dcrat | 815e613e725aeea4768051d514ff32771f971043566b3546bd60bd78b8ab5d92

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2023, 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fd02daf2ff34081162d522b24104e15.exe
Size

3.1MB
MD5

2fd02daf2ff34081162d522b24104e15
SHA1

23425727070610fe467db4c1bae8716c703b9500
SHA256

815e613e725aeea4768051d514ff32771f971043566b3546bd60bd78b8ab5d92
SHA512

0e4141ad308ae0b0bcd81a563e484e775f6225e91e68dd7ffe7972b56147df1bd36e68579515b6be0cc00c4274d16c5293df00eed5e5f4a9e67c28fd97f5ccd3
SSDEEP

49152:YxTVTFx3B6z7Q08ZkfCnUceiGcErH7hZs9JrDrIo9k33kRHaG+:6BFxQ7j88YUncBrDrR9k3eHaG+

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	176	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	4244	schtasks.exe	24
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	4244	schtasks.exe	24

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/5088-132-0x0000000000570000-0x000000000088C000-memory.dmp	dcrat
behavioral2/files/0x000700000002318e-168.dat	dcrat
behavioral2/files/0x000700000002318e-167.dat	dcrat
behavioral2/memory/5328-170-0x0000000000DA0000-0x00000000010BC000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	2fd02daf2ff34081162d522b24104e15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 1 IoCs

pid	Process
5328	fontdrvhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	ipinfo.io
62	ipinfo.io

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXAE40.tmp	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230214220219.pma	setup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\lsass.exe	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXB7CB.tmp	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\RCXC176.tmp	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files\Windows Mail\f3b6ecef712a24	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Windows Mail\RCX8EED.tmp	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\6203df4a6bafc7	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Uninstall Information\fontdrvhost.exe	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Windows Mail\spoolsv.exe	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXADB2.tmp	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\55b276f4edf653	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Windows Mail\RCX8F7A.tmp	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\56085415360792	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXB16E.tmp	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXB73E.tmp	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\lsass.exe	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bf884209-a3a0-467f-bc46-a1455a684cd6.tmp	setup.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXB0D1.tmp	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\taskhostw.exe	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files\Windows Defender\it-IT\taskhostw.exe	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files\Windows Defender\it-IT\ea9f0e6c9e2dcd	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\RCX9925.tmp	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Program Files\Windows Mail\spoolsv.exe	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\RCX9897.tmp	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\RCXC0E8.tmp	2fd02daf2ff34081162d522b24104e15.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\5b884080fd4f94	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Windows\fr-FR\RCXAB21.tmp	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Windows\fr-FR\fontdrvhost.exe	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXB4AC.tmp	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Windows\fr-FR\fontdrvhost.exe	2fd02daf2ff34081162d522b24104e15.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\5940a34987c991	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Windows\fr-FR\RCXAA93.tmp	2fd02daf2ff34081162d522b24104e15.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXB40F.tmp	2fd02daf2ff34081162d522b24104e15.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3880	schtasks.exe
5056	schtasks.exe
3272	schtasks.exe
1564	schtasks.exe
1676	schtasks.exe
212	schtasks.exe
1212	schtasks.exe
4732	schtasks.exe
2948	schtasks.exe
4156	schtasks.exe
4604	schtasks.exe
1268	schtasks.exe
2176	schtasks.exe
1568	schtasks.exe
5092	schtasks.exe
2172	schtasks.exe
1828	schtasks.exe
988	schtasks.exe
1764	schtasks.exe
1504	schtasks.exe
4712	schtasks.exe
1544	schtasks.exe
3296	schtasks.exe
1520	schtasks.exe
516	schtasks.exe
2012	schtasks.exe
4140	schtasks.exe
3476	schtasks.exe
5116	schtasks.exe
4336	schtasks.exe
4884	schtasks.exe
4656	schtasks.exe
4100	schtasks.exe
2028	schtasks.exe
1556	schtasks.exe
4448	schtasks.exe
1064	schtasks.exe
1468	schtasks.exe
2632	schtasks.exe
4528	schtasks.exe
208	schtasks.exe
1760	schtasks.exe
3504	schtasks.exe
3784	schtasks.exe
4364	schtasks.exe
1848	schtasks.exe
3668	schtasks.exe
3488	schtasks.exe
904	schtasks.exe
2680	schtasks.exe
176	schtasks.exe
4544	schtasks.exe
3560	schtasks.exe
4264	schtasks.exe
3424	schtasks.exe
4888	schtasks.exe
4132	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2fd02daf2ff34081162d522b24104e15.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
5088	2fd02daf2ff34081162d522b24104e15.exe
2684	powershell.exe
2684	powershell.exe
524	powershell.exe
524	powershell.exe
2888	powershell.exe
2888	powershell.exe
3972	powershell.exe
3972	powershell.exe
1656	powershell.exe
1656	powershell.exe
4008	powershell.exe
4008	powershell.exe
3404	powershell.exe
3404	powershell.exe
548	powershell.exe
548	powershell.exe
4248	powershell.exe
4248	powershell.exe
3124	powershell.exe
3124	powershell.exe
1700	powershell.exe
1700	powershell.exe
4092	powershell.exe
4092	powershell.exe
4176	powershell.exe
4176	powershell.exe
3412	powershell.exe
3412	powershell.exe
3172	powershell.exe
3172	powershell.exe
3056	powershell.exe
3056	powershell.exe
208	powershell.exe
208	powershell.exe
2172	powershell.exe
2172	powershell.exe
1648	powershell.exe
1648	powershell.exe
3900	powershell.exe
3900	powershell.exe
2684	powershell.exe
2684	powershell.exe
524	powershell.exe
524	powershell.exe
2888	powershell.exe
2888	powershell.exe
3972	powershell.exe
3972	powershell.exe
1656	powershell.exe
1656	powershell.exe
4008	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5328	fontdrvhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	2fd02daf2ff34081162d522b24104e15.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	5328	fontdrvhost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 524	5088	2fd02daf2ff34081162d522b24104e15.exe	143
PID 5088 wrote to memory of 524	5088	2fd02daf2ff34081162d522b24104e15.exe	143
PID 5088 wrote to memory of 2684	5088	2fd02daf2ff34081162d522b24104e15.exe	145
PID 5088 wrote to memory of 2684	5088	2fd02daf2ff34081162d522b24104e15.exe	145
PID 5088 wrote to memory of 2888	5088	2fd02daf2ff34081162d522b24104e15.exe	154
PID 5088 wrote to memory of 2888	5088	2fd02daf2ff34081162d522b24104e15.exe	154
PID 5088 wrote to memory of 1656	5088	2fd02daf2ff34081162d522b24104e15.exe	153
PID 5088 wrote to memory of 1656	5088	2fd02daf2ff34081162d522b24104e15.exe	153
PID 5088 wrote to memory of 4008	5088	2fd02daf2ff34081162d522b24104e15.exe	148
PID 5088 wrote to memory of 4008	5088	2fd02daf2ff34081162d522b24104e15.exe	148
PID 5088 wrote to memory of 3404	5088	2fd02daf2ff34081162d522b24104e15.exe	149
PID 5088 wrote to memory of 3404	5088	2fd02daf2ff34081162d522b24104e15.exe	149
PID 5088 wrote to memory of 3972	5088	2fd02daf2ff34081162d522b24104e15.exe	150
PID 5088 wrote to memory of 3972	5088	2fd02daf2ff34081162d522b24104e15.exe	150
PID 5088 wrote to memory of 4248	5088	2fd02daf2ff34081162d522b24104e15.exe	155
PID 5088 wrote to memory of 4248	5088	2fd02daf2ff34081162d522b24104e15.exe	155
PID 5088 wrote to memory of 548	5088	2fd02daf2ff34081162d522b24104e15.exe	156
PID 5088 wrote to memory of 548	5088	2fd02daf2ff34081162d522b24104e15.exe	156
PID 5088 wrote to memory of 3124	5088	2fd02daf2ff34081162d522b24104e15.exe	157
PID 5088 wrote to memory of 3124	5088	2fd02daf2ff34081162d522b24104e15.exe	157
PID 5088 wrote to memory of 1700	5088	2fd02daf2ff34081162d522b24104e15.exe	160
PID 5088 wrote to memory of 1700	5088	2fd02daf2ff34081162d522b24104e15.exe	160
PID 5088 wrote to memory of 4176	5088	2fd02daf2ff34081162d522b24104e15.exe	170
PID 5088 wrote to memory of 4176	5088	2fd02daf2ff34081162d522b24104e15.exe	170
PID 5088 wrote to memory of 4092	5088	2fd02daf2ff34081162d522b24104e15.exe	169
PID 5088 wrote to memory of 4092	5088	2fd02daf2ff34081162d522b24104e15.exe	169
PID 5088 wrote to memory of 3412	5088	2fd02daf2ff34081162d522b24104e15.exe	164
PID 5088 wrote to memory of 3412	5088	2fd02daf2ff34081162d522b24104e15.exe	164
PID 5088 wrote to memory of 3172	5088	2fd02daf2ff34081162d522b24104e15.exe	165
PID 5088 wrote to memory of 3172	5088	2fd02daf2ff34081162d522b24104e15.exe	165
PID 5088 wrote to memory of 208	5088	2fd02daf2ff34081162d522b24104e15.exe	166
PID 5088 wrote to memory of 208	5088	2fd02daf2ff34081162d522b24104e15.exe	166
PID 5088 wrote to memory of 3056	5088	2fd02daf2ff34081162d522b24104e15.exe	175
PID 5088 wrote to memory of 3056	5088	2fd02daf2ff34081162d522b24104e15.exe	175
PID 5088 wrote to memory of 2172	5088	2fd02daf2ff34081162d522b24104e15.exe	178
PID 5088 wrote to memory of 2172	5088	2fd02daf2ff34081162d522b24104e15.exe	178
PID 5088 wrote to memory of 1648	5088	2fd02daf2ff34081162d522b24104e15.exe	177
PID 5088 wrote to memory of 1648	5088	2fd02daf2ff34081162d522b24104e15.exe	177
PID 5088 wrote to memory of 3900	5088	2fd02daf2ff34081162d522b24104e15.exe	181
PID 5088 wrote to memory of 3900	5088	2fd02daf2ff34081162d522b24104e15.exe	181
PID 5088 wrote to memory of 5328	5088	2fd02daf2ff34081162d522b24104e15.exe	183
PID 5088 wrote to memory of 5328	5088	2fd02daf2ff34081162d522b24104e15.exe	183
PID 5328 wrote to memory of 5388	5328	fontdrvhost.exe	185
PID 5328 wrote to memory of 5388	5328	fontdrvhost.exe	185
PID 5328 wrote to memory of 1996	5328	fontdrvhost.exe	186
PID 5328 wrote to memory of 1996	5328	fontdrvhost.exe	186
PID 5328 wrote to memory of 2084	5328	fontdrvhost.exe	189
PID 5328 wrote to memory of 2084	5328	fontdrvhost.exe	189
PID 2084 wrote to memory of 2388	2084	msedge.exe	190
PID 2084 wrote to memory of 2388	2084	msedge.exe	190
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193
PID 2084 wrote to memory of 5840	2084	msedge.exe	193

C:\Users\Admin\AppData\Local\Temp\2fd02daf2ff34081162d522b24104e15.exe
"C:\Users\Admin\AppData\Local\Temp\2fd02daf2ff34081162d522b24104e15.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2fd02daf2ff34081162d522b24104e15.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\es-ES\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\fontdrvhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\fontdrvhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Registry.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\sppsvc.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\it-IT\taskhostw.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Program Files\Uninstall Information\fontdrvhost.exe
  "C:\Program Files\Uninstall Information\fontdrvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5328
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0d654c5-62f2-49e9-b5fd-17b35f6c8f85.vbs"
    3⤵
    PID:5388
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6fc4ecb-a75a-4f57-9a96-e83cb586e3fa.vbs"
    3⤵
    PID:1996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13207/
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc67646f8,0x7ffbc6764708,0x7ffbc6764718
      4⤵
      PID:2388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:5840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      4⤵
      PID:4948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 /prefetch:8
      4⤵
      PID:4928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:1504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      PID:2800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 /prefetch:8
      4⤵
      PID:2960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
      4⤵
      PID:5852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5524 /prefetch:8
      4⤵
      PID:5092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
      4⤵
      PID:5056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff691f25460,0x7ff691f25470,0x7ff691f25480
        5⤵
        
        PID:3060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
      4⤵
      PID:5364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
      4⤵
      PID:1352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      4⤵
      PID:5436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
      4⤵
      PID:5268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
      4⤵
      PID:6024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
      4⤵
      PID:2816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,10919190882904263161,11883262835692687490,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
      4⤵
      PID:5476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\System\ado\es-ES\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ado\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\ado\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\it-IT\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\fontdrvhost.exe

Filesize
3.1MB

MD5
ef9637dc60a689077a6afb0f23218a00

SHA1
9d6dee32fb32586f8e6f22ece6d2cbf9744f894d

SHA256
814ccbe819be43339c5bffe1ba6a06d7901ff048b4f2dd9d0db158e501b7d9e5

SHA512
95b88a8a3c8a71c4ea7348bcbaa10d6d00819a6088b7d99e34837e999d4b8efe0c405f77c40cd6962b2c3f232b360d4d2c58c7bf8d9b9e882f3950f8648fcee5

Download Submit
C:\Program Files\Uninstall Information\fontdrvhost.exe

Filesize
3.1MB

MD5
ef9637dc60a689077a6afb0f23218a00

SHA1
9d6dee32fb32586f8e6f22ece6d2cbf9744f894d

SHA256
814ccbe819be43339c5bffe1ba6a06d7901ff048b4f2dd9d0db158e501b7d9e5

SHA512
95b88a8a3c8a71c4ea7348bcbaa10d6d00819a6088b7d99e34837e999d4b8efe0c405f77c40cd6962b2c3f232b360d4d2c58c7bf8d9b9e882f3950f8648fcee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6fc4ecb-a75a-4f57-9a96-e83cb586e3fa.vbs

Filesize
506B

MD5
9c0f04142694a0e02d12a97b288ed11a

SHA1
879ae9f40fd1eb8c641b16f093f8a7095464556c

SHA256
80c2a809dac8a00e3f740181a3ca04c27add0bd30b7d4331155345762011dac4

SHA512
1afbdb515687dd77564a61a695384ab30b53c897c25ba28393dba7375fd59f7511ce6aabc71eb0a754cf0bc59dda459fd553f8e38302ed60f1d3556577d6a243

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0d654c5-62f2-49e9-b5fd-17b35f6c8f85.vbs

Filesize
730B

MD5
4d3ffeb2547c6f30b3f89d33e2568b15

SHA1
1ccc4403927a2e65bc5943e0a542d2cbf6797a6b

SHA256
f6ad974d8bd2ed8a96c075762053dfc35d15cd7151f6e314b2b5a5f681759658

SHA512
9742179a74ae13965092a7deb5731ff853ed77cf1afe69f3a76395f1c92a61969a63e693590d2facfa9fec99f63c2abb13380d8aaec7136694c15b0229d08828

Download Submit
memory/208-176-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/208-205-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/524-192-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/524-158-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/548-165-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/548-211-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/1648-222-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/1648-178-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/1656-191-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/1656-161-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/1700-180-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/1700-216-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/2172-182-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/2172-223-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/2684-184-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/2684-159-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/2684-155-0x00000273D6B60000-0x00000273D6B82000-memory.dmp

Filesize
136KB

Download
memory/2888-160-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/2888-193-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3056-177-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3056-212-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3124-171-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3124-203-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3172-175-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3172-213-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3404-195-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3404-163-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3412-181-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3412-217-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3900-221-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3900-179-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3972-164-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/3972-190-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/4008-162-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/4008-198-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/4092-215-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/4092-173-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/4176-174-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/4176-210-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/4248-169-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/4248-199-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/5088-134-0x000000001CB50000-0x000000001CBA0000-memory.dmp

Filesize
320KB

Download
memory/5088-135-0x000000001D250000-0x000000001D778000-memory.dmp

Filesize
5.2MB

Download
memory/5088-172-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/5088-133-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/5088-136-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/5088-132-0x0000000000570000-0x000000000088C000-memory.dmp

Filesize
3.1MB

Download
memory/5328-170-0x0000000000DA0000-0x00000000010BC000-memory.dmp

Filesize
3.1MB

Download
memory/5328-183-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download
memory/5328-230-0x00007FFBCE250000-0x00007FFBCED11000-memory.dmp

Filesize
10.8MB

Download