dcrat | 70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

Analysis

max time kernel
42s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2023 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afb679b10d49b2052e1239c345dee646.exe
Size

3.0MB
MD5

afb679b10d49b2052e1239c345dee646
SHA1

5cc8ce5753431b0cc4901aa53d8489e37a91c672
SHA256

70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998
SHA512

14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967
SSDEEP

49152:hwQVR+A3rrXAafICZyKC5iEqpVJ2pfexGqjNJ8JrSwAca2R7TQALtMiTdUdvVSMt:hwQVP7x6iEgBxVr8lMfkT1DBUdvge9Gi

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	4324	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

afb679b10d49b2052e1239c345dee646.exeafb679b10d49b2052e1239c345dee646.exefontdrvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3064-132-0x0000000000A40000-0x0000000000D46000-memory.dmp	dcrat
C:\Recovery\WindowsRE\dllhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

fontdrvhost.exe

pid process

3408 fontdrvhost.exe

pid	process
3408	fontdrvhost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

afb679b10d49b2052e1239c345dee646.exeafb679b10d49b2052e1239c345dee646.exefontdrvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	afb679b10d49b2052e1239c345dee646.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	afb679b10d49b2052e1239c345dee646.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

afb679b10d49b2052e1239c345dee646.exeafb679b10d49b2052e1239c345dee646.exefontdrvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	afb679b10d49b2052e1239c345dee646.exe

Drops file in Program Files directory 25 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exeafb679b10d49b2052e1239c345dee646.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\afb679b10d49b2052e1239c345dee646.exe	afb679b10d49b2052e1239c345dee646.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\088424020bedd6	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows NT\taskhostw.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\sppsvc.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\upfc.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Java\dllhost.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Windows Mail\Idle.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\csrss.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\886983d96e3d3e	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows Mail\5b884080fd4f94	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\7-Zip\Lang\services.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Java\5940a34987c991	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\0a1fd5f707cd16	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\55b276f4edf653	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows NT\ea9f0e6c9e2dcd	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\7-Zip\Lang\c5b4cb5e9653cc	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ea1d8f6d871115	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Windows Mail\6ccacd8608530f	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\MSBuild\afb679b10d49b2052e1239c345dee646.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\MSBuild\32610baa705d49	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\32610baa705d49	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\conhost.exe	afb679b10d49b2052e1239c345dee646.exe

Drops file in Windows directory 6 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exe

description	ioc	process
File created	C:\Windows\INF\PNRPSvc\SearchApp.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\INF\PNRPSvc\38384e6a620884	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\LiveKernelReports\dllhost.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\LiveKernelReports\5940a34987c991	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\AppReadiness\StartMenuExperienceHost.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\AppReadiness\55b276f4edf653	afb679b10d49b2052e1239c345dee646.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4504	schtasks.exe
4744	schtasks.exe
4696	schtasks.exe
4828	schtasks.exe
3420	schtasks.exe
2088	schtasks.exe
204	schtasks.exe
3012	schtasks.exe
2932	schtasks.exe
4404	schtasks.exe
3296	schtasks.exe
960	schtasks.exe
1768	schtasks.exe
2528	schtasks.exe
4968	schtasks.exe
4940	schtasks.exe
3404	schtasks.exe
4748	schtasks.exe
4680	schtasks.exe
1188	schtasks.exe
112	schtasks.exe
4568	schtasks.exe
2856	schtasks.exe
2228	schtasks.exe
3988	schtasks.exe
4468	schtasks.exe
3252	schtasks.exe
1016	schtasks.exe
4968	schtasks.exe
3064	schtasks.exe
3484	schtasks.exe
5036	schtasks.exe
3472	schtasks.exe
2588	schtasks.exe
3772	schtasks.exe
3068	schtasks.exe
3660	schtasks.exe
4996	schtasks.exe
4108	schtasks.exe
4664	schtasks.exe
4356	schtasks.exe
1764	schtasks.exe
1804	schtasks.exe
1176	schtasks.exe
2400	schtasks.exe
4560	schtasks.exe
3820	schtasks.exe
4248	schtasks.exe
4116	schtasks.exe
4668	schtasks.exe
460	schtasks.exe
4208	schtasks.exe
4392	schtasks.exe
4588	schtasks.exe
3292	schtasks.exe
3412	schtasks.exe
732	schtasks.exe
3676	schtasks.exe
5100	schtasks.exe
2012	schtasks.exe
4480	schtasks.exe
4416	schtasks.exe
2424	schtasks.exe
4332	schtasks.exe

Modifies registry class 2 IoCs

Processes:

schtasks.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeschtasks.exeafb679b10d49b2052e1239c345dee646.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3064	afb679b10d49b2052e1239c345dee646.exe
3064	afb679b10d49b2052e1239c345dee646.exe
3064	afb679b10d49b2052e1239c345dee646.exe
3940	powershell.exe
4276	powershell.exe
3448	powershell.exe
3448	powershell.exe
4028	powershell.exe
4028	powershell.exe
2188	powershell.exe
2188	powershell.exe
624	powershell.exe
624	powershell.exe
5060	powershell.exe
5060	powershell.exe
2488	powershell.exe
2488	powershell.exe
4752	powershell.exe
4752	powershell.exe
3856	powershell.exe
3856	powershell.exe
4276	schtasks.exe
4276	schtasks.exe
3940	powershell.exe
3940	powershell.exe
4028
3448	powershell.exe
2188	powershell.exe
624	powershell.exe
2488	powershell.exe
5060	powershell.exe
3856	powershell.exe
4752	powershell.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
5064	afb679b10d49b2052e1239c345dee646.exe
1504	powershell.exe
1504	powershell.exe
2732	powershell.exe
2732	powershell.exe
1780	powershell.exe
1780	powershell.exe
3492	powershell.exe
3492	powershell.exe
3380	powershell.exe
3380	powershell.exe
3816	powershell.exe
3816	powershell.exe
2512	powershell.exe
2512	powershell.exe
4272	powershell.exe
4272	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeafb679b10d49b2052e1239c345dee646.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3064	afb679b10d49b2052e1239c345dee646.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	5064	afb679b10d49b2052e1239c345dee646.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	3408	fontdrvhost.exe
Token: SeDebugPrivilege	1764	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exeschtasks.execmd.exeafb679b10d49b2052e1239c345dee646.exe

description	pid	process	target process
PID 3064 wrote to memory of 3940	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 3940	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 4276	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 4276	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 2188	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 2188	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 3448	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 3448	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 4752	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 4752	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 4028	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 4028	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 2488	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 2488	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 5060	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 5060	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 624	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 624	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 3856	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 3856	3064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 3064 wrote to memory of 4872	3064	schtasks.exe	cmd.exe
PID 3064 wrote to memory of 4872	3064	schtasks.exe	cmd.exe
PID 4872 wrote to memory of 2676	4872	cmd.exe	w32tm.exe
PID 4872 wrote to memory of 2676	4872	cmd.exe	w32tm.exe
PID 4872 wrote to memory of 5064	4872	cmd.exe	afb679b10d49b2052e1239c345dee646.exe
PID 4872 wrote to memory of 5064	4872	cmd.exe	afb679b10d49b2052e1239c345dee646.exe
PID 5064 wrote to memory of 1504	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 1504	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 1780	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 1780	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 2732	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 2732	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 3380	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 3380	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 3492	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 3492	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 4272	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 4272	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 3816	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 3816	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 2512	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 2512	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 4240	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 4240	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 4528	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 4528	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 3008	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 3008	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 4760	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 4760	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 1412	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 1412	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 2228	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 2228	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 664	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 664	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 4568	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 4568	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 1764	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 1764	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 3296	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 3296	5064	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 5064 wrote to memory of 3408	5064	afb679b10d49b2052e1239c345dee646.exe	fontdrvhost.exe
PID 5064 wrote to memory of 3408	5064	afb679b10d49b2052e1239c345dee646.exe	fontdrvhost.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

afb679b10d49b2052e1239c345dee646.exeafb679b10d49b2052e1239c345dee646.exefontdrvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe
"C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\Idle.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\ja-JP\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\afb679b10d49b2052e1239c345dee646.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\afb679b10d49b2052e1239c345dee646.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AuxJqfrxDe.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe
"C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe"
3⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\.oracle_jre_usage\sppsvc.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\conhost.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\taskhostw.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\PNRPSvc\SearchApp.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\csrss.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\dllhost.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\dllhost.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\sppsvc.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\Registry.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\odt\fontdrvhost.exe
"C:\odt\fontdrvhost.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3408

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9206bdeb-13de-4d76-a166-c719c3255649.vbs"
5⤵
PID:5884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\015d9f72-2a68-4eb0-b8d2-996e317a4903.vbs"
5⤵
PID:5924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\StartMenuExperienceHost.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\upfc.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\services.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\ado\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ado\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\ado\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "afb679b10d49b2052e1239c345dee646a" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\afb679b10d49b2052e1239c345dee646.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "afb679b10d49b2052e1239c345dee646" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\afb679b10d49b2052e1239c345dee646.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "afb679b10d49b2052e1239c345dee646a" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\afb679b10d49b2052e1239c345dee646.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "afb679b10d49b2052e1239c345dee646a" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\afb679b10d49b2052e1239c345dee646.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "afb679b10d49b2052e1239c345dee646" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\afb679b10d49b2052e1239c345dee646.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "afb679b10d49b2052e1239c345dee646a" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\afb679b10d49b2052e1239c345dee646.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\.oracle_jre_usage\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\.oracle_jre_usage\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\.oracle_jre_usage\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\INF\PNRPSvc\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\INF\PNRPSvc\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\INF\PNRPSvc\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\sppsvc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\Registry.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\Registry.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\Registry.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 208 -ip 208
1⤵
PID:5208

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\5940a34987c991
Filesize
162B

MD5
4e5e0b7dfb1bfe7dc54f274da6df7cb1

SHA1
5cd378ae2e897582e649bc8a20486a7f156b236e

SHA256
ad72f5ed8966b7330ee05244298deb3d66bffd898afc9bfce97adad42647c984

SHA512
6c2e67b9365237f64dbd7aebc7740c88e03b4b9cdfc3b16c28750f1ab107f4fadcd0ba55c2fa706ad64797a4c23ed2efa7f6ce64aac7a34844ff52f58005ca8e

Download Submit
C:\Recovery\WindowsRE\dllhost.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\afb679b10d49b2052e1239c345dee646.exe.log
Filesize
1KB

MD5
655010c15ea0ca05a6e5ddcd84986b98

SHA1
120bf7e516aeed462c07625fbfcdab5124ad05d3

SHA256
2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14

SHA512
e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
df66851358945fb5123a2c3b00c893ad

SHA1
0f969495c179a6fefe84b127b11a9a3721881ce8

SHA256
7b87e7fc2f0b3fc06e0fd88d075d982aaaeea224200183bb9ca724cfaa93a330

SHA512
6f7dcdd9ab49e7d95a9f4a29c7e223b59d1b03e6d9ee99d4ecf06e2b71f05e3fe1ccdd3ddd3ac397c6216b2f16507a3445080af4711c7cbf9f6d05b50a2323fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d172e372dcab22c18ba11abb01c1490b

SHA1
5586e51701498ef77144ba8099a69ab0705c51e2

SHA256
942acff2c24221236e8680721925ff29daba985b24acfed0f5258214696911e6

SHA512
04a39ea0a022dd085df37b175a491ba2ea72dca529ce4607ce7fa8a534e6f4fd099ed5c776be0a9f300da48d94809237bd8fd9d67354548a14f33ea1e5be86b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d172e372dcab22c18ba11abb01c1490b

SHA1
5586e51701498ef77144ba8099a69ab0705c51e2

SHA256
942acff2c24221236e8680721925ff29daba985b24acfed0f5258214696911e6

SHA512
04a39ea0a022dd085df37b175a491ba2ea72dca529ce4607ce7fa8a534e6f4fd099ed5c776be0a9f300da48d94809237bd8fd9d67354548a14f33ea1e5be86b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d172e372dcab22c18ba11abb01c1490b

SHA1
5586e51701498ef77144ba8099a69ab0705c51e2

SHA256
942acff2c24221236e8680721925ff29daba985b24acfed0f5258214696911e6

SHA512
04a39ea0a022dd085df37b175a491ba2ea72dca529ce4607ce7fa8a534e6f4fd099ed5c776be0a9f300da48d94809237bd8fd9d67354548a14f33ea1e5be86b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1139cd1d39138458ba9e9e2a0002cf2f

SHA1
9a9d31c01aebe036d72cc581a7493045ce355985

SHA256
802761bfb70ef242f113b453e1539c038b1024f6d415040d885a19a5f970f30c

SHA512
a9633895a87524ada2e0ac22aff0d09fb13aec2060ddb7cfbc420ad1e5db37c483b43c0fdfaead71335e0d7cc0cb0f2e9775938d97b619664d7f4460d8dbd0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bb187be56f87492fe5b5c4c20aaff78f

SHA1
cabdbadf2195e1d01607fdabd9669c959c0759c9

SHA256
227068bd9152463777654ec8fa3b3b0f54891d2ae1205db3463116e1bdddc0c1

SHA512
af9644a6daaf87abc97c7baefbbf18ed2a55e94e4922fcbfb9a2edbf2537c96c335572bd6790e4ce3f8a5907165ced6a5e84d50c1ed61ba1fe90c76e5e4607df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bb187be56f87492fe5b5c4c20aaff78f

SHA1
cabdbadf2195e1d01607fdabd9669c959c0759c9

SHA256
227068bd9152463777654ec8fa3b3b0f54891d2ae1205db3463116e1bdddc0c1

SHA512
af9644a6daaf87abc97c7baefbbf18ed2a55e94e4922fcbfb9a2edbf2537c96c335572bd6790e4ce3f8a5907165ced6a5e84d50c1ed61ba1fe90c76e5e4607df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bb187be56f87492fe5b5c4c20aaff78f

SHA1
cabdbadf2195e1d01607fdabd9669c959c0759c9

SHA256
227068bd9152463777654ec8fa3b3b0f54891d2ae1205db3463116e1bdddc0c1

SHA512
af9644a6daaf87abc97c7baefbbf18ed2a55e94e4922fcbfb9a2edbf2537c96c335572bd6790e4ce3f8a5907165ced6a5e84d50c1ed61ba1fe90c76e5e4607df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8dec19c2539dcc17ac88b3796045ed12

SHA1
2f6030676d8214e41a8e253c4b86b85924701d6d

SHA256
b518efdee07e243e5a1b954eac36964871774ca9390eba09bbbf624a07c40f7b

SHA512
eefa3c9938f19bb15d780c1a53223c8d5db9a70d966375297c52b47e1177c07855e15d96d9ac03faea19b8f26dc2d227bb018fb10f2b973398785ce12b16ccd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
646e31a47f8415e5ca40f6625074d5ae

SHA1
fc3f60573809294b4ae766039c27a63a058ec72c

SHA256
a6f85706f253384462a5120536ddbaa8a4bd1de5db80abcd72a01509f2772754

SHA512
94724b25cf36ee4d7ab6216649e8e4670c6b4df30ea6e2d54299586699f17141a195294a0c0585a51b7b5d2d96cae83d0275ce23c940df4db050b1370c669528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
174ee3eb2a195cb2fb7a08930e5e3d64

SHA1
83505b16e9deb08919ad4600502272c36f8270e8

SHA256
f3cf2d850fcd88530cc2d76f327749074f4da3f20230cedf62cd5f2dea77e814

SHA512
f9f0c64b36e92975ed0da80d3314773798e876e0adb5323155800ef7a1101a5f1ddca2a761c4488f15216010c03d81958c0bf2ec02213c7d0cb0f0b341c2fd24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
286f1df5a3008c8b4266a519326f1d51

SHA1
ce8a44e17ffc62f90af5120dcf312288471586c1

SHA256
509f6f942550eead6247a12cfda48268ff99e438fee902561dc9a5a0e180adb4

SHA512
89022aa82560719d862a1d49dbc0755278d78570fc18c9e6afe71f8acac084e8ffe4446563e26cfe3aceae8d867de902db9f65ff3b4eeb0dfd2c4d40c184a5c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
286f1df5a3008c8b4266a519326f1d51

SHA1
ce8a44e17ffc62f90af5120dcf312288471586c1

SHA256
509f6f942550eead6247a12cfda48268ff99e438fee902561dc9a5a0e180adb4

SHA512
89022aa82560719d862a1d49dbc0755278d78570fc18c9e6afe71f8acac084e8ffe4446563e26cfe3aceae8d867de902db9f65ff3b4eeb0dfd2c4d40c184a5c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
286f1df5a3008c8b4266a519326f1d51

SHA1
ce8a44e17ffc62f90af5120dcf312288471586c1

SHA256
509f6f942550eead6247a12cfda48268ff99e438fee902561dc9a5a0e180adb4

SHA512
89022aa82560719d862a1d49dbc0755278d78570fc18c9e6afe71f8acac084e8ffe4446563e26cfe3aceae8d867de902db9f65ff3b4eeb0dfd2c4d40c184a5c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
286f1df5a3008c8b4266a519326f1d51

SHA1
ce8a44e17ffc62f90af5120dcf312288471586c1

SHA256
509f6f942550eead6247a12cfda48268ff99e438fee902561dc9a5a0e180adb4

SHA512
89022aa82560719d862a1d49dbc0755278d78570fc18c9e6afe71f8acac084e8ffe4446563e26cfe3aceae8d867de902db9f65ff3b4eeb0dfd2c4d40c184a5c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
286f1df5a3008c8b4266a519326f1d51

SHA1
ce8a44e17ffc62f90af5120dcf312288471586c1

SHA256
509f6f942550eead6247a12cfda48268ff99e438fee902561dc9a5a0e180adb4

SHA512
89022aa82560719d862a1d49dbc0755278d78570fc18c9e6afe71f8acac084e8ffe4446563e26cfe3aceae8d867de902db9f65ff3b4eeb0dfd2c4d40c184a5c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d4b259805f4551077fbcc879c8937a83

SHA1
9e3ad573c7f530b578af7e97732d51b0e2e2963a

SHA256
e1c872206786549c3175018f9849c1a2a3f9de77e658f8399c35d482237f63bb

SHA512
5d70ca0114e03323201680ca6c702975aec289c75326b7a46e54e1799c4a11bcf33ec3d5baab293987a174c3502d53160c6e64cc5afc60f5193ba380a374f81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\015d9f72-2a68-4eb0-b8d2-996e317a4903.vbs
Filesize
474B

MD5
61f0fc3fc41d59a6d277b058f8bc6258

SHA1
2b20082b71b6da624a8d1a3c2354d89c5d3e9e8f

SHA256
44d98c70fdca1e175b3f53a689fef5e452c8e4dd63ed2448eb446644d82c281c

SHA512
5f5f08a51b3abe88184fb2cdfb31ad72d9f17f597080621ec8180a7eff3ab980435fe9b4c6d475576f1afb3807a37f904257d474ee55ae789bfff09026c14e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\9206bdeb-13de-4d76-a166-c719c3255649.vbs
Filesize
698B

MD5
6790b954445d763eaa6f6ba5c4c58797

SHA1
d0892ece06ef8e8348e30923778822b7d07d2d06

SHA256
f825477a199bcb814a054f322af5df7837a8f8922c28a3d6c13ec0a3bb9ef627

SHA512
2d361f7f0f5cbf3e9877796e48801074c634a5b38248323be727815d4777733595bb44bc6b994b1166538885f125ade4010da0841e1ad49189bda497e5a6d210

Download Submit
C:\Users\Admin\AppData\Local\Temp\AuxJqfrxDe.bat
Filesize
235B

MD5
9e2217e7ad3082ae20fa4e6f9f0dafb8

SHA1
9204d86c2f8e8ff6412da10ea4878ea48665040b

SHA256
44d7a089fd2ce9528e0d88c261d0390b3171ff5c123d17c22983f0c6a91179ee

SHA512
4bfd2fd78998cbe3a8bd6e7d1737165600f0f505bf045437dd94bcc8d632429031f5f79f7ad84086cc66b1016a9d6d845add0ada43dcb6e7c85d67b879c89d32

Download Submit
C:\odt\fontdrvhost.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\odt\fontdrvhost.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
memory/624-158-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/624-174-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/624-144-0x0000000000000000-mapping.dmp

Download
memory/664-264-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/664-227-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/664-200-0x0000000000000000-mapping.dmp

Download
memory/1412-255-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/1412-198-0x0000000000000000-mapping.dmp

Download
memory/1412-221-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/1504-208-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/1504-236-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/1504-186-0x0000000000000000-mapping.dmp

Download
memory/1764-225-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/1764-202-0x0000000000000000-mapping.dmp

Download
memory/1780-187-0x0000000000000000-mapping.dmp

Download
memory/1780-209-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/1780-239-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2188-138-0x0000000000000000-mapping.dmp

Download
memory/2188-176-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2188-152-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2228-222-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2228-199-0x0000000000000000-mapping.dmp

Download
memory/2228-260-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2488-155-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2488-142-0x0000000000000000-mapping.dmp

Download
memory/2488-180-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2512-245-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2512-193-0x0000000000000000-mapping.dmp

Download
memory/2512-217-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2676-156-0x0000000000000000-mapping.dmp

Download
memory/2732-234-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2732-204-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/2732-188-0x0000000000000000-mapping.dmp

Download
memory/3008-252-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3008-196-0x0000000000000000-mapping.dmp

Download
memory/3008-220-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3064-135-0x000000001D600000-0x000000001DB28000-memory.dmp

Filesize
5.2MB

Download
memory/3064-132-0x0000000000A40000-0x0000000000D46000-memory.dmp

Filesize
3.0MB

Download
memory/3064-134-0x000000001CFF0000-0x000000001D040000-memory.dmp

Filesize
320KB

Download
memory/3064-133-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3064-149-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3296-226-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3296-263-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3296-203-0x0000000000000000-mapping.dmp

Download
memory/3380-189-0x0000000000000000-mapping.dmp

Download
memory/3380-211-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3380-243-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3408-205-0x0000000000000000-mapping.dmp

Download
memory/3408-224-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3448-139-0x0000000000000000-mapping.dmp

Download
memory/3448-168-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3448-153-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3492-238-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3492-212-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3492-190-0x0000000000000000-mapping.dmp

Download
memory/3816-214-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3816-192-0x0000000000000000-mapping.dmp

Download
memory/3816-241-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3856-145-0x0000000000000000-mapping.dmp

Download
memory/3856-175-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3856-160-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3940-148-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/3940-146-0x0000020A7E150000-0x0000020A7E172000-memory.dmp

Filesize
136KB

Download
memory/3940-136-0x0000000000000000-mapping.dmp

Download
memory/3940-164-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4028-141-0x0000000000000000-mapping.dmp

Download
memory/4028-154-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4028-173-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4240-247-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4240-194-0x0000000000000000-mapping.dmp

Download
memory/4240-218-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4272-191-0x0000000000000000-mapping.dmp

Download
memory/4272-215-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4272-248-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4276-150-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4276-163-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4276-137-0x0000000000000000-mapping.dmp

Download
memory/4528-195-0x0000000000000000-mapping.dmp

Download
memory/4528-250-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4528-216-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4568-223-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4568-262-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4568-201-0x0000000000000000-mapping.dmp

Download
memory/4752-157-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4752-178-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4752-140-0x0000000000000000-mapping.dmp

Download
memory/4760-219-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4760-197-0x0000000000000000-mapping.dmp

Download
memory/4760-256-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/4872-147-0x0000000000000000-mapping.dmp

Download
memory/5060-143-0x0000000000000000-mapping.dmp

Download
memory/5060-169-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/5060-159-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/5064-183-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/5064-210-0x00007FF8B3180000-0x00007FF8B3C41000-memory.dmp

Filesize
10.8MB

Download
memory/5064-181-0x0000000000000000-mapping.dmp

Download
memory/5884-228-0x0000000000000000-mapping.dmp

Download
memory/5924-229-0x0000000000000000-mapping.dmp

Download