dcrat | 1c2e46d685fdf5ee89fe9193e0ff0bf6dc7088014c29fe51f31e4e5613876eb6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24e4452c2fa32b490d57b57c307b8c2d.exe
Size

2.6MB
MD5

24e4452c2fa32b490d57b57c307b8c2d
SHA1

99570080bedc40498310a7044a47110a38637721
SHA256

1c2e46d685fdf5ee89fe9193e0ff0bf6dc7088014c29fe51f31e4e5613876eb6
SHA512

5a911f3046f58d58f2bbf3343965d46fe7d913d8ebb30488016cf6ff60ee307d8c9bc339b91b18dfe9e9e74f6f94b04c0ade7c1165709bf83149cf1c337d3f13
SSDEEP

49152:+pTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:+ZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5288	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5356	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5504	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5300	3340	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5412	3340	schtasks.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe24e4452c2fa32b490d57b57c307b8c2d.exedllhost.exe24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4532-132-0x0000000000B00000-0x0000000000DA4000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe	dcrat
C:\odt\RuntimeBroker.exe	dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe	dcrat
C:\Program Files\7-Zip\Lang\dllhost.exe	dcrat
C:\Program Files\7-Zip\Lang\dllhost.exe	dcrat

Executes dropped EXE 3 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe24e4452c2fa32b490d57b57c307b8c2d.exedllhost.exe

pid process

592 24e4452c2fa32b490d57b57c307b8c2d.exe
5488 24e4452c2fa32b490d57b57c307b8c2d.exe
5528 dllhost.exe

pid	process
592	24e4452c2fa32b490d57b57c307b8c2d.exe
5488	24e4452c2fa32b490d57b57c307b8c2d.exe
5528	dllhost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe24e4452c2fa32b490d57b57c307b8c2d.exe24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	24e4452c2fa32b490d57b57c307b8c2d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	24e4452c2fa32b490d57b57c307b8c2d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	24e4452c2fa32b490d57b57c307b8c2d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dllhost.exe24e4452c2fa32b490d57b57c307b8c2d.exe24e4452c2fa32b490d57b57c307b8c2d.exe24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ipinfo.io
32 ipinfo.io

flow	ioc
31	ipinfo.io
32	ipinfo.io

Drops file in Program Files directory 63 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe24e4452c2fa32b490d57b57c307b8c2d.exe24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\5b884080fd4f94	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files\7-Zip\Lang\dllhost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\24e4452c2fa32b490d57b57c307b8c2d.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\Windows Portable Devices\SearchApp.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXAC0C.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXC262.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\6203df4a6bafc7	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files\7-Zip\Lang\5940a34987c991	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX9B2A.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX9BB7.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\smss.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Windows Mail\System.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Windows Mail\27d1bcfc3c54e0	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\sppsvc.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\7a0fd90576e088	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\5b884080fd4f94	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\lsass.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\886983d96e3d3e	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXC1D5.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\lsass.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\dllhost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\System.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\RCXB859.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\upfc.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\0a1fd5f707cd16	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\69ddcba757bf72	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX8EED.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXB25A.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\RCXB8E6.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Internet Explorer\24e4452c2fa32b490d57b57c307b8c2d.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\9e8d7a4ca61bd9	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\smss.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RCXBC25.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX928A.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXB2D8.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\sppsvc.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files\Windows Portable Devices\SearchApp.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Common Files\System\upfc.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX91FC.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Internet Explorer\981892e0c668f9	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files\Windows Portable Devices\38384e6a620884	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Common Files\System\ea1d8f6d871115	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXA99A.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXACA9.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RCXBB97.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\5940a34987c991	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX8F7A.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXA90D.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe

Drops file in Windows directory 21 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
File opened for modification	C:\Windows\Downloaded Program Files\RCX88ED.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\ja-JP\services.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\CbsTemp\services.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\tracing\69ddcba757bf72	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\Registration\CRMLog\Idle.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\Downloaded Program Files\WmiPrvSE.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\ja-JP\c5b4cb5e9653cc	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX896B.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\Downloaded Program Files\WmiPrvSE.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\Downloaded Program Files\24dbde2999530e	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\System\Speech\taskhostw.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\ja-JP\RCXA2EE.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\CbsTemp\services.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\CbsTemp\c5b4cb5e9653cc	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\Registration\CRMLog\6ccacd8608530f	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\tracing\smss.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\Boot\StartMenuExperienceHost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\ja-JP\services.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\ja-JP\RCXA37C.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\tracing\smss.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\Registration\CRMLog\Idle.exe	24e4452c2fa32b490d57b57c307b8c2d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
5504	schtasks.exe
2304	schtasks.exe
444	schtasks.exe
5476	schtasks.exe
532	schtasks.exe
4232	schtasks.exe
4852	schtasks.exe
2052	schtasks.exe
3720	schtasks.exe
4868	schtasks.exe
5012	schtasks.exe
2196	schtasks.exe
620	schtasks.exe
1300	schtasks.exe
5772	schtasks.exe
4760	schtasks.exe
5860	schtasks.exe
4676	schtasks.exe
5188	schtasks.exe
4104	schtasks.exe
2432	schtasks.exe
4692	schtasks.exe
4768	schtasks.exe
1296	schtasks.exe
588	schtasks.exe
4124	schtasks.exe
5700	schtasks.exe
4616	schtasks.exe
2676	schtasks.exe
5636	schtasks.exe
4336	schtasks.exe
5016	schtasks.exe
4552	schtasks.exe
2596	schtasks.exe
5676	schtasks.exe
5736	schtasks.exe
4916	schtasks.exe
1136	schtasks.exe
2304	schtasks.exe
4252	schtasks.exe
5584	schtasks.exe
4668	schtasks.exe
1776	schtasks.exe
1260	schtasks.exe
1112	schtasks.exe
2844	schtasks.exe
1852	schtasks.exe
1980	schtasks.exe
2200	schtasks.exe
3840	schtasks.exe
976	schtasks.exe
2800	schtasks.exe
5128	schtasks.exe
1288	schtasks.exe
5760	schtasks.exe
2200	schtasks.exe
3792	schtasks.exe
704	schtasks.exe
3084	schtasks.exe
3116	schtasks.exe
1436	schtasks.exe
4608	schtasks.exe
5712	schtasks.exe
2148	schtasks.exe

Modifies registry class 2 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	24e4452c2fa32b490d57b57c307b8c2d.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	24e4452c2fa32b490d57b57c307b8c2d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe

pid	process
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe
4532	24e4452c2fa32b490d57b57c307b8c2d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

5528 dllhost.exe

pid	process
5528	dllhost.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe24e4452c2fa32b490d57b57c307b8c2d.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe24e4452c2fa32b490d57b57c307b8c2d.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4532	24e4452c2fa32b490d57b57c307b8c2d.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	592	24e4452c2fa32b490d57b57c307b8c2d.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	5928	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	5488	24e4452c2fa32b490d57b57c307b8c2d.exe
Token: SeDebugPrivilege	5224	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	5504	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	6140	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	5824	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	5332	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	5988	powershell.exe
Token: SeDebugPrivilege	5596	powershell.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeDebugPrivilege	5528	dllhost.exe
Token: SeBackupPrivilege	4436	vssvc.exe
Token: SeRestorePrivilege	4436	vssvc.exe
Token: SeAuditPrivilege	4436	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dllhost.exe

pid process

5528 dllhost.exe

pid	process
5528	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.execmd.exe24e4452c2fa32b490d57b57c307b8c2d.exe

description	pid	process	target process
PID 4532 wrote to memory of 3696	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 3696	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 3704	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 3704	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 2380	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 2380	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 1132	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 1132	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 3312	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 3312	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 3436	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 3436	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 2988	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 2988	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 532	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 532	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 5024	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 5024	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4972	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4972	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4376	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4376	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4820	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4820	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 632	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 632	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4580	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4580	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 1488	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 1488	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 2272	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 2272	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 732	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 732	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4852	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4852	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 1924	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 1924	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4756	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 4756	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 4532 wrote to memory of 3944	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	cmd.exe
PID 4532 wrote to memory of 3944	4532	24e4452c2fa32b490d57b57c307b8c2d.exe	cmd.exe
PID 3944 wrote to memory of 5716	3944	cmd.exe	w32tm.exe
PID 3944 wrote to memory of 5716	3944	cmd.exe	w32tm.exe
PID 3944 wrote to memory of 592	3944	cmd.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
PID 3944 wrote to memory of 592	3944	cmd.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
PID 592 wrote to memory of 4848	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 4848	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 4632	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 4632	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 4048	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 4048	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 5492	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 5492	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 5928	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 5928	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 2288	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 2288	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 3644	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 3644	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 3408	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 3408	592	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 592 wrote to memory of 5540	592	24e4452c2fa32b490d57b57c307b8c2d.exe	cmd.exe
PID 592 wrote to memory of 5540	592	24e4452c2fa32b490d57b57c307b8c2d.exe	cmd.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe24e4452c2fa32b490d57b57c307b8c2d.exedllhost.exe24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe
"C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\24e4452c2fa32b490d57b57c307b8c2d.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\wininit.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\SearchApp.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\System.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\services.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalLow\csrss.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\upfc.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fpJnj91JYj.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:5716

C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe
"C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\sppsvc.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\SppExtComObj.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FZzxWSrsif.bat"
4⤵
PID:5540

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe
"C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\TrustedInstaller.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchApp.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\lsass.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:6140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dllhost.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\smss.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\Idle.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\dllhost.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\services.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Program Files\7-Zip\Lang\dllhost.exe
"C:\Program Files\7-Zip\Lang\dllhost.exe"
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d2" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\24e4452c2fa32b490d57b57c307b8c2d.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\24e4452c2fa32b490d57b57c307b8c2d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d2" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\24e4452c2fa32b490d57b57c307b8c2d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Music\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\LocalLow\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\LocalLow\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\SppExtComObj.exe'" /f
1⤵
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
PID:5272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\services.exe'" /f
1⤵
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\CbsTemp\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\services.exe'" /rl HIGHEST /f
1⤵
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\TrustedInstaller.exe'" /f
1⤵
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
PID:5576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
PID:5816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\lsass.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /f
1⤵
PID:5172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /rl HIGHEST /f
1⤵
PID:5616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /rl HIGHEST /f
1⤵
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\odt\smss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f
1⤵
PID:5208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /f
1⤵
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\dllhost.exe'" /f
1⤵
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\smss.exe'" /f
1⤵
PID:6080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f
1⤵
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f
1⤵
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
PID:6116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
PID:5768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\dllhost.exe
Filesize
2.6MB

MD5
24e4452c2fa32b490d57b57c307b8c2d

SHA1
99570080bedc40498310a7044a47110a38637721

SHA256
1c2e46d685fdf5ee89fe9193e0ff0bf6dc7088014c29fe51f31e4e5613876eb6

SHA512
5a911f3046f58d58f2bbf3343965d46fe7d913d8ebb30488016cf6ff60ee307d8c9bc339b91b18dfe9e9e74f6f94b04c0ade7c1165709bf83149cf1c337d3f13

Download Submit
C:\Program Files\7-Zip\Lang\dllhost.exe
Filesize
2.6MB

MD5
24e4452c2fa32b490d57b57c307b8c2d

SHA1
99570080bedc40498310a7044a47110a38637721

SHA256
1c2e46d685fdf5ee89fe9193e0ff0bf6dc7088014c29fe51f31e4e5613876eb6

SHA512
5a911f3046f58d58f2bbf3343965d46fe7d913d8ebb30488016cf6ff60ee307d8c9bc339b91b18dfe9e9e74f6f94b04c0ade7c1165709bf83149cf1c337d3f13

Download Submit
C:\Recovery\WindowsRE\9e8d7a4ca61bd9
Filesize
537B

MD5
c0b76049f646e455a3c1543955687a49

SHA1
bebaec82595463662a9451824fe8125ad188a34f

SHA256
e7f051b9a2a2233243316f6f33100acfbbce920e683ee37f0581527de129a59f

SHA512
a9f00975ba7c59cde3f8158c460c8cd753e4ce37659e06835424af8b328e81dc67d758d0769455eda609848b698328d76b2e588e7a3da0a71edd286c67b67923

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe
Filesize
2.6MB

MD5
24e4452c2fa32b490d57b57c307b8c2d

SHA1
99570080bedc40498310a7044a47110a38637721

SHA256
1c2e46d685fdf5ee89fe9193e0ff0bf6dc7088014c29fe51f31e4e5613876eb6

SHA512
5a911f3046f58d58f2bbf3343965d46fe7d913d8ebb30488016cf6ff60ee307d8c9bc339b91b18dfe9e9e74f6f94b04c0ade7c1165709bf83149cf1c337d3f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\24e4452c2fa32b490d57b57c307b8c2d.exe.log
Filesize
1KB

MD5
3dabc3a15559ada6586962e5d966af35

SHA1
b9e7ebe34532596154354f7130acafe8654016ef

SHA256
43f6fa295df0ae3976c919bdd314b17768768b6eb14514b2b3a3fe8e7e477c5b

SHA512
e828eb2af6cb4551e3174cfe8fbcd3c7923ad71c8d6dbf33432223bb230561f8145fc894f457f6660266c2658166fca486c557337f1bafc1b9973d19959fa348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
be95052f298019b83e11336567f385fc

SHA1
556e6abda268afaeeec5e1ee65adc01660b70534

SHA256
ebc004fe961bed86adc4025cdbe3349699a5a1fc328cc3a37f3ff055e7e82027

SHA512
233df172f37f85d34448901057ff19f20792d6e139579a1235165d5f6056a2075c19c85bc9115a6bb74c9c949aebd7bb5391e2ae9f7b1af69e5c4aca3a48cff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3cf2800f99e09f816f2fd8a5c07bc1ed

SHA1
a9d0d470886e6a5407b94908e468dbf74f9f075a

SHA256
ae52557ee14fe108bd2f0b5e43b25f22ee4bc114e4b0b8714273f0bec657509c

SHA512
bd4d0c2cda37c0a8be85d0f4950f0dc8080bd54df7ca78024aa002759a57ba361f4c212397778fb9a0ede7d52e75fbef6d3ee5fa77ad872b4632d1163baea020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3cf2800f99e09f816f2fd8a5c07bc1ed

SHA1
a9d0d470886e6a5407b94908e468dbf74f9f075a

SHA256
ae52557ee14fe108bd2f0b5e43b25f22ee4bc114e4b0b8714273f0bec657509c

SHA512
bd4d0c2cda37c0a8be85d0f4950f0dc8080bd54df7ca78024aa002759a57ba361f4c212397778fb9a0ede7d52e75fbef6d3ee5fa77ad872b4632d1163baea020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3cf2800f99e09f816f2fd8a5c07bc1ed

SHA1
a9d0d470886e6a5407b94908e468dbf74f9f075a

SHA256
ae52557ee14fe108bd2f0b5e43b25f22ee4bc114e4b0b8714273f0bec657509c

SHA512
bd4d0c2cda37c0a8be85d0f4950f0dc8080bd54df7ca78024aa002759a57ba361f4c212397778fb9a0ede7d52e75fbef6d3ee5fa77ad872b4632d1163baea020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
b7b47377bcaba7a045dc11be31f711b3

SHA1
c915578f1139e3d0ca94d8ea73a17698771400e8

SHA256
23d457e05f8b8fc47e6617fee28d04a7e6fab993751b94514c9308e387c95a1a

SHA512
be381612f831f820e7fb04fa94c7a61954f4bba3d1b2d1112e455b41a6e9322b35e75311fbf24d5ff541a73d56bf79976e1462fee06d337341ad0953325636a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
dcee2c4799aaf7d786c7a18e235934c4

SHA1
92b08222812d2c4392cd5babf316c6509a1d202c

SHA256
33fb8b90e373768d57f2726dc808e2a6319dcea75ed4be819316a4bc3c2f85c1

SHA512
05986414ab12b9b52335528dc4dc1ef6fee378afa09a2858b0ea77cb0c9aaf4339ccae272bbc760ff63d31ad27e8a8206ae0152be82015f49c177cb62b515f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fdf15f7d08f3f7538ae67e5b3e5d23f4

SHA1
953ff0529053ce3a1930b4f5abba2364a8befbfc

SHA256
9f4964b9cf2c6d4915a8f2b9746dc5ff73d6f327c81370f92e0e7a611b28a707

SHA512
4fee933635376d1467e0be63d12fa897f83cbbf9cdd1ac79cce30dfaa2621d47e137e991b701f1ed9910767904dbfb6b89db2a02ce32edc410c83351f351d7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fdf15f7d08f3f7538ae67e5b3e5d23f4

SHA1
953ff0529053ce3a1930b4f5abba2364a8befbfc

SHA256
9f4964b9cf2c6d4915a8f2b9746dc5ff73d6f327c81370f92e0e7a611b28a707

SHA512
4fee933635376d1467e0be63d12fa897f83cbbf9cdd1ac79cce30dfaa2621d47e137e991b701f1ed9910767904dbfb6b89db2a02ce32edc410c83351f351d7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8d9b95fdab142bb52f794b152e9b8230

SHA1
badb1d4568eb62dca12181d0c7fb093779c9a4de

SHA256
b2b0ff5c6f0f0bbe286910bc2424d7b747fce3b7d7609cc6434aea99372aaa39

SHA512
3f05056bdec2e72f1342f45639c5a89aa175a3a4fdb8494dda31b346faf970b10cc0ab322533514d8f5b591e051a2a35595b0448918e25dbbc6cf02854276b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bf1cbedd91790c2be65fc829402dc0f1

SHA1
9f0e53c9cdd5ff915dde34c26119f027822ab08b

SHA256
7a48200a25d98070baaf5ffba058b4c32667910896d01f2ff95b490f09d961e6

SHA512
050dc81be09cb08e6944889809c1c6e4dda87ce6a47b78e8162a95efd5163b7e741b1ecec7662e77deeb36f6a47f20414766ce668f15074260d6f703c02e3d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8d9b95fdab142bb52f794b152e9b8230

SHA1
badb1d4568eb62dca12181d0c7fb093779c9a4de

SHA256
b2b0ff5c6f0f0bbe286910bc2424d7b747fce3b7d7609cc6434aea99372aaa39

SHA512
3f05056bdec2e72f1342f45639c5a89aa175a3a4fdb8494dda31b346faf970b10cc0ab322533514d8f5b591e051a2a35595b0448918e25dbbc6cf02854276b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8d9b95fdab142bb52f794b152e9b8230

SHA1
badb1d4568eb62dca12181d0c7fb093779c9a4de

SHA256
b2b0ff5c6f0f0bbe286910bc2424d7b747fce3b7d7609cc6434aea99372aaa39

SHA512
3f05056bdec2e72f1342f45639c5a89aa175a3a4fdb8494dda31b346faf970b10cc0ab322533514d8f5b591e051a2a35595b0448918e25dbbc6cf02854276b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bf1cbedd91790c2be65fc829402dc0f1

SHA1
9f0e53c9cdd5ff915dde34c26119f027822ab08b

SHA256
7a48200a25d98070baaf5ffba058b4c32667910896d01f2ff95b490f09d961e6

SHA512
050dc81be09cb08e6944889809c1c6e4dda87ce6a47b78e8162a95efd5163b7e741b1ecec7662e77deeb36f6a47f20414766ce668f15074260d6f703c02e3d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6b4e39689cee6c9a38f5a03b68b3df72

SHA1
af6cc92ac1532a1059151831885c2929d83f8107

SHA256
01bd20c1140847c1d579ca92531850535e5b0aaddfce3c8648716dc1cb811f8d

SHA512
9fb0e8c8ebd43525f8364eff0d18c02a34c044d14558cfbea351d283f03df9b84e3e32453e296b2cd844b785dcefef75adfeaff401d80462959104033fe7ba02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6b4e39689cee6c9a38f5a03b68b3df72

SHA1
af6cc92ac1532a1059151831885c2929d83f8107

SHA256
01bd20c1140847c1d579ca92531850535e5b0aaddfce3c8648716dc1cb811f8d

SHA512
9fb0e8c8ebd43525f8364eff0d18c02a34c044d14558cfbea351d283f03df9b84e3e32453e296b2cd844b785dcefef75adfeaff401d80462959104033fe7ba02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17ea263ce8c38396c330fd30047d0522

SHA1
65304731eecbe75dd17c1bafbcc48dbf25e17eb7

SHA256
e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8

SHA512
0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17ea263ce8c38396c330fd30047d0522

SHA1
65304731eecbe75dd17c1bafbcc48dbf25e17eb7

SHA256
e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8

SHA512
0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe
Filesize
2.6MB

MD5
24e4452c2fa32b490d57b57c307b8c2d

SHA1
99570080bedc40498310a7044a47110a38637721

SHA256
1c2e46d685fdf5ee89fe9193e0ff0bf6dc7088014c29fe51f31e4e5613876eb6

SHA512
5a911f3046f58d58f2bbf3343965d46fe7d913d8ebb30488016cf6ff60ee307d8c9bc339b91b18dfe9e9e74f6f94b04c0ade7c1165709bf83149cf1c337d3f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe
Filesize
2.6MB

MD5
24e4452c2fa32b490d57b57c307b8c2d

SHA1
99570080bedc40498310a7044a47110a38637721

SHA256
1c2e46d685fdf5ee89fe9193e0ff0bf6dc7088014c29fe51f31e4e5613876eb6

SHA512
5a911f3046f58d58f2bbf3343965d46fe7d913d8ebb30488016cf6ff60ee307d8c9bc339b91b18dfe9e9e74f6f94b04c0ade7c1165709bf83149cf1c337d3f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\861618fce7a13414d9661467cafea3df858c46384.5.332Rat01ae5043b4edcb8cf00c21396080e054436dcfb1
Filesize
500B

MD5
d1134b5721ec14892e871452bb5d44d7

SHA1
e61b5bf5bb4148e55f183a1d847f9744ce2ed505

SHA256
9de42cd48d99e1c58ab303f464533a7ae4f0fc051ce83c9d0997f92d59cc3e64

SHA512
b96a7ac5538208ef12af6bf0a59a476d40c3f661f0a40f1ec4efae5fb515a28702ce5621658b5fd4a88fad6fc76b2e2cd553255d624f064cf6c8b5328675453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\861618fce7a13414d9661467cafea3df858c46384.5.332Rat01ae5043b4edcb8cf00c21396080e054436dcfb1
Filesize
1KB

MD5
6cddebb1f3f9e438b805233f820fd3ff

SHA1
72dd3b4a3082da319d0732ea90957d9c011fc66e

SHA256
d91286f1e335f2a1edc2bb798e8200434bc0f1bd96aa195aab6bb194a4b3e2b6

SHA512
36cde812dbe87fd21ad36a78e6ea890d8b8a5c4cff71c4f7f35b7fe686c674fd75b9e13f5a05b43e5fe6938ab61488496c6e425abb032ec7b073e616795248ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\FZzxWSrsif.bat
Filesize
235B

MD5
ac70a68c23eadebd7a36177a85d1d739

SHA1
b326f9123840ac54cd67e3926ef69c184c56621b

SHA256
18c3b95e891bd649224f723601c34368a4e2160ce8052c1d3eb5127b4ac156dc

SHA512
b834bf25247bb11d557e7c4e625b30adc7ad9e2c97ae5bebb99911a9e278f712adbc9695ae4e4fe6989bbba61aebc288384fbf22b3783357b03812c744392bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpJnj91JYj.bat
Filesize
235B

MD5
98ba95b7898abc2b3f8c5e9d292a78c1

SHA1
230fd1905213aa437ff1a267362ff685f64cdf08

SHA256
7e9f2dba38ad5555380337561e270532bf16003848458178666e6fc6f1fcc13e

SHA512
5b4b128b92a1ee51c5b5e2feb8d462540ddc223d37d11d7dc3522fb7073c994a397ba3ec9f22eaaea5fe4013b048af5a3ae4b2913f6a6386782fb8141c7383b3

Download Submit
C:\odt\9e8d7a4ca61bd9
Filesize
455B

MD5
a3cfe5214686146035099cb39babbf14

SHA1
c252e56d85ecbf984e133b695a0d679b7cf2093f

SHA256
b3ed5a9a886ebadf2422b41d4cebb5e3056750cf801bdd673c333c25972bb316

SHA512
9913256d556c2f7b168e39e9a9c2393dae9bb4ac32561b6c240e9b0552134420e2618343eb6d551ea79e050f3ffa7e587991d9bbe2de8f4f2a045d13e5ddd19f

Download Submit
C:\odt\RuntimeBroker.exe
Filesize
2.6MB

MD5
24e4452c2fa32b490d57b57c307b8c2d

SHA1
99570080bedc40498310a7044a47110a38637721

SHA256
1c2e46d685fdf5ee89fe9193e0ff0bf6dc7088014c29fe51f31e4e5613876eb6

SHA512
5a911f3046f58d58f2bbf3343965d46fe7d913d8ebb30488016cf6ff60ee307d8c9bc339b91b18dfe9e9e74f6f94b04c0ade7c1165709bf83149cf1c337d3f13

Download Submit
memory/532-175-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/532-150-0x0000000000000000-mapping.dmp

Download
memory/532-211-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/592-237-0x000000001E050000-0x000000001E054000-memory.dmp

Filesize
16KB

Download
memory/592-250-0x000000001E050000-0x000000001E054000-memory.dmp

Filesize
16KB

Download
memory/592-234-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/592-249-0x000000001B7A9000-0x000000001B7AF000-memory.dmp

Filesize
24KB

Download
memory/592-236-0x000000001B7A9000-0x000000001B7AF000-memory.dmp

Filesize
24KB

Download
memory/592-231-0x0000000000000000-mapping.dmp

Download
memory/592-251-0x000000001E054000-0x000000001E057000-memory.dmp

Filesize
12KB

Download
memory/592-248-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/632-216-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/632-182-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/632-155-0x0000000000000000-mapping.dmp

Download
memory/732-187-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/732-159-0x0000000000000000-mapping.dmp

Download
memory/732-223-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/908-290-0x0000000000000000-mapping.dmp

Download
memory/1132-173-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/1132-146-0x0000000000000000-mapping.dmp

Download
memory/1132-198-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/1488-157-0x0000000000000000-mapping.dmp

Download
memory/1488-185-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/1488-220-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/1564-294-0x0000000000000000-mapping.dmp

Download
memory/1924-161-0x0000000000000000-mapping.dmp

Download
memory/1924-188-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/1924-228-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/2176-302-0x0000000000000000-mapping.dmp

Download
memory/2272-186-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/2272-227-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/2272-158-0x0000000000000000-mapping.dmp

Download
memory/2288-243-0x0000000000000000-mapping.dmp

Download
memory/2300-292-0x0000000000000000-mapping.dmp

Download
memory/2380-163-0x00000177C3FF0000-0x00000177C4012000-memory.dmp

Filesize
136KB

Download
memory/2380-165-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/2380-145-0x0000000000000000-mapping.dmp

Download
memory/2380-190-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/2448-298-0x0000000000000000-mapping.dmp

Download
memory/2988-214-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/2988-174-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/2988-149-0x0000000000000000-mapping.dmp

Download
memory/3216-295-0x0000000000000000-mapping.dmp

Download
memory/3236-291-0x0000000000000000-mapping.dmp

Download
memory/3312-194-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/3312-147-0x0000000000000000-mapping.dmp

Download
memory/3312-171-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/3408-245-0x0000000000000000-mapping.dmp

Download
memory/3436-199-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/3436-148-0x0000000000000000-mapping.dmp

Download
memory/3436-168-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/3644-244-0x0000000000000000-mapping.dmp

Download
memory/3696-143-0x0000000000000000-mapping.dmp

Download
memory/3696-176-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/3696-212-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/3704-166-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/3704-144-0x0000000000000000-mapping.dmp

Download
memory/3704-197-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/3752-253-0x0000000000000000-mapping.dmp

Download
memory/3944-164-0x0000000000000000-mapping.dmp

Download
memory/4048-254-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4048-240-0x0000000000000000-mapping.dmp

Download
memory/4240-297-0x0000000000000000-mapping.dmp

Download
memory/4376-218-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4376-181-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4376-153-0x0000000000000000-mapping.dmp

Download
memory/4532-141-0x000000001E7C0000-0x000000001E7C4000-memory.dmp

Filesize
16KB

Download
memory/4532-137-0x000000001E7C4000-0x000000001E7C7000-memory.dmp

Filesize
12KB

Download
memory/4532-133-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4532-134-0x000000001D740000-0x000000001DC68000-memory.dmp

Filesize
5.2MB

Download
memory/4532-132-0x0000000000B00000-0x0000000000DA4000-memory.dmp

Filesize
2.6MB

Download
memory/4532-172-0x000000001E7C7000-0x000000001E7CA000-memory.dmp

Filesize
12KB

Download
memory/4532-167-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4532-135-0x000000001B989000-0x000000001B98F000-memory.dmp

Filesize
24KB

Download
memory/4532-136-0x000000001E7C0000-0x000000001E7C4000-memory.dmp

Filesize
16KB

Download
memory/4532-142-0x000000001E7C4000-0x000000001E7C7000-memory.dmp

Filesize
12KB

Download
memory/4532-140-0x000000001B989000-0x000000001B98F000-memory.dmp

Filesize
24KB

Download
memory/4532-139-0x000000001E7C7000-0x000000001E7CA000-memory.dmp

Filesize
12KB

Download
memory/4532-169-0x000000001E7C0000-0x000000001E7C4000-memory.dmp

Filesize
16KB

Download
memory/4532-138-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4532-170-0x000000001E7C4000-0x000000001E7C7000-memory.dmp

Filesize
12KB

Download
memory/4580-183-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4580-156-0x0000000000000000-mapping.dmp

Download
memory/4580-215-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4632-239-0x0000000000000000-mapping.dmp

Download
memory/4756-189-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4756-230-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4756-162-0x0000000000000000-mapping.dmp

Download
memory/4820-180-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4820-154-0x0000000000000000-mapping.dmp

Download
memory/4820-209-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4848-238-0x0000000000000000-mapping.dmp

Download
memory/4852-160-0x0000000000000000-mapping.dmp

Download
memory/4852-225-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4852-202-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4972-207-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/4972-152-0x0000000000000000-mapping.dmp

Download
memory/4972-177-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/5024-205-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/5024-151-0x0000000000000000-mapping.dmp

Download
memory/5024-179-0x00007FF905BB0000-0x00007FF906671000-memory.dmp

Filesize
10.8MB

Download
memory/5224-289-0x0000000000000000-mapping.dmp

Download
memory/5232-304-0x0000000000000000-mapping.dmp

Download
memory/5332-299-0x0000000000000000-mapping.dmp

Download
memory/5488-275-0x0000000000000000-mapping.dmp

Download
memory/5492-241-0x0000000000000000-mapping.dmp

Download
memory/5504-296-0x0000000000000000-mapping.dmp

Download
memory/5528-315-0x0000000000000000-mapping.dmp

Download
memory/5540-246-0x0000000000000000-mapping.dmp

Download
memory/5596-303-0x0000000000000000-mapping.dmp

Download
memory/5716-184-0x0000000000000000-mapping.dmp

Download
memory/5824-300-0x0000000000000000-mapping.dmp

Download
memory/5928-242-0x0000000000000000-mapping.dmp

Download
memory/5988-301-0x0000000000000000-mapping.dmp

Download
memory/6140-293-0x0000000000000000-mapping.dmp

Download