colibri | 1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2022 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37aa26e9208b0930fb1068d718d2e32e.exe
Size

4.9MB
MD5

37aa26e9208b0930fb1068d718d2e32e
SHA1

89a3c8a1f0288b0cb6797d0e17ddaa7961d65acc
SHA256

1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3
SHA512

5c2645f16f8a0ba54c31128fc5f0f8b7b5e81ce208f42798904d39fd6de08e6f1378f9665e70412f5ba6b575dd90ca90191a8cbcdbf24511337a0ecf422d7fc8
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 evasion infostealer loader rat spyware stealer trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe37aa26e9208b0930fb1068d718d2e32e.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3900	schtasks.exe
2160	schtasks.exe
4600	schtasks.exe
4136	schtasks.exe
4020	schtasks.exe
5496	schtasks.exe
4660	schtasks.exe
4040	schtasks.exe
5980	schtasks.exe
File created	C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3	37aa26e9208b0930fb1068d718d2e32e.exe
3508	schtasks.exe
4956	schtasks.exe
5976	schtasks.exe
1092	schtasks.exe
6024	schtasks.exe
File created	C:\Program Files (x86)\Windows Mail\c5b4cb5e9653cc	37aa26e9208b0930fb1068d718d2e32e.exe
2632	schtasks.exe
5420	schtasks.exe
3432	schtasks.exe
3540	schtasks.exe
5752	schtasks.exe
5824	schtasks.exe
5356	schtasks.exe
4656	schtasks.exe
4732	schtasks.exe
3088	schtasks.exe
3824	schtasks.exe
File created	C:\Windows\tracing\5b884080fd4f94	37aa26e9208b0930fb1068d718d2e32e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37aa26e9208b0930fb1068d718d2e32e.exe
2428	schtasks.exe
4688	schtasks.exe
3620	schtasks.exe
2328	schtasks.exe
5468	schtasks.exe
5388	schtasks.exe
2820	schtasks.exe
5444	schtasks.exe
5704	schtasks.exe
4256	schtasks.exe
224	schtasks.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6203df4a6bafc7	37aa26e9208b0930fb1068d718d2e32e.exe
5436	schtasks.exe
2340	schtasks.exe
5016	schtasks.exe
4632	schtasks.exe
5452	schtasks.exe
2464	schtasks.exe
4680	schtasks.exe
2116	schtasks.exe
2700	schtasks.exe
5320	schtasks.exe
1312	schtasks.exe
3320	schtasks.exe
5900	schtasks.exe
4320	schtasks.exe
620	schtasks.exe
4560	schtasks.exe
5020	schtasks.exe
5404	schtasks.exe
2060	schtasks.exe
5344	schtasks.exe
5304	schtasks.exe
2228	schtasks.exe
3752	schtasks.exe

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	176	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5420	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5436	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5468	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5452	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5404	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5388	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5444	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5704	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5752	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5976	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6024	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5980	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5344	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5304	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5320	528	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5356	528	schtasks.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37aa26e9208b0930fb1068d718d2e32e.exe

Executes dropped EXE 11 IoCs

Processes:

tmp8BBA.tmp.exetmp8BBA.tmp.exe37aa26e9208b0930fb1068d718d2e32e.exetmpD45C.tmp.exetmpD45C.tmp.exe37aa26e9208b0930fb1068d718d2e32e.exetmp101D.tmp.exetmp101D.tmp.exeexplorer.exetmp33C2.tmp.exetmp33C2.tmp.exe

pid	process
4216	tmp8BBA.tmp.exe
3496	tmp8BBA.tmp.exe
5260	37aa26e9208b0930fb1068d718d2e32e.exe
5680	tmpD45C.tmp.exe
5740	tmpD45C.tmp.exe
216	37aa26e9208b0930fb1068d718d2e32e.exe
5264	tmp101D.tmp.exe
3432	tmp101D.tmp.exe
5572	explorer.exe
628	tmp33C2.tmp.exe
4136	tmp33C2.tmp.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	37aa26e9208b0930fb1068d718d2e32e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	37aa26e9208b0930fb1068d718d2e32e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	37aa26e9208b0930fb1068d718d2e32e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

explorer.exe37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 ipinfo.io
51 ipinfo.io

flow	ioc
50	ipinfo.io
51	ipinfo.io

Suspicious use of SetThreadContext 4 IoCs

Processes:

tmp8BBA.tmp.exetmpD45C.tmp.exetmp101D.tmp.exetmp33C2.tmp.exe

description	pid	process	target process
PID 4216 set thread context of 3496	4216	tmp8BBA.tmp.exe	tmp8BBA.tmp.exe
PID 5680 set thread context of 5740	5680	tmpD45C.tmp.exe	tmpD45C.tmp.exe
PID 5264 set thread context of 3432	5264	tmp101D.tmp.exe	tmp101D.tmp.exe
PID 628 set thread context of 4136	628	tmp33C2.tmp.exe	tmp33C2.tmp.exe

Drops file in Program Files directory 24 IoCs

Processes:

37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exe

description	ioc	process
File opened for modification	C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\sihost.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files\Windows Defender\it-IT\taskhostw.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files\Windows Defender\it-IT\ea9f0e6c9e2dcd	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files\Internet Explorer\en-US\9e8d7a4ca61bd9	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files (x86)\Windows Mail\c5b4cb5e9653cc	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\taskhostw.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXABD2.tmp	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\sihost.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\66fc9ff0ee96c2	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6203df4a6bafc7	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX99CA.tmp	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\services.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\RCX9C5B.tmp	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files (x86)\Windows Mail\services.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\9e8d7a4ca61bd9	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\1f93f77a7f4778	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe	37aa26e9208b0930fb1068d718d2e32e.exe

Drops file in Windows directory 8 IoCs

Processes:

37aa26e9208b0930fb1068d718d2e32e.exe

description	ioc	process
File opened for modification	C:\Windows\tracing\fontdrvhost.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Windows\Prefetch\ReadyBoot\dwm.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\dwm.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Windows\Prefetch\ReadyBoot\6cb0b6c459d5d3	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Windows\tracing\fontdrvhost.exe	37aa26e9208b0930fb1068d718d2e32e.exe
File created	C:\Windows\tracing\5b884080fd4f94	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX8F85.tmp	37aa26e9208b0930fb1068d718d2e32e.exe
File opened for modification	C:\Windows\tracing\RCX9EFC.tmp	37aa26e9208b0930fb1068d718d2e32e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4136	schtasks.exe
3824	schtasks.exe
4020	schtasks.exe
2340	schtasks.exe
5444	schtasks.exe
1312	schtasks.exe
2060	schtasks.exe
2160	schtasks.exe
224	schtasks.exe
4256	schtasks.exe
2116	schtasks.exe
3620	schtasks.exe
2632	schtasks.exe
5900	schtasks.exe
3320	schtasks.exe
4600	schtasks.exe
5980	schtasks.exe
5304	schtasks.exe
5976	schtasks.exe
2328	schtasks.exe
4732	schtasks.exe
4656	schtasks.exe
3088	schtasks.exe
3508	schtasks.exe
4360	schtasks.exe
2228	schtasks.exe
3540	schtasks.exe
2428	schtasks.exe
4680	schtasks.exe
5420	schtasks.exe
5752	schtasks.exe
5356	schtasks.exe
5404	schtasks.exe
6024	schtasks.exe
4688	schtasks.exe
4560	schtasks.exe
176	schtasks.exe
2464	schtasks.exe
1092	schtasks.exe
4368	schtasks.exe
3088	schtasks.exe
5468	schtasks.exe
4040	schtasks.exe
5016	schtasks.exe
2700	schtasks.exe
5824	schtasks.exe
5320	schtasks.exe
3432	schtasks.exe
2820	schtasks.exe
620	schtasks.exe
5452	schtasks.exe
4660	schtasks.exe
5496	schtasks.exe
5344	schtasks.exe
4956	schtasks.exe
3900	schtasks.exe
5020	schtasks.exe
5704	schtasks.exe
5388	schtasks.exe
4632	schtasks.exe
4320	schtasks.exe
3752	schtasks.exe
5436	schtasks.exe

Modifies registry class 4 IoCs

Processes:

37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	37aa26e9208b0930fb1068d718d2e32e.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	37aa26e9208b0930fb1068d718d2e32e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	37aa26e9208b0930fb1068d718d2e32e.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
3112	37aa26e9208b0930fb1068d718d2e32e.exe
1768	powershell.exe
1768	powershell.exe
2000	powershell.exe
2000	powershell.exe
4060	powershell.exe
4060	powershell.exe
4312	powershell.exe
4312	powershell.exe
4056	powershell.exe
4056	powershell.exe
5100	powershell.exe
5100	powershell.exe
4612	powershell.exe
4612	powershell.exe
5116	powershell.exe
5116	powershell.exe
4220	powershell.exe
4220	powershell.exe
2744	powershell.exe
2744	powershell.exe
4660	schtasks.exe
4660	schtasks.exe
4540	powershell.exe
4540	powershell.exe
4660	schtasks.exe
4540	powershell.exe
4220	powershell.exe
4312	powershell.exe
5116	powershell.exe
2000	powershell.exe
4060	powershell.exe
2744	powershell.exe
5100	powershell.exe
4056	powershell.exe
4612	powershell.exe
1768	powershell.exe
1768	powershell.exe
5260	37aa26e9208b0930fb1068d718d2e32e.exe
5260	37aa26e9208b0930fb1068d718d2e32e.exe
5260	37aa26e9208b0930fb1068d718d2e32e.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

37aa26e9208b0930fb1068d718d2e32e.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeschtasks.exepowershell.exe37aa26e9208b0930fb1068d718d2e32e.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeConhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe37aa26e9208b0930fb1068d718d2e32e.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3112	37aa26e9208b0930fb1068d718d2e32e.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	4660	schtasks.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	5260	37aa26e9208b0930fb1068d718d2e32e.exe
Token: SeDebugPrivilege	5788	powershell.exe
Token: SeDebugPrivilege	5764	powershell.exe
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeDebugPrivilege	5828	powershell.exe
Token: SeDebugPrivilege	5856	powershell.exe
Token: SeDebugPrivilege	5912	powershell.exe
Token: SeDebugPrivilege	5944	Conhost.exe
Token: SeDebugPrivilege	6028	powershell.exe
Token: SeDebugPrivilege	6092	powershell.exe
Token: SeDebugPrivilege	6132	powershell.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	216	37aa26e9208b0930fb1068d718d2e32e.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	5540	powershell.exe
Token: SeDebugPrivilege	6016	powershell.exe
Token: SeDebugPrivilege	6060	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	5572	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

5572 explorer.exe

pid	process
5572	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

37aa26e9208b0930fb1068d718d2e32e.exetmp8BBA.tmp.exe37aa26e9208b0930fb1068d718d2e32e.exetmpD45C.tmp.exe

description	pid	process	target process
PID 3112 wrote to memory of 4216	3112	37aa26e9208b0930fb1068d718d2e32e.exe	tmp8BBA.tmp.exe
PID 3112 wrote to memory of 4216	3112	37aa26e9208b0930fb1068d718d2e32e.exe	tmp8BBA.tmp.exe
PID 3112 wrote to memory of 4216	3112	37aa26e9208b0930fb1068d718d2e32e.exe	tmp8BBA.tmp.exe
PID 4216 wrote to memory of 3496	4216	tmp8BBA.tmp.exe	tmp8BBA.tmp.exe
PID 4216 wrote to memory of 3496	4216	tmp8BBA.tmp.exe	tmp8BBA.tmp.exe
PID 4216 wrote to memory of 3496	4216	tmp8BBA.tmp.exe	tmp8BBA.tmp.exe
PID 4216 wrote to memory of 3496	4216	tmp8BBA.tmp.exe	tmp8BBA.tmp.exe
PID 4216 wrote to memory of 3496	4216	tmp8BBA.tmp.exe	tmp8BBA.tmp.exe
PID 4216 wrote to memory of 3496	4216	tmp8BBA.tmp.exe	tmp8BBA.tmp.exe
PID 4216 wrote to memory of 3496	4216	tmp8BBA.tmp.exe	tmp8BBA.tmp.exe
PID 3112 wrote to memory of 4660	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4660	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 2000	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 2000	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 1768	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 1768	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 5100	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 5100	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4312	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4312	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4056	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4056	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4060	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4060	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 5116	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 5116	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4612	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4612	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 2744	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 2744	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4220	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4220	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4540	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 4540	3112	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 3112 wrote to memory of 5260	3112	37aa26e9208b0930fb1068d718d2e32e.exe	37aa26e9208b0930fb1068d718d2e32e.exe
PID 3112 wrote to memory of 5260	3112	37aa26e9208b0930fb1068d718d2e32e.exe	37aa26e9208b0930fb1068d718d2e32e.exe
PID 5260 wrote to memory of 5680	5260	37aa26e9208b0930fb1068d718d2e32e.exe	tmpD45C.tmp.exe
PID 5260 wrote to memory of 5680	5260	37aa26e9208b0930fb1068d718d2e32e.exe	tmpD45C.tmp.exe
PID 5260 wrote to memory of 5680	5260	37aa26e9208b0930fb1068d718d2e32e.exe	tmpD45C.tmp.exe
PID 5680 wrote to memory of 5740	5680	tmpD45C.tmp.exe	tmpD45C.tmp.exe
PID 5680 wrote to memory of 5740	5680	tmpD45C.tmp.exe	tmpD45C.tmp.exe
PID 5680 wrote to memory of 5740	5680	tmpD45C.tmp.exe	tmpD45C.tmp.exe
PID 5680 wrote to memory of 5740	5680	tmpD45C.tmp.exe	tmpD45C.tmp.exe
PID 5680 wrote to memory of 5740	5680	tmpD45C.tmp.exe	tmpD45C.tmp.exe
PID 5680 wrote to memory of 5740	5680	tmpD45C.tmp.exe	tmpD45C.tmp.exe
PID 5680 wrote to memory of 5740	5680	tmpD45C.tmp.exe	tmpD45C.tmp.exe
PID 5260 wrote to memory of 5764	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5764	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5788	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5788	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5828	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5828	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5856	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5856	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5876	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5876	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5912	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5912	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 5944	5260	37aa26e9208b0930fb1068d718d2e32e.exe	Conhost.exe
PID 5260 wrote to memory of 5944	5260	37aa26e9208b0930fb1068d718d2e32e.exe	Conhost.exe
PID 5260 wrote to memory of 6028	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 6028	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 6092	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe
PID 5260 wrote to memory of 6092	5260	37aa26e9208b0930fb1068d718d2e32e.exe	powershell.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exe37aa26e9208b0930fb1068d718d2e32e.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37aa26e9208b0930fb1068d718d2e32e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

C:\Users\Admin\AppData\Local\Temp\37aa26e9208b0930fb1068d718d2e32e.exe
"C:\Users\Admin\AppData\Local\Temp\37aa26e9208b0930fb1068d718d2e32e.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3112

C:\Users\Admin\AppData\Local\Temp\tmp8BBA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8BBA.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\tmp8BBA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8BBA.tmp.exe"
3⤵
- Executes dropped EXE
PID:3496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Users\Admin\AppData\Local\Temp\37aa26e9208b0930fb1068d718d2e32e.exe
"C:\Users\Admin\AppData\Local\Temp\37aa26e9208b0930fb1068d718d2e32e.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5260

C:\Users\Admin\AppData\Local\Temp\tmpD45C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD45C.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5680

C:\Users\Admin\AppData\Local\Temp\tmpD45C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD45C.tmp.exe"
4⤵
- Executes dropped EXE
PID:5740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
3⤵
PID:5944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sGBfOUR3su.bat"
3⤵
PID:5544

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\37aa26e9208b0930fb1068d718d2e32e.exe
"C:\Users\Admin\AppData\Local\Temp\37aa26e9208b0930fb1068d718d2e32e.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:216

C:\Users\Admin\AppData\Local\Temp\tmp101D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp101D.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5264

C:\Users\Admin\AppData\Local\Temp\tmp101D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp101D.tmp.exe"
6⤵
- Executes dropped EXE
PID:3432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:6060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:6016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\odt\explorer.exe
"C:\odt\explorer.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5572

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3b97a7f-381d-4835-aa1d-69ee0270f627.vbs"
6⤵
PID:5872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86ac4136-bc1b-4f56-9d5f-de816af0b5ec.vbs"
6⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\tmp33C2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp33C2.tmp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\odt\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\tracing\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\odt\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\it-IT\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\odt\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Templates\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5356

C:\Users\Admin\AppData\Local\Temp\tmp33C2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp33C2.tmp.exe"
1⤵
- Executes dropped EXE
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\37aa26e9208b0930fb1068d718d2e32e.exe.log
Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
46bf20e17dec660ef09b16e41372a7c3

SHA1
cf8daa89a45784a385b75cf5e90d3f59706ac5d5

SHA256
719589acc67594a2add00dca3c097551163199edbdd59a7f62f783871ef96e17

SHA512
91225c1aac17fa26ec00913d5e96950ed11d44a1fd28f34a1810fe143176864cf2b9624dc053183d8f28db5a3903c5e092aab180fb21ce2a3775223ee111df54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
46bf20e17dec660ef09b16e41372a7c3

SHA1
cf8daa89a45784a385b75cf5e90d3f59706ac5d5

SHA256
719589acc67594a2add00dca3c097551163199edbdd59a7f62f783871ef96e17

SHA512
91225c1aac17fa26ec00913d5e96950ed11d44a1fd28f34a1810fe143176864cf2b9624dc053183d8f28db5a3903c5e092aab180fb21ce2a3775223ee111df54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d35e2d7e3fea8b113ff956aabf1bdfce

SHA1
342953736ea3e8b6f506d5af4b22f60dd6ebae59

SHA256
49492284b10dff790303a2bbd13eb4335b58a093253671ac4b66d13795df62e9

SHA512
231cfe33efb22e4c9eefd3cf9a9ba49abffe9ce1c4a60a2b8bbf7e4072b2ba6eb9eecede4cfae4f049fab451cc30996f5c765eeaff321329f7e9b8cb408ecda7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d35e2d7e3fea8b113ff956aabf1bdfce

SHA1
342953736ea3e8b6f506d5af4b22f60dd6ebae59

SHA256
49492284b10dff790303a2bbd13eb4335b58a093253671ac4b66d13795df62e9

SHA512
231cfe33efb22e4c9eefd3cf9a9ba49abffe9ce1c4a60a2b8bbf7e4072b2ba6eb9eecede4cfae4f049fab451cc30996f5c765eeaff321329f7e9b8cb408ecda7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d14ccefeb263594e60b1765e131f7a3

SHA1
4a9ebdc0dff58645406c40b7b140e1b174756721

SHA256
57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

SHA512
2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
484ea5e8fbe44c2bfdeb945ec3776217

SHA1
d9e54400c65dab5c54091c94de599dd2ec753d64

SHA256
a879c04d3cf56084f80a1a93bd6924d3655b9df22a7ba7e57239c575aac13691

SHA512
44c1f4e31e8df8795f171ea1695d12598d80b64d91531ed221f098206eb1114ad3edde29dbd053c2f8ebc2cfa990e7478f29cab60f425b5c32098c039cb64a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8d9b95fdab142bb52f794b152e9b8230

SHA1
badb1d4568eb62dca12181d0c7fb093779c9a4de

SHA256
b2b0ff5c6f0f0bbe286910bc2424d7b747fce3b7d7609cc6434aea99372aaa39

SHA512
3f05056bdec2e72f1342f45639c5a89aa175a3a4fdb8494dda31b346faf970b10cc0ab322533514d8f5b591e051a2a35595b0448918e25dbbc6cf02854276b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bc113211a3e72478c93989952aee3251

SHA1
5eeb2f2e4642ef5f147dd118742ea3c3dcf0cd16

SHA256
c6059355503eca5b35ac8446442eb5031ab610b7353cd2e8a3cf07dc99469fae

SHA512
c0748cc3a4b701f5cefeeaf9ac1bdbae28cfcf1dad8e89a2db2c756b908011ee8e945b6d02bef816763fc5acc38a72657316f5cd56c62342c8e779a50f4f4460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
f6b5bbcd2386512d0b9af775e45d3770

SHA1
a3f6c4f46c10ce9d9b7d8a0a7b8a922dbbdd3d43

SHA256
50adabd48c94301dd4c4338e23583a702f7626abf793e6ae2eb919a18c8db999

SHA512
3775a27e3ad5a6149b88214f8bc6e45335e02af4589468ca8c140db758f152a59adf3c56361523b09c6ac2b316bd6c66886f9755a1823fc2c4468a1fad417add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bc113211a3e72478c93989952aee3251

SHA1
5eeb2f2e4642ef5f147dd118742ea3c3dcf0cd16

SHA256
c6059355503eca5b35ac8446442eb5031ab610b7353cd2e8a3cf07dc99469fae

SHA512
c0748cc3a4b701f5cefeeaf9ac1bdbae28cfcf1dad8e89a2db2c756b908011ee8e945b6d02bef816763fc5acc38a72657316f5cd56c62342c8e779a50f4f4460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8fbdf20dd30b6ccf91308090184986d8

SHA1
fde6e3a60582552e322af16289c63d6943a18a78

SHA256
3b67692f7e6b5569626ecbf266289b9ae7cb4dc40ee5165eb6c6ea70c5f1f78b

SHA512
3ceefad823f555c522d46b266a6c77ea51002f1fb7426992f8a4ea70f0b9cf1ab6979db319c480cfcd51dc393407d3de5e111368b951a6d15766aa296045ffee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cf79136142125a14a0d763b303b2effd

SHA1
20c496b9c84ddb9c365d6c59823660768c9dfdf7

SHA256
38297561076f05a1d94b8c6273098acc6866a563466e6a62e1c75846210715e3

SHA512
37e871507b221658b17bc7b1e100a695ed2ddcd5fa39176dc0ee858c7ef78d279699cd493532e1c95774f3b8a869d6a1d8fa3096314ba17025ec0041e2033522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cf79136142125a14a0d763b303b2effd

SHA1
20c496b9c84ddb9c365d6c59823660768c9dfdf7

SHA256
38297561076f05a1d94b8c6273098acc6866a563466e6a62e1c75846210715e3

SHA512
37e871507b221658b17bc7b1e100a695ed2ddcd5fa39176dc0ee858c7ef78d279699cd493532e1c95774f3b8a869d6a1d8fa3096314ba17025ec0041e2033522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cf79136142125a14a0d763b303b2effd

SHA1
20c496b9c84ddb9c365d6c59823660768c9dfdf7

SHA256
38297561076f05a1d94b8c6273098acc6866a563466e6a62e1c75846210715e3

SHA512
37e871507b221658b17bc7b1e100a695ed2ddcd5fa39176dc0ee858c7ef78d279699cd493532e1c95774f3b8a869d6a1d8fa3096314ba17025ec0041e2033522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
816d03b14553d8d2cd19771bf135873f

SHA1
3efdd566ca724299705e7c30d4cbb84349b7a1ae

SHA256
70d3acdba0037de3d175aca44a86daf8392b2350f6f8b026b7accb02f95a9304

SHA512
365ac792e05619e5ef42b40f1e4dd5d1ebb18a5a409be9c5428e52be7896f4b18eef2a93a4e0f5e1930996bf70798fe45fc5b6d829687d975191015944dbbdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\37aa26e9208b0930fb1068d718d2e32e.exe
Filesize
4.9MB

MD5
37aa26e9208b0930fb1068d718d2e32e

SHA1
89a3c8a1f0288b0cb6797d0e17ddaa7961d65acc

SHA256
1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3

SHA512
5c2645f16f8a0ba54c31128fc5f0f8b7b5e81ce208f42798904d39fd6de08e6f1378f9665e70412f5ba6b575dd90ca90191a8cbcdbf24511337a0ecf422d7fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\37aa26e9208b0930fb1068d718d2e32e.exe
Filesize
4.9MB

MD5
37aa26e9208b0930fb1068d718d2e32e

SHA1
89a3c8a1f0288b0cb6797d0e17ddaa7961d65acc

SHA256
1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3

SHA512
5c2645f16f8a0ba54c31128fc5f0f8b7b5e81ce208f42798904d39fd6de08e6f1378f9665e70412f5ba6b575dd90ca90191a8cbcdbf24511337a0ecf422d7fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\86ac4136-bc1b-4f56-9d5f-de816af0b5ec.vbs
Filesize
471B

MD5
e2044d3fabb52bcbbf11b094e31a1ded

SHA1
5d69629d94f2d7126134824edd088ffd0d921b98

SHA256
505c7bd163f18f0456c369b2bcff99c2b8ebdab543c953038dfec648fd655656

SHA512
f247a2ec580a784304cec74491989918d24106934f45fed16ecffd94b9fd3243f712d0f82a28bb93a15097d6ed70b1b9762f47bc322050f05f39af9d904cc52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3b97a7f-381d-4835-aa1d-69ee0270f627.vbs
Filesize
695B

MD5
0715cfaf2706de56ee0ca5629556d57a

SHA1
4fd4698d0a6aa48bd6ca2c47d6119844214e8300

SHA256
110b223955c7c2d132e26a301b2954825fe78e30c9faa416b52d85bfa530fca0

SHA512
9951b7052c0e8e87e2db3a683a4d4d0fec5a069a2578273643d4baa69a51a88d3b37ae286667a8a23291b8b930df9827b8ab41a12b53c523225fed56d3b5c2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sGBfOUR3su.bat
Filesize
235B

MD5
fcfd872ff133c4dbce92e2b7bb75c79f

SHA1
7777ee5d16521cff9cbdbbab4be25821942972cc

SHA256
d735f468f259bec007311b356c6911806429de33b186e144a0e9246e38eac7d3

SHA512
c35c8fb38a2f49ef1eb1b5a948eb388d33877a0d047902158aa34e587f7a1a1e53c1fd70a07a06738ee667c74971c70ddd10ae9a1cbdf2c589ec5e7005bf566c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp101D.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp101D.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp101D.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp33C2.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp33C2.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp33C2.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BBA.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BBA.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BBA.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD45C.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD45C.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD45C.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\odt\explorer.exe
Filesize
4.9MB

MD5
37aa26e9208b0930fb1068d718d2e32e

SHA1
89a3c8a1f0288b0cb6797d0e17ddaa7961d65acc

SHA256
1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3

SHA512
5c2645f16f8a0ba54c31128fc5f0f8b7b5e81ce208f42798904d39fd6de08e6f1378f9665e70412f5ba6b575dd90ca90191a8cbcdbf24511337a0ecf422d7fc8

Download Submit
C:\odt\explorer.exe
Filesize
4.9MB

MD5
37aa26e9208b0930fb1068d718d2e32e

SHA1
89a3c8a1f0288b0cb6797d0e17ddaa7961d65acc

SHA256
1a93d204cd4bf9b77434af18be074c47ad7fcebdd109ecc87f77d6b78a9ff2b3

SHA512
5c2645f16f8a0ba54c31128fc5f0f8b7b5e81ce208f42798904d39fd6de08e6f1378f9665e70412f5ba6b575dd90ca90191a8cbcdbf24511337a0ecf422d7fc8

Download Submit
memory/216-259-0x00007FFE35950000-0x00007FFE36411000-memory.dmp

Filesize
10.8MB

Download
memory/216-257-0x0000000000000000-mapping.dmp

Download
memory/628-320-0x0000000000000000-mapping.dmp

Download
memory/628-323-0x00000000010A0000-0x00000000010A2000-memory.dmp

Filesize
8KB

Download
memory/1080-283-0x00007FFE35950000-0x00007FFE36411000-memory.dmp

Filesize
10.8MB

Download
memory/1080-270-0x0000000000000000-mapping.dmp

Download
memory/1200-267-0x0000000000000000-mapping.dmp

Download
memory/1200-280-0x00007FFE35950000-0x00007FFE36411000-memory.dmp

Filesize
10.8MB

Download
memory/1768-147-0x0000000000000000-mapping.dmp

Download
memory/1768-157-0x000002A5A86E0000-0x000002A5A8702000-memory.dmp

Filesize
136KB

Download
memory/1768-195-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/1768-158-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/1808-276-0x0000000000000000-mapping.dmp

Download
memory/1868-281-0x00007FFE35950000-0x00007FFE36411000-memory.dmp

Filesize
10.8MB

Download
memory/1868-268-0x0000000000000000-mapping.dmp

Download
memory/2000-159-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/2000-146-0x0000000000000000-mapping.dmp

Download
memory/2000-191-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/2696-274-0x0000000000000000-mapping.dmp

Download
memory/2724-271-0x0000000000000000-mapping.dmp

Download
memory/2744-187-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/2744-170-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/2744-154-0x0000000000000000-mapping.dmp

Download
memory/3112-132-0x00000000008D0000-0x0000000000DC4000-memory.dmp

Filesize
5.0MB

Download
memory/3112-144-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/3112-171-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/3112-133-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/3112-134-0x0000000002F10000-0x0000000002F60000-memory.dmp

Filesize
320KB

Download
memory/3112-135-0x000000001D620000-0x000000001DB48000-memory.dmp

Filesize
5.2MB

Download
memory/3432-264-0x0000000000000000-mapping.dmp

Download
memory/3496-140-0x0000000000000000-mapping.dmp

Download
memory/3496-141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3496-143-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3536-228-0x0000000000000000-mapping.dmp

Download
memory/3756-282-0x00007FFE35950000-0x00007FFE36411000-memory.dmp

Filesize
10.8MB

Download
memory/3756-269-0x0000000000000000-mapping.dmp

Download
memory/3840-328-0x0000000000000000-mapping.dmp

Download
memory/3932-233-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/3932-241-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/3932-215-0x0000000000000000-mapping.dmp

Download
memory/4056-163-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4056-190-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4056-150-0x0000000000000000-mapping.dmp

Download
memory/4060-162-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4060-151-0x0000000000000000-mapping.dmp

Download
memory/4060-192-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4136-324-0x0000000000000000-mapping.dmp

Download
memory/4216-136-0x0000000000000000-mapping.dmp

Download
memory/4216-139-0x0000000000D2B000-0x0000000000D31000-memory.dmp

Filesize
24KB

Download
memory/4220-172-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4220-155-0x0000000000000000-mapping.dmp

Download
memory/4220-197-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4312-161-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4312-149-0x0000000000000000-mapping.dmp

Download
memory/4312-193-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4540-196-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4540-156-0x0000000000000000-mapping.dmp

Download
memory/4540-173-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4612-189-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4612-169-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4612-153-0x0000000000000000-mapping.dmp

Download
memory/4660-145-0x0000000000000000-mapping.dmp

Download
memory/4660-194-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4660-164-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/4696-278-0x0000000000000000-mapping.dmp

Download
memory/5100-186-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5100-160-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5100-148-0x0000000000000000-mapping.dmp

Download
memory/5116-165-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5116-152-0x0000000000000000-mapping.dmp

Download
memory/5116-188-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5116-277-0x0000000000000000-mapping.dmp

Download
memory/5260-198-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5260-222-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5260-166-0x0000000000000000-mapping.dmp

Download
memory/5264-260-0x0000000000000000-mapping.dmp

Download
memory/5264-263-0x0000000001410000-0x0000000001413000-memory.dmp

Filesize
12KB

Download
memory/5492-225-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5492-217-0x0000000000000000-mapping.dmp

Download
memory/5492-256-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5540-273-0x0000000000000000-mapping.dmp

Download
memory/5544-219-0x0000000000000000-mapping.dmp

Download
memory/5572-286-0x0000000000000000-mapping.dmp

Download
memory/5680-199-0x0000000000000000-mapping.dmp

Download
memory/5740-202-0x0000000000000000-mapping.dmp

Download
memory/5764-253-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5764-218-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5764-204-0x0000000000000000-mapping.dmp

Download
memory/5788-216-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5788-206-0x0000000000000000-mapping.dmp

Download
memory/5788-244-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5828-220-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5828-252-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5828-207-0x0000000000000000-mapping.dmp

Download
memory/5856-254-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5856-208-0x0000000000000000-mapping.dmp

Download
memory/5856-221-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5872-327-0x0000000000000000-mapping.dmp

Download
memory/5876-248-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5876-209-0x0000000000000000-mapping.dmp

Download
memory/5876-223-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5912-229-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5912-234-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5912-210-0x0000000000000000-mapping.dmp

Download
memory/5944-239-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/5944-211-0x0000000000000000-mapping.dmp

Download
memory/5944-230-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/6016-272-0x0000000000000000-mapping.dmp

Download
memory/6016-284-0x00007FFE35950000-0x00007FFE36411000-memory.dmp

Filesize
10.8MB

Download
memory/6028-212-0x0000000000000000-mapping.dmp

Download
memory/6028-231-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/6028-236-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/6060-275-0x0000000000000000-mapping.dmp

Download
memory/6092-213-0x0000000000000000-mapping.dmp

Download
memory/6092-224-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/6092-243-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/6132-214-0x0000000000000000-mapping.dmp

Download
memory/6132-232-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download
memory/6132-246-0x00007FFE358D0000-0x00007FFE36391000-memory.dmp

Filesize
10.8MB

Download