dcrat | 5f1fa1d46b0a90a855db5a2b0100ae83164fc1168587373a2b62ee22f75cbe54

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2023 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
Size

215KB
MD5

64e1d7ec7103d1a04029c4db2941a8d3
SHA1

706a486a113041efd175ed05bf86fd5aad67083f
SHA256

10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f
SHA512

b38c7104b5406ef1ef212637c7bf201e182359f5bed078ca9718ebfbf0ed5f59927a612ce422e7eab692c591c9089c8c3231f49966e75e28af7c2ff0f675277d
SSDEEP

3072:paUIvLUh91b504gy5kJM0yD1h52aNfC6YQGJ58ZdIqxQYzEVb:sUwLk91sZyphoaNfLYrJ58FFzyb

Score

10^/10

dcrat redline smokeloader 02-700-2 2023 backdoor infostealer rat themida trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

2023

Extracted

Family

smokeloader

Version

2022

http://c3g6gx853u6j.xyz/

http://04yh16065cdi.xyz/

http://33qd2w560vnx.xyz/

http://neriir0f76gr.com/

http://b4y08hrp3jdb.com/

http://swp6fbywla09.com/

http://7iqt53dr345u.com/

http://mj4aj8r55mho.com/

http://ne4ym7bjn1ts.com/

rc4.i32

Extracted

Family

redline

Botnet

02-700-2

167.235.133.96:43849

Attributes

auth_value
8af50b3310e79fa317eef66b1e92900f

Extracted

Family

redline

37.220.87.13:40676

Attributes

auth_value
867b4fb099bee5476c9e3f8bc16937ad

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	1416	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	1416	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 24 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2608-223-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-222-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-226-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-231-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-235-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-237-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-239-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-241-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-246-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-249-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-254-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-257-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-271-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-273-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-275-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-263-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-277-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-283-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-281-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-285-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-288-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-290-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-293-0x0000000004C80000-0x0000000004CBE000-memory.dmp	family_redline
behavioral2/memory/2608-1011-0x0000000004E40000-0x0000000004E50000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4008-1565-0x0000000000400000-0x0000000000528000-memory.dmp	dcrat

Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

69F5.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation 69F5.exe
Executes dropped EXE 7 IoCs

Processes:

69F5.exe76A8.exe7B3D.exe803F.exeEngine.exe8754.exe8C47.exe

pid process

748 69F5.exe
3524 76A8.exe
4020 7B3D.exe
2608 803F.exe
3656 Engine.exe
4992 8754.exe
4012 8C47.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	69F5.exe

pid	process
748	69F5.exe
3524	76A8.exe
4020	7B3D.exe
2608	803F.exe
3656	Engine.exe
4992	8754.exe
4012	8C47.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A9B3.exe	themida
C:\Users\Admin\AppData\Local\Temp\A9B3.exe	themida
behavioral2/memory/644-937-0x0000000000160000-0x0000000000638000-memory.dmp	themida
behavioral2/memory/644-1041-0x0000000000160000-0x0000000000638000-memory.dmp	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\Engine.exe	upx
behavioral2/memory/3656-227-0x0000000000400000-0x00000000005AA000-memory.dmp	upx
behavioral2/memory/3656-1004-0x0000000000400000-0x00000000005AA000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1284 3464 WerFault.exe B359.exe
400 2608 WerFault.exe 803F.exe

pid	pid_target	process	target process
1284	3464	WerFault.exe	B359.exe
400	2608	WerFault.exe	803F.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
5104	schtasks.exe
4232	schtasks.exe
5104	schtasks.exe
2432	schtasks.exe
2556	schtasks.exe
4320	schtasks.exe
4208	schtasks.exe
1968	schtasks.exe
2188	schtasks.exe
1700	schtasks.exe
3792	schtasks.exe
4948	schtasks.exe
5076	schtasks.exe
656	schtasks.exe
3844	schtasks.exe
1872	schtasks.exe
4620	schtasks.exe
4236	schtasks.exe
1284	schtasks.exe
4180	schtasks.exe
3612	schtasks.exe
4300	schtasks.exe
1728	schtasks.exe
2320	schtasks.exe
2348	schtasks.exe
1484	schtasks.exe
2460	schtasks.exe
3452	schtasks.exe
4608	schtasks.exe
1768	schtasks.exe
4060	schtasks.exe
1456	schtasks.exe
1412	schtasks.exe
4744	schtasks.exe
3392	schtasks.exe
2876	schtasks.exe
4020	schtasks.exe
4228	schtasks.exe
3184	schtasks.exe
3172	schtasks.exe
4608	schtasks.exe
3128	schtasks.exe
2600	schtasks.exe
1976	schtasks.exe
3852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe

pid	process
412	10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
412	10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144
3144

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3144
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe

pid process

412 10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe

pid	process
3144

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exe803F.exe

description	pid	process
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeShutdownPrivilege	3144
Token: SeCreatePagefilePrivilege	3144
Token: SeShutdownPrivilege	3144
Token: SeCreatePagefilePrivilege	3144
Token: SeDebugPrivilege	2608	803F.exe
Token: SeShutdownPrivilege	3144
Token: SeCreatePagefilePrivilege	3144
Token: SeShutdownPrivilege	3144
Token: SeCreatePagefilePrivilege	3144
Token: SeShutdownPrivilege	3144
Token: SeCreatePagefilePrivilege	3144

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

69F5.exe76A8.exeEngine.exeCmD.exe

description	pid	process	target process
PID 3144 wrote to memory of 748	3144		69F5.exe
PID 3144 wrote to memory of 748	3144		69F5.exe
PID 748 wrote to memory of 2324	748	69F5.exe	powershell.exe
PID 748 wrote to memory of 2324	748	69F5.exe	powershell.exe
PID 3144 wrote to memory of 3524	3144		76A8.exe
PID 3144 wrote to memory of 3524	3144		76A8.exe
PID 3144 wrote to memory of 3524	3144		76A8.exe
PID 3144 wrote to memory of 4020	3144		7B3D.exe
PID 3144 wrote to memory of 4020	3144		7B3D.exe
PID 3144 wrote to memory of 4020	3144		7B3D.exe
PID 3144 wrote to memory of 2608	3144		803F.exe
PID 3144 wrote to memory of 2608	3144		803F.exe
PID 3144 wrote to memory of 2608	3144		803F.exe
PID 3524 wrote to memory of 3656	3524	76A8.exe	Engine.exe
PID 3524 wrote to memory of 3656	3524	76A8.exe	Engine.exe
PID 3524 wrote to memory of 3656	3524	76A8.exe	Engine.exe
PID 3144 wrote to memory of 4992	3144		8754.exe
PID 3144 wrote to memory of 4992	3144		8754.exe
PID 3144 wrote to memory of 4992	3144		8754.exe
PID 3144 wrote to memory of 4012	3144		8C47.exe
PID 3144 wrote to memory of 4012	3144		8C47.exe
PID 3144 wrote to memory of 4012	3144		8C47.exe
PID 3656 wrote to memory of 4668	3656	Engine.exe	CmD.exe
PID 3656 wrote to memory of 4668	3656	Engine.exe	CmD.exe
PID 3656 wrote to memory of 4668	3656	Engine.exe	CmD.exe
PID 4668 wrote to memory of 5048	4668	CmD.exe	cmd.exe
PID 4668 wrote to memory of 5048	4668	CmD.exe	cmd.exe
PID 4668 wrote to memory of 5048	4668	CmD.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe
"C:\Users\Admin\AppData\Local\Temp\10cb7d010c57f2cb568f4451e7c0b201ffb86dd17bdeda36c0d1e9bc68bcf55f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:412

C:\Users\Admin\AppData\Local\Temp\69F5.exe
C:\Users\Admin\AppData\Local\Temp\69F5.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Users\Admin\AppData\Local\Temp\69F5.exe
C:\Users\Admin\AppData\Local\Temp\69F5.exe
2⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\76A8.exe
C:\Users\Admin\AppData\Local\Temp\76A8.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524

C:\Users\Admin\AppData\Local\Temp\SETUP_32167\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\Engine.exe /TH_ID=_412 /OriginExe="C:\Users\Admin\AppData\Local\Temp\76A8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\CmD.exe
C:\Windows\system32\CmD.exe /c cmd < Celebrities
3⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\7B3D.exe
C:\Users\Admin\AppData\Local\Temp\7B3D.exe
1⤵
- Executes dropped EXE
PID:4020

C:\Users\Admin\AppData\Local\Temp\803F.exe
C:\Users\Admin\AppData\Local\Temp\803F.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1224
2⤵
- Program crash
PID:400

C:\Users\Admin\AppData\Local\Temp\8754.exe
C:\Users\Admin\AppData\Local\Temp\8754.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Users\Admin\AppData\Local\Temp\8C47.exe
C:\Users\Admin\AppData\Local\Temp\8C47.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Users\Admin\AppData\Local\Temp\8C47.exe
"{path}"
2⤵
PID:4008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'
3⤵
PID:4912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\sihost.exe'
3⤵
PID:4632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
3⤵
PID:1904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\76A8.exe'
3⤵
PID:2152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\System.exe'
3⤵
PID:4228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\dllhost.exe'
3⤵
PID:3788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\unsecapp.exe'
3⤵
PID:1048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\cmd.exe'
3⤵
PID:4724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
3⤵
PID:804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\dllhost.exe'
3⤵
PID:4120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'
3⤵
PID:5000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
3⤵
PID:4372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\en-US\backgroundTaskHost.exe'
3⤵
PID:2060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\conhost.exe'
3⤵
PID:3064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\shellbrd\RuntimeBroker.exe'
3⤵
PID:3952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8C47.exe'
3⤵
PID:2348

C:\Recovery\WindowsRE\System.exe
"C:\Recovery\WindowsRE\System.exe"
3⤵
PID:5280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\A9B3.exe
C:\Users\Admin\AppData\Local\Temp\A9B3.exe
1⤵
PID:644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
2⤵
PID:1960

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
2⤵
PID:3156

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:2060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
2⤵
PID:3064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:1820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:4608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:3816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:4036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:3904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:4056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:1640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:3792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
2⤵
PID:2272

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
2⤵
PID:4236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:4168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
2⤵
PID:3408

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:2912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\B359.exe
C:\Users\Admin\AppData\Local\Temp\B359.exe
1⤵
PID:3464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 256
2⤵
- Program crash
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3464 -ip 3464
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\B8E8.exe
C:\Users\Admin\AppData\Local\Temp\B8E8.exe
1⤵
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\D54B.exe
C:\Users\Admin\AppData\Local\Temp\D54B.exe
1⤵
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\shellbrd\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\shellbrd\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\en-US\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Help\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Templates\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Users\Admin\AppData\Local\Temp\2475.exe
C:\Users\Admin\AppData\Local\Temp\2475.exe
1⤵
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76A87" /sc MINUTE /mo 8 /tr "'C:\Windows\AppReadiness\76A8.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76A8" /sc ONLOGON /tr "'C:\Windows\AppReadiness\76A8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76A87" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\76A8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:628

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2608 -ip 2608
1⤵
PID:5064

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1232

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\System.exe
Filesize
1.1MB

MD5
381575becb66e3c53dfd1c498946cc7d

SHA1
e365815ad668bd6adbf6de37a35feb325dd9dd56

SHA256
c9f51801e6bdc8be950efbc69452a7491acd9f8ea4d7c61c0e4abde72bfd036e

SHA512
5792b236c8417169f3e792b3d2e7893b606234036f3df65650ccf4890ab6fe40b5c94baa44e8b1b21d514651dba74dcfcd9986fd5b33fb2ffeba672683c9acf4

Download Submit
C:\Recovery\WindowsRE\System.exe
Filesize
1.1MB

MD5
381575becb66e3c53dfd1c498946cc7d

SHA1
e365815ad668bd6adbf6de37a35feb325dd9dd56

SHA256
c9f51801e6bdc8be950efbc69452a7491acd9f8ea4d7c61c0e4abde72bfd036e

SHA512
5792b236c8417169f3e792b3d2e7893b606234036f3df65650ccf4890ab6fe40b5c94baa44e8b1b21d514651dba74dcfcd9986fd5b33fb2ffeba672683c9acf4

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8C47.exe.log
Filesize
1KB

MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2f996b44e71bcf8e9d9bd5ef2a96a963

SHA1
61a10fcfb7bad1271f7132c7491982a916489af0

SHA256
78d612ffa268c2871faf8e656889f9ec6475890ff2763410dbf434a343ad9a0d

SHA512
84815d678a672aa99d4834fa4c0a42089bec36da593caabc337dc66180a8ebd0131e65fb68ba645d3d68e80a5e7808e0dcf5b0ff1cb2a46786d532b088b44515

Download Submit
C:\Users\Admin\AppData\Local\Temp\2475.exe
Filesize
9.0MB

MD5
41e4f2606da2de646e84509d6f5613ba

SHA1
ef977a9e731a5179890ff49e9d74e5f2b852885c

SHA256
5af4253afb897e6068da48c5ad9e2ba547784afef9e8a05337194a719c37b96d

SHA512
4c5c6f89da3b1166958d169aa274a2b14b11fabb91dc88327a8f55b1894015817c59dd500b3771c42ddbf50cc3ab42c7d8c76dd5f5a69e585f36d67e04b87ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2475.exe
Filesize
9.0MB

MD5
41e4f2606da2de646e84509d6f5613ba

SHA1
ef977a9e731a5179890ff49e9d74e5f2b852885c

SHA256
5af4253afb897e6068da48c5ad9e2ba547784afef9e8a05337194a719c37b96d

SHA512
4c5c6f89da3b1166958d169aa274a2b14b11fabb91dc88327a8f55b1894015817c59dd500b3771c42ddbf50cc3ab42c7d8c76dd5f5a69e585f36d67e04b87ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5.exe
Filesize
2.5MB

MD5
3e83cfe5cd166c724ff586d9467c13f9

SHA1
159f4f7b658b7967babb83ffba43ce3c00ab76c0

SHA256
287590908ed9a89235fd66d1ee9b8feca0a560880bece04ee8f268103129a57e

SHA512
621c1d7e80a9660ca232c9487bdb343dfa80414bb0ffd05e9843b7fbb49308f150a6cb121b39318ee5b481d664d2f32057c8a890329f0c78dee3566f6dda3f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5.exe
Filesize
2.5MB

MD5
3e83cfe5cd166c724ff586d9467c13f9

SHA1
159f4f7b658b7967babb83ffba43ce3c00ab76c0

SHA256
287590908ed9a89235fd66d1ee9b8feca0a560880bece04ee8f268103129a57e

SHA512
621c1d7e80a9660ca232c9487bdb343dfa80414bb0ffd05e9843b7fbb49308f150a6cb121b39318ee5b481d664d2f32057c8a890329f0c78dee3566f6dda3f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F5.exe
Filesize
2.5MB

MD5
3e83cfe5cd166c724ff586d9467c13f9

SHA1
159f4f7b658b7967babb83ffba43ce3c00ab76c0

SHA256
287590908ed9a89235fd66d1ee9b8feca0a560880bece04ee8f268103129a57e

SHA512
621c1d7e80a9660ca232c9487bdb343dfa80414bb0ffd05e9843b7fbb49308f150a6cb121b39318ee5b481d664d2f32057c8a890329f0c78dee3566f6dda3f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\76A8.exe
Filesize
1.3MB

MD5
ce68dfe4ef88bf53f178b8b7ee785609

SHA1
b646886f0f6e93e2112a3642b92e2788665e5130

SHA256
b2251b1badf6c0834aa2e614ab51967272391a03fe2f1e585415c30d3076003e

SHA512
8ac4315cf5377f333e9ab784cc121eadf3b4d13eaa165a9485c12ea1293822fa5aa1b2719b1e972ce2507c2da5fbb6009279364c29b21c830d4c26fbd57788b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\76A8.exe
Filesize
1.3MB

MD5
ce68dfe4ef88bf53f178b8b7ee785609

SHA1
b646886f0f6e93e2112a3642b92e2788665e5130

SHA256
b2251b1badf6c0834aa2e614ab51967272391a03fe2f1e585415c30d3076003e

SHA512
8ac4315cf5377f333e9ab784cc121eadf3b4d13eaa165a9485c12ea1293822fa5aa1b2719b1e972ce2507c2da5fbb6009279364c29b21c830d4c26fbd57788b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B3D.exe
Filesize
102KB

MD5
19468026f92b3efcfc92b1a0c9f48913

SHA1
8ade3bc4c79febe87f74674a4d90499d55ba21a8

SHA256
d0f797a4e2020680e6462f761249f067e7a57007bb821aaf2fda9eba47cffd16

SHA512
4b033ab117d15f09b64aace17b2405c9373c70bd817019419332184529ccdbf80779d4d19704337965eac63400047b5c70ff9924bb440aa01ac8de467d1f53a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B3D.exe
Filesize
102KB

MD5
19468026f92b3efcfc92b1a0c9f48913

SHA1
8ade3bc4c79febe87f74674a4d90499d55ba21a8

SHA256
d0f797a4e2020680e6462f761249f067e7a57007bb821aaf2fda9eba47cffd16

SHA512
4b033ab117d15f09b64aace17b2405c9373c70bd817019419332184529ccdbf80779d4d19704337965eac63400047b5c70ff9924bb440aa01ac8de467d1f53a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\803F.exe
Filesize
289KB

MD5
addadd44a657d8f48cdfcb5c26e4219b

SHA1
3d97e85c6a087a9d78477434a67a8f7da7c7bc32

SHA256
a4655626303cc7aad16cf9c32ba02b74a5950c73a89d41757817bcb38da141eb

SHA512
936c5dd3698f646344a2bbe9a7ff6722c5a30056d387a8db01cdca090da4bf1ce0c5127a809f2ad5f7f24249b8ded32f5497974e65d7f0fa64f178270f9a77c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\803F.exe
Filesize
289KB

MD5
addadd44a657d8f48cdfcb5c26e4219b

SHA1
3d97e85c6a087a9d78477434a67a8f7da7c7bc32

SHA256
a4655626303cc7aad16cf9c32ba02b74a5950c73a89d41757817bcb38da141eb

SHA512
936c5dd3698f646344a2bbe9a7ff6722c5a30056d387a8db01cdca090da4bf1ce0c5127a809f2ad5f7f24249b8ded32f5497974e65d7f0fa64f178270f9a77c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8754.exe
Filesize
94KB

MD5
6d915d2dbf98f0287fffe0adaab5072b

SHA1
9d809517660900b2b0d35afb87af9dfb8075def6

SHA256
47c03341e3f5d390b2be49283e173ea75982c5a215954f65ea5219dae14da728

SHA512
d510bb7112367c71cb4c5195cdcffd5e5f4a0943c0d11a875b1ef48b2f6c68d63a8081e27b9b863282b5bd295a0e32d54ef5eec5cb771429e8d941a9a30314d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8754.exe
Filesize
94KB

MD5
6d915d2dbf98f0287fffe0adaab5072b

SHA1
9d809517660900b2b0d35afb87af9dfb8075def6

SHA256
47c03341e3f5d390b2be49283e173ea75982c5a215954f65ea5219dae14da728

SHA512
d510bb7112367c71cb4c5195cdcffd5e5f4a0943c0d11a875b1ef48b2f6c68d63a8081e27b9b863282b5bd295a0e32d54ef5eec5cb771429e8d941a9a30314d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C47.exe
Filesize
1.1MB

MD5
381575becb66e3c53dfd1c498946cc7d

SHA1
e365815ad668bd6adbf6de37a35feb325dd9dd56

SHA256
c9f51801e6bdc8be950efbc69452a7491acd9f8ea4d7c61c0e4abde72bfd036e

SHA512
5792b236c8417169f3e792b3d2e7893b606234036f3df65650ccf4890ab6fe40b5c94baa44e8b1b21d514651dba74dcfcd9986fd5b33fb2ffeba672683c9acf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C47.exe
Filesize
1.1MB

MD5
381575becb66e3c53dfd1c498946cc7d

SHA1
e365815ad668bd6adbf6de37a35feb325dd9dd56

SHA256
c9f51801e6bdc8be950efbc69452a7491acd9f8ea4d7c61c0e4abde72bfd036e

SHA512
5792b236c8417169f3e792b3d2e7893b606234036f3df65650ccf4890ab6fe40b5c94baa44e8b1b21d514651dba74dcfcd9986fd5b33fb2ffeba672683c9acf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C47.exe
Filesize
1.1MB

MD5
381575becb66e3c53dfd1c498946cc7d

SHA1
e365815ad668bd6adbf6de37a35feb325dd9dd56

SHA256
c9f51801e6bdc8be950efbc69452a7491acd9f8ea4d7c61c0e4abde72bfd036e

SHA512
5792b236c8417169f3e792b3d2e7893b606234036f3df65650ccf4890ab6fe40b5c94baa44e8b1b21d514651dba74dcfcd9986fd5b33fb2ffeba672683c9acf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9B3.exe
Filesize
4.8MB

MD5
629fba033405361a0a0c920e68a30ab2

SHA1
8a93812cd551e2e37edc62341d058f16be1afdce

SHA256
4f345ef4d0cf286195c436488c0bf90a23955213c42cdf4ecc50152ea0184288

SHA512
4e1c1cfce5b8bdab5f5a59fd332fe0b82b5998a827711bd43d82c03303696ab0f5d7673c264f6599d5ff637595f53c2a2fa327d7bce93ea2e1d354acc125a0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9B3.exe
Filesize
4.8MB

MD5
629fba033405361a0a0c920e68a30ab2

SHA1
8a93812cd551e2e37edc62341d058f16be1afdce

SHA256
4f345ef4d0cf286195c436488c0bf90a23955213c42cdf4ecc50152ea0184288

SHA512
4e1c1cfce5b8bdab5f5a59fd332fe0b82b5998a827711bd43d82c03303696ab0f5d7673c264f6599d5ff637595f53c2a2fa327d7bce93ea2e1d354acc125a0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\B359.exe
Filesize
1.1MB

MD5
04d57588bd47f5715c8ca6f3949a3c2e

SHA1
7507e0972c08c9bea98326e6acbf1cd43c4e003e

SHA256
7ccd9eab08691f78b9c6422f2b420e56b3639b35bba7522dc40bdd4f8993e3b3

SHA512
1cbc9c48772543ee3666967c80c73d01b63b348aae3706d9c979af82d3bc758d14815b5ed4b2bfd469d77ac9962b6a3495439ffd446b03f23020208961cd6df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\B359.exe
Filesize
1.1MB

MD5
04d57588bd47f5715c8ca6f3949a3c2e

SHA1
7507e0972c08c9bea98326e6acbf1cd43c4e003e

SHA256
7ccd9eab08691f78b9c6422f2b420e56b3639b35bba7522dc40bdd4f8993e3b3

SHA512
1cbc9c48772543ee3666967c80c73d01b63b348aae3706d9c979af82d3bc758d14815b5ed4b2bfd469d77ac9962b6a3495439ffd446b03f23020208961cd6df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8E8.exe
Filesize
237KB

MD5
b6ce3ca62dbe3be5817a5231eb56a624

SHA1
e64da1cd2fc838528930842ffc0e370ea2049ea5

SHA256
13ea9deef659665396675833d0ae5057dcd25d4059108fd19ac3b44b55a5267d

SHA512
a766dc989c441b29ee9a2cb19e2ac416209cb186c8d62e0d395d4ea5c9e0246b75a6d15431a7221be8e63e6342d7cf07bf961cd4d738efc01f86ced015010627

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8E8.exe
Filesize
237KB

MD5
b6ce3ca62dbe3be5817a5231eb56a624

SHA1
e64da1cd2fc838528930842ffc0e370ea2049ea5

SHA256
13ea9deef659665396675833d0ae5057dcd25d4059108fd19ac3b44b55a5267d

SHA512
a766dc989c441b29ee9a2cb19e2ac416209cb186c8d62e0d395d4ea5c9e0246b75a6d15431a7221be8e63e6342d7cf07bf961cd4d738efc01f86ced015010627

Download Submit
C:\Users\Admin\AppData\Local\Temp\D54B.exe
Filesize
6.0MB

MD5
102856ca9fd2bdaa182c91390b59348a

SHA1
36eac53629703b18aa1c5ebd1b36036c72cd44b2

SHA256
7a367543fbd9fb936375545586cc64932719c762236982287b9de09b489f1faa

SHA512
f9f4e6415ea924a61b1d70c9ece201dd7661260fe249daf4261b121c28230b0399f109a21c7a09c53cb52c4ddb220e1a865ad325ed24fa26724f08496be87769

Download Submit
C:\Users\Admin\AppData\Local\Temp\D54B.exe
Filesize
6.0MB

MD5
102856ca9fd2bdaa182c91390b59348a

SHA1
36eac53629703b18aa1c5ebd1b36036c72cd44b2

SHA256
7a367543fbd9fb936375545586cc64932719c762236982287b9de09b489f1faa

SHA512
f9f4e6415ea924a61b1d70c9ece201dd7661260fe249daf4261b121c28230b0399f109a21c7a09c53cb52c4ddb220e1a865ad325ed24fa26724f08496be87769

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\00000#Autos
Filesize
107KB

MD5
ef3d3608242de331da4ae4d929f20e28

SHA1
ba4b8aeb2e66fadfb06c695ab62def2d50420fae

SHA256
7251ed7efdd74375ee6dc1e542065bf64555197c628b4e2accf28fd91bc313b6

SHA512
632dbc4f6bb04764efa3ab08b12bcf05b5a82719315aa6d1655014f88728e3b199a4a1c9f1afc4d0e421a5022f3f5b2654cfa3154657dda7c600e33a8f5ca959

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\00001#Browsing
Filesize
141KB

MD5
07dbf4008e3f88198e601990cee1f905

SHA1
5959fa8c5af959ccb96b13a3e15052424ad070de

SHA256
0abc5e073e61517f9a3e994678c22a95660f9155e812a12743af5852d3d071e9

SHA512
b1b709a7bd81908de13c8273880ed1bcaf1df4fff8b1800461eeb5a7df90c7688aeb095fbfc42659d9ac828c6ab61f520c505cc06de3daf1247b184d7fb1333b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\00002#Celebrities
Filesize
15KB

MD5
4b6173c22f19fa627b28ddfe3ec05eef

SHA1
289b296193c74ec6ab9d2c92cfed2216094b3b46

SHA256
c00627289be228b22953cb31558a2ecb7719fa0a84c70b68add6007c80ce7acb

SHA512
518055b74071b2b4f41cc1dd26600270dc8cbe6772b182e2f5446d9d0dd3f8e1ba30d25bbbe78e6f87348b2fa6bb9c5ef0ee0cfa1adce3ac884fff91f28a76d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\00003#Dentists
Filesize
21KB

MD5
982d8fc7ac11e89f155182faf494422f

SHA1
c18d3e258517cef1b442b2628f00065c95fb5011

SHA256
96888f4f7a7097b9b5d1ba81fd9dbbf142009379ad60582c9c5dedd949d3edce

SHA512
57c45a64f3047c6d4f7d2c30eb400b3951638060944f6cdfaec0f2672d74f8f4fc4d25903e21a5c84461f7bf24ea7b5047488812513a0c9e53e786c1f886386e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\00004#Distinction
Filesize
172KB

MD5
5e086ed549d59d23a3e6b5dec3538fba

SHA1
3a4bef894c09d41e22edffcd21aed04ab46c8507

SHA256
365a000285b27c5a41b1c379028886d4ab5fd7c964314520c68cc8097aa84636

SHA512
4ca5a63c6c64fff387a4088c7098da09ac75cc6c11f95b66b3142e61b889a5282357009eb2049bea18b0552bd929217d4f5cea3c54b1488c0a8fa3fc7a237099

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\00005#Framed
Filesize
174KB

MD5
6aecfea8e1508bb4c7e3ec0ae8e90e71

SHA1
7f25abd0ed12079f3648c4aa7a9d026c5556f420

SHA256
c5241bec4d713325c1f00aed8aa62ce379af714a8f4363aea47c56cc010ed10f

SHA512
d351cfe54b8e8fee665f9ff68b2d997f39fa3c7c3ffde6b3fae71569ca48c98452267c935208223c8f57129d3b1918fb46590c4c4107b4bccca08b99ebe9d535

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\00006#Need
Filesize
145KB

MD5
f4571635decadcedec7bef8dc28b8869

SHA1
d1c6918fce9b6f240ece631ea4f755a891fb0d7e

SHA256
22ae1a4ec1ca40e25307be9cff70463874945798ee84170508000fc862859c03

SHA512
d69898947b1c902804a288eae44bd5249220714db92233f7393fae21ebf0c831a0b51facdbe096c4fb1cfac8c97fc867e7741289a381d57eab1e1482a1a62c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\00007#Omaha
Filesize
7KB

MD5
e7d95daabea0fa0b1d95060efebc8077

SHA1
1045f6428cde8cc90845c3cc70283384dd977fe3

SHA256
c26c586deedef69498c0b93aef9729ab39c7f655820398ee74e85524e9842a29

SHA512
aef4e8bd9f4ece1b9de101f7b0b8fc5b82e54c2c697cf8a96aaf96a6327016f954830e871e5e8c467d7c90c880f54066ee16ead5ef919f55d594b66f4eeaf0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\00008#Persons
Filesize
811KB

MD5
395f1c589ab35624a9381872243dbf2f

SHA1
d6244c39d1018190780db5ca4f1c71f0c3fc86f5

SHA256
5a78cbae50e40188ad7592099bfb7f6b56b645cec170fe21c67182dc2d15e142

SHA512
2894eebdb35b9db7ca73af9f30263a4baade150298875ea44ab63f925c15045a0c9a0d35532c422c1afe541314abadb1f61c42bfb981c4423782ec9eee946337

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\00009#Wanting
Filesize
158KB

MD5
9f749bab790169a58ab43e000e98f8e7

SHA1
9378249e111f6826defd2f5651ab7911e2257ae8

SHA256
5c3fa722de7e2b4448a925a5eef6337aa0cd6af1be7f9d1700165cb1443bd494

SHA512
42cfcbf50f4f2b2c9e0464ae164408ad2e15b35371933554aadae9dc02aeb772bd0eb4dceabd1467a8ebe951ee438bcb2505395714fcee25eb1758ed7dd19fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\Engine.exe
Filesize
649KB

MD5
52cf7043a1e833021bc58a1cc31e0e71

SHA1
f0047c9014b6103940a6d6cc883addb4b66b18fa

SHA256
493c9ef63b2d3f63f7e54a682d67a71b957aeaf055b4270f8c22d9819e2a5b3c

SHA512
4fec4011aaeccd5d9c5064eb279b0651e7024dcabdd2bec9e6f8084bf343c8297be54fff8f5937f0f0c448fc355676be0317956f8fd628026418dc052f3ee713

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\Engine.exe
Filesize
649KB

MD5
52cf7043a1e833021bc58a1cc31e0e71

SHA1
f0047c9014b6103940a6d6cc883addb4b66b18fa

SHA256
493c9ef63b2d3f63f7e54a682d67a71b957aeaf055b4270f8c22d9819e2a5b3c

SHA512
4fec4011aaeccd5d9c5064eb279b0651e7024dcabdd2bec9e6f8084bf343c8297be54fff8f5937f0f0c448fc355676be0317956f8fd628026418dc052f3ee713

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32167\Setup.txt
Filesize
2KB

MD5
9b3a791f304f1e5b9f5382a83912da88

SHA1
eac9fcf9c0a93783b35b28fc7c9b4f8a20264ec9

SHA256
7763b148c28a038d56156af454cd6315f7ef7a2c502990b29a7200f7a1f7bed1

SHA512
293baaf69e7a0b97b943433da9d242c7a5c1480a20dab18749580d296dfee117bfaa90780f9e701aaafc51093a795782d2405d716be9742dac4f0e6d58e9d793

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_15s5tonu.ulu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\Help\en-US\RCX426A.tmp
Filesize
1.1MB

MD5
ea79acd71ea76abc9c5adec8834048f1

SHA1
75580169b90016e37a223bedc8ae917417b56e3e

SHA256
3d95a8a4cdf155ea0ec2d0f8f31513ebed16e625118302dcacc9e4079c7668f9

SHA512
fead1716738f36df17aa5c9abdd06b13419bf5552da7643857406f6ca8993169e015862d238f8f34c5fcfda2c8b1ee3fa4196d5f212ad2ed14aba8dc4700d236

Download Submit
C:\Windows\Help\en-US\backgroundTaskHost.exe
Filesize
1.1MB

MD5
381575becb66e3c53dfd1c498946cc7d

SHA1
e365815ad668bd6adbf6de37a35feb325dd9dd56

SHA256
c9f51801e6bdc8be950efbc69452a7491acd9f8ea4d7c61c0e4abde72bfd036e

SHA512
5792b236c8417169f3e792b3d2e7893b606234036f3df65650ccf4890ab6fe40b5c94baa44e8b1b21d514651dba74dcfcd9986fd5b33fb2ffeba672683c9acf4

Download Submit
memory/412-134-0x0000000004780000-0x0000000004789000-memory.dmp

Filesize
36KB

Download
memory/412-136-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/644-934-0x0000000000160000-0x0000000000638000-memory.dmp

Filesize
4.8MB

Download
memory/644-956-0x000001C607930000-0x000001C60794E000-memory.dmp

Filesize
120KB

Download
memory/644-936-0x00007FFB00000000-0x00007FFB00002000-memory.dmp

Filesize
8KB

Download
memory/644-937-0x0000000000160000-0x0000000000638000-memory.dmp

Filesize
4.8MB

Download
memory/644-1041-0x0000000000160000-0x0000000000638000-memory.dmp

Filesize
4.8MB

Download
memory/644-943-0x000001C620BA0000-0x000001C620C16000-memory.dmp

Filesize
472KB

Download
memory/644-939-0x00007FFB00030000-0x00007FFB00031000-memory.dmp

Filesize
4KB

Download
memory/644-976-0x000001C607990000-0x000001C6079A0000-memory.dmp

Filesize
64KB

Download
memory/748-150-0x000001B24BE60000-0x000001B24BE70000-memory.dmp

Filesize
64KB

Download
memory/748-322-0x000001B24BE60000-0x000001B24BE70000-memory.dmp

Filesize
64KB

Download
memory/748-151-0x000001B24BD40000-0x000001B24BD62000-memory.dmp

Filesize
136KB

Download
memory/748-149-0x000001B249DE0000-0x000001B24A070000-memory.dmp

Filesize
2.6MB

Download
memory/836-1132-0x00000000057F0000-0x000000000580E000-memory.dmp

Filesize
120KB

Download
memory/836-1222-0x00000000065E0000-0x0000000006630000-memory.dmp

Filesize
320KB

Download
memory/836-1181-0x00000000069C0000-0x0000000006EEC000-memory.dmp

Filesize
5.2MB

Download
memory/836-1173-0x00000000062C0000-0x0000000006482000-memory.dmp

Filesize
1.8MB

Download
memory/836-1121-0x00000000058E0000-0x0000000005956000-memory.dmp

Filesize
472KB

Download
memory/836-1035-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2324-413-0x000001E29BB30000-0x000001E29BB40000-memory.dmp

Filesize
64KB

Download
memory/2324-163-0x000001E29BB30000-0x000001E29BB40000-memory.dmp

Filesize
64KB

Download
memory/2324-419-0x000001E29BB30000-0x000001E29BB40000-memory.dmp

Filesize
64KB

Download
memory/2324-416-0x000001E29BB30000-0x000001E29BB40000-memory.dmp

Filesize
64KB

Download
memory/2324-162-0x000001E29BB30000-0x000001E29BB40000-memory.dmp

Filesize
64KB

Download
memory/2324-161-0x000001E29BB30000-0x000001E29BB40000-memory.dmp

Filesize
64KB

Download
memory/2608-235-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-241-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-263-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-1844-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2608-1506-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2608-1008-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2608-254-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-277-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-249-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-283-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-281-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-285-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-246-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-218-0x0000000004E50000-0x00000000053F4000-memory.dmp

Filesize
5.6MB

Download
memory/2608-288-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-290-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-293-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-275-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-239-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-1011-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2608-273-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-271-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-237-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-1006-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2608-225-0x0000000000820000-0x000000000086B000-memory.dmp

Filesize
300KB

Download
memory/2608-257-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-230-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2608-232-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2608-231-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-228-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2608-226-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-223-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2608-222-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/2612-1087-0x0000000140000000-0x0000000140092000-memory.dmp

Filesize
584KB

Download
memory/2612-1110-0x0000023D2B680000-0x0000023D2B690000-memory.dmp

Filesize
64KB

Download
memory/2612-1466-0x0000023D2B680000-0x0000023D2B690000-memory.dmp

Filesize
64KB

Download
memory/3144-177-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-181-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-135-0x0000000000B20000-0x0000000000B36000-memory.dmp

Filesize
88KB

Download
memory/3144-173-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-189-0x0000000002EF0000-0x0000000002EFB000-memory.dmp

Filesize
44KB

Download
memory/3144-188-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/3144-183-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-182-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-168-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-174-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-172-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-180-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-179-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-171-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-176-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-175-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-178-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-169-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3144-170-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/3656-227-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3656-234-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3656-1004-0x0000000000400000-0x00000000005AA000-memory.dmp

Filesize
1.7MB

Download
memory/3656-1014-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3904-1209-0x0000000000640000-0x0000000000C52000-memory.dmp

Filesize
6.1MB

Download
memory/3904-1238-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4008-1565-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4008-1591-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/4012-255-0x0000000004D70000-0x0000000004E0C000-memory.dmp

Filesize
624KB

Download
memory/4012-250-0x0000000000380000-0x00000000004AC000-memory.dmp

Filesize
1.2MB

Download
memory/4012-1060-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4012-280-0x0000000004EB0000-0x0000000004F06000-memory.dmp

Filesize
344KB

Download
memory/4012-286-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4012-278-0x00000000027B0000-0x00000000027BA000-memory.dmp

Filesize
40KB

Download
memory/4992-221-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/4992-220-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/4992-219-0x0000000000CF0000-0x0000000000D0E000-memory.dmp

Filesize
120KB

Download
memory/5116-1340-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/5116-1030-0x0000000005530000-0x000000000563A000-memory.dmp

Filesize
1.0MB

Download
memory/5116-1028-0x00000000059C0000-0x0000000005FD8000-memory.dmp

Filesize
6.1MB

Download
memory/5116-1033-0x0000000005460000-0x0000000005472000-memory.dmp

Filesize
72KB

Download
memory/5116-1040-0x00000000054C0000-0x00000000054FC000-memory.dmp

Filesize
240KB

Download
memory/5116-1044-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/5116-1009-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download