

SHA256
fb70c7cbd4e999cd812aca55746786d8a5ebad79f17d4327d3ccc311a47c9ed6

SHA512
87a87491334dcc8ffd3eb62b857cb4f2956588554dfe329ffa23ce1349b5297336cf5d79bf22fd9be0fb8723aca4a007fea9e2d018644a362df5672e7a86ed26

Download Submit
C:\Users\Admin\AppData\Local\Temp\hBPD0AFikm.bat

Filesize
237B

MD5
2bb6ed4a035aa715ce4e79ce9e11ae5e

SHA1
d3764bfbd2bdadd50e09b97c169dbcde0e93f6a3

SHA256
ba8829925231da955d84acc6b1f68ad6deac7511eb67c780c90ab031bcead3cd

SHA512
4df1bdc2f01d212d86e9cf49dc04b82e6814bfc4b00ebf2c06656e4a92f766e5ca1ed9a080bfed1ca322ce844f79167b0a7c5f5662917aecf760265f89ff747a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mLBZigXOC1.bat

Filesize
237B

MD5
5e511a624706412f57f21a9f6e554efe

SHA1
4feaf74eeb9e41807fc188ed922afc5f0d5476f7

SHA256
e9fe580e3db09edc3e906a5053f6ce3c6519768516202a2939f690a65f944fdd

SHA512
2084ee380410a241b96eb14e00bde283a31a2a07c72a6b0398023dea81b1313ca8bc47c6ca4d19b9f6a07782c1bc411a55c7a3711a320e0c3f111822e1b1c5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
69335538328d6708de7b6ccd85d628ea

SHA1
451200a635a90a951e03147314568f3691a94a5a

SHA256
9c0acb89d78613739aa990affc48eb5b910099e33ee45dce37757a476af069cc

SHA512
8260ad5feef48fcd3d8e40e21b1cb1bb8709c0da9b474c8f2e21bd29874225345ca0a64acc87fc3021e83cdfd2e2f8f9f85d306bbb0e003ffb9e8e6ed4585903

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
311KB

MD5
877fbc2d3c154407e2398f56908a4480

SHA1
98eb6b1a7fad8a145dafb5d70b061a71b70cf55c

SHA256
2aa7f166f0d2dc490488eb613c455952f38573aeb441d4b95dc6d006eb099cfe

SHA512
de3b0d55878df26c2f3a966c02c4c29e91a95d4f13b47d865634e1a5b6a0fb785f0a03cde517f08723445c75493879032d8771009c438897c8ee3f54f742f18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
310KB

MD5
ab40dd752af0974d933b28ba20d211b3

SHA1
34653fc28941e40ee3acdf1f1f659990d9a7d24b

SHA256
94ee280bcfe8deec458e010bc83b4dd65a90f913acecfd671362941051f1afe3

SHA512
0b2b7a3a55ce3f65be905a8bc791da7087ff72ed19cc48f9ad72509adba717d2e869debdeb9b51e57b53650df0d846cf8d2fca92321d6c8e8ae437fe812cfee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
310KB

MD5
43a3fa14cb0d20a86010d8229c0e97c3

SHA1
cb3aa60bf7b7cf718087e0861e02c3e0caaf1f22

SHA256
9a8a5f02ca5254b526d93faea5bd097a72b3c41d46e10296d13b95fc327dcaef

SHA512
3ae65a4fbdf2f528626253ed8524484e781b54b4aed0a7fcf3fe36d22b6933b10fcd9494883798069492a59fded40c7ed349f68fcbcbc7865668775270810ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
310KB

MD5
56ea0cd7b52ab028597943f082b5043f

SHA1
0732d4f67965bbb7d3e174dcc0a9f7fa03430e94

SHA256
93acb211e4475b8fbfe3356720b67ae2dd6420d40ef6a224ce61c4b24ca1661c

SHA512
7c1a0637c4ca886f50617998b16f3be38134482671cce5163ad354afe07a54d460c289ff7094ef806058f3fbaa1288d2b1eb2b0e4332b8027acf907aa756af56

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
311KB

MD5
eb0f6c7534ca2c51db8fbb8a0d5ecbd8

SHA1
788944d442b3139bfe004204415f7a0173da476a

SHA256
2b3619764794ddc69c5886c0105f93d8ebdd071507ae6b47a4ea52afd16faf56

SHA512
b8c508a9f15d5f67df5d45cbad96d75e2262b14e64e1960982dd139d67aa445a539b4152969b54d0729198639ac840a74bfcfed03d5054a3d6a3395532e991ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
1.9MB

MD5
e31a485452aef6961ea1d27e4fcc182c

SHA1
ac85c835531cdd243507c7139a872f3141c94469

SHA256
4d1b10aada6d29f3d06e956db6cf29404c948fb11492f8062421f48aed53ca1d

SHA512
f7dd6c7ac8eb78197866582e41f5ff0f49d6d5fb9e23ac51b08413e7bd7147259cdbbf6fbc414ca0a6b80c692b41d89884397ee63f420f563a5555e98b50c547

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\msdriverruntime.exe

Filesize
783KB

MD5
cc5b4ee77315ecd151675f2ac0dee966

SHA1
005a5075ea2d8f7056bcc36f10c0cb1a1c94a648

SHA256
cbe83d350376a7b56d63e3712d062652365ae69a63f8cd32d4d89921a9c75dd5

SHA512
b8b6b6159c30dfe4ac87994225896de86378767a880c5168c0e978843d928b9823995dfc5389162ba7206f543fbfd8cc802272c32af3eea8dafdcd2d2ba52feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.9MB

MD5
357df3ab8fadc58198dd36c3986a3860

SHA1
f103b37344d930cf0dcd3f08ab7939a0c106acf0

SHA256
9df20a9e993e67d5c976abe8528aa0caa239fb4f11499e0291e1aee60e69fc9f

SHA512
7b7a258bdbbcced66c732df079549ac3e72529a77f88a02b7c86ee828a03707ed5289e09a1626c1337b5bab96d7dc441a8b410b005ccd52efc5320cfbf295f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
505B

MD5
66513e8a6a4b8dac0051c184718bae44

SHA1
cb2faacd4419a885e17d97edb866f480a3596f0d

SHA256
aa8a2aa8ee801d0a0e63253fc7b6da710c5e27f03629350c7caf6a5ebcf9a05d

SHA512
e341b61edbfa63e8a07da5e300a5742dd3617752e063fd6d986713e8cedac3ba56f97aef2069f57407dabba3f700eb59dcc942757479e73cdc3311216b6faead

Download Submit
C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat

Filesize
237B

MD5
900151e8e9bea8207fef5338904dbbb4

SHA1
8b30a5d5da6bfacbe2c9ca6154f42102633e2820

SHA256
935a6042b22ad79103c1db672009aa9843e1f5e209d7430e8ac454938c8f1ad6

SHA512
0cc8b02afe03a9c85034dbb01df2f2c76cbbfa5ba7b77398f77edf512305334f1307a6e9d7503de69541642a402d808187db9cfba85f02b1475e629eeb64474f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
26befc04a7ba14e2b8709da567d82368

SHA1
54c636535dd2d69c650b39e427612ffd6f566e33

SHA256
13d83a1dd9bef659266b922ae3cfe6f4c54cb664b49b9a663c9669f96595abc7

SHA512
3345f26d7973a9549c9852790aaf118d85672d4ab8fc7b2dc341cae82ba5dc730dfe5d5e2edae803b284c07f8be8658fdcc1060698fab8d85d6c2e64fd66c971

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oadouqku\oadouqku.0.cs

Filesize
394B

MD5
5ff24d3399e12255907815bd10ace551

SHA1
cc815e1bce0a898644170fece6b5ff1ae6c4affa

SHA256
71f6d481054051a61d4e438c980d86e33a78ebda7b7d55853d50a61711b78ab6

SHA512
9428b0bd229e835faa1eb1391dd7b4f825fbe553d4ba4b91290f9814a3334b65ae3fcea385d00369a510b557ebddc76d34fb906696d5ad6f6bb252956e9bd415

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oadouqku\oadouqku.cmdline

Filesize
235B

MD5
8f94469c093b57b07d7f76152df70fd1

SHA1
43110b5034c58f8428e6be41c03b2133de4364fc

SHA256
0eb1098971524d127590719fa38f30028fc14349f8b44933658e6910975f410e

SHA512
46c9fdf469bb203cc4e560f1469eff6d7a77b096b583cd0c3e76fb9f8f6073c0c0d99ff4aedd412f664a442c89cb7eddbe2fec13d467abf6b5c3edf4da52d7c1

Download Submit
\??\c:\Windows\System32\CSC41A12F883B974151B61EC5297BB396C2.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
\Users\Admin\AppData\Local\Temp\main_2024-08-02_17-05-17.exe

Filesize
2.8MB

MD5
b981912180fd214e229a48786b29f084

SHA1
457fcfa0fef95d072e7dde5e6aa566722b3b0d38

SHA256
194967828837f0f35ef2250ab0da5f89b9d6279e860ae20d47c3873069f6bb64

SHA512
4578b6b80dd4eda68957e35bd8c5878b04e63df90b1da748c5f6cfa88c0dd146287fa78e2d7c0bada48e684a4aba70c4cc60af26865c6806f7b38b0ba7620048

Download Submit
memory/352-259-0x00000000001E0000-0x00000000002AA000-memory.dmp

Filesize
808KB

Download
memory/1308-299-0x0000000000390000-0x000000000045A000-memory.dmp

Filesize
808KB

Download
memory/1508-249-0x0000000000220000-0x00000000002EA000-memory.dmp

Filesize
808KB

Download
memory/1516-141-0x00000000026D0000-0x00000000026D8000-memory.dmp

Filesize
32KB

Download
memory/1636-225-0x0000000000160000-0x000000000022A000-memory.dmp

Filesize
808KB

Download
memory/1752-136-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/1976-167-0x00000000001A0000-0x000000000026A000-memory.dmp

Filesize
808KB

Download
memory/2104-269-0x00000000013A0000-0x000000000146A000-memory.dmp

Filesize
808KB

Download
memory/2320-191-0x0000000000A00000-0x0000000000ACA000-memory.dmp

Filesize
808KB

Download
memory/2444-179-0x0000000000200000-0x00000000002CA000-memory.dmp

Filesize
808KB

Download
memory/2676-0-0x0000000000400000-0x0000000000867000-memory.dmp

Filesize
4.4MB

Download
memory/2832-237-0x0000000000920000-0x00000000009EA000-memory.dmp

Filesize
808KB

Download
memory/2940-155-0x00000000012E0000-0x00000000013AA000-memory.dmp

Filesize
808KB

Download
memory/2960-92-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2960-88-0x0000000000550000-0x0000000000568000-memory.dmp

Filesize
96KB

Download
memory/2960-82-0x0000000000FA0000-0x000000000106A000-memory.dmp

Filesize
808KB

Download
memory/2960-84-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2960-86-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/2960-90-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/3008-289-0x0000000000A40000-0x0000000000B0A000-memory.dmp

Filesize
808KB

Download
memory/3032-279-0x00000000001F0000-0x00000000002BA000-memory.dmp

Filesize
808KB

Download