dcrat | 7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f

max time kernel
1797s
max time network
1802s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
26/08/2023, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YammiBeta.exe
Size

1.1MB
MD5

6b5050c12abc27bad622f9af8ed7ebe3
SHA1

506be642a7d276c783bfd32a754a9bd1373abaea
SHA256

7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
SHA512

22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
SSDEEP

24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	164	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	164	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	712	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	712	schtasks.exe	75

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000800000001af6a-11.dat	dcrat
behavioral2/files/0x000800000001af6a-14.dat	dcrat
behavioral2/files/0x000700000001b00b-32.dat	dcrat
behavioral2/files/0x000700000001b00b-33.dat	dcrat
behavioral2/memory/1796-34-0x00000000007F0000-0x0000000000970000-memory.dmp	dcrat
behavioral2/files/0x000600000001b010-48.dat	dcrat
behavioral2/files/0x000700000001b00b-464.dat	dcrat
behavioral2/files/0x000700000001b044-675.dat	dcrat
behavioral2/files/0x000700000001b044-677.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3316	Loader.exe
1796	MsServerfont.exe
4504	MsServerfont.exe
5504	MsServerfont.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1884	YammiBeta.exe
1884	YammiBeta.exe
1884	YammiBeta.exe
1884	YammiBeta.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\3416ca5bd162c5	MsServerfont.exe
File created	C:\Program Files\Google\Chrome\SearchUI.exe	MsServerfont.exe
File created	C:\Program Files\Google\Chrome\dab4d89cac03ec	MsServerfont.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72	MsServerfont.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\MsServerfont.exe	MsServerfont.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\csrss.exe	MsServerfont.exe
File created	C:\Windows\Resources\spoolsv.exe	MsServerfont.exe
File created	C:\Windows\diagnostics\system\fontdrvhost.exe	MsServerfont.exe
File created	C:\Windows\tracing\ea9f0e6c9e2dcd	MsServerfont.exe
File created	C:\Windows\System\Speech\cmd.exe	MsServerfont.exe
File created	C:\Windows\Performance\WinSAT\dwm.exe	MsServerfont.exe
File created	C:\Windows\Performance\WinSAT\6cb0b6c459d5d3	MsServerfont.exe
File created	C:\Windows\LiveKernelReports\886983d96e3d3e	MsServerfont.exe
File created	C:\Windows\Resources\f3b6ecef712a24	MsServerfont.exe
File created	C:\Windows\tracing\taskhostw.exe	MsServerfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4116	schtasks.exe
1636	schtasks.exe
164	schtasks.exe
4836	schtasks.exe
3220	schtasks.exe
2868	schtasks.exe
2132	schtasks.exe
2104	schtasks.exe
4892	schtasks.exe
924	schtasks.exe
2504	schtasks.exe
4844	schtasks.exe
4180	schtasks.exe
1864	schtasks.exe
3492	schtasks.exe
1384	schtasks.exe
5072	schtasks.exe
4988	schtasks.exe
5092	schtasks.exe
2240	schtasks.exe
3512	schtasks.exe
2696	schtasks.exe
2416	schtasks.exe
1616	schtasks.exe
3664	schtasks.exe
2780	schtasks.exe
1952	schtasks.exe
3912	schtasks.exe
4156	schtasks.exe
1560	schtasks.exe
2852	schtasks.exe
4900	schtasks.exe
1448	schtasks.exe
4900	schtasks.exe
820	schtasks.exe
1956	schtasks.exe
4024	schtasks.exe
512	schtasks.exe
2188	schtasks.exe
3236	schtasks.exe
3384	schtasks.exe
4252	schtasks.exe
164	schtasks.exe
4264	schtasks.exe
2200	schtasks.exe
2104	schtasks.exe
1460	schtasks.exe
3356	schtasks.exe
212	schtasks.exe
1008	schtasks.exe
4120	schtasks.exe
1640	schtasks.exe
2180	schtasks.exe
844	schtasks.exe
4544	schtasks.exe
2876	schtasks.exe
4108	schtasks.exe
752	schtasks.exe
4316	schtasks.exe
4940	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings	MsServerfont.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1796	MsServerfont.exe
1548	powershell.exe
1548	powershell.exe
1456	powershell.exe
1456	powershell.exe
3780	powershell.exe
3780	powershell.exe
1624	powershell.exe
1624	powershell.exe
1740	powershell.exe
1740	powershell.exe
3652	powershell.exe
3652	powershell.exe
3896	powershell.exe
3896	powershell.exe
2632	powershell.exe
2632	powershell.exe
4236	powershell.exe
4236	powershell.exe
2984	powershell.exe
2984	powershell.exe
364	powershell.exe
364	powershell.exe
3380	powershell.exe
3380	powershell.exe
3780	powershell.exe
1548	powershell.exe
2984	powershell.exe
2632	powershell.exe
1456	powershell.exe
1624	powershell.exe
1740	powershell.exe
3652	powershell.exe
3896	powershell.exe
364	powershell.exe
3380	powershell.exe
4236	powershell.exe
3780	powershell.exe
2984	powershell.exe
1548	powershell.exe
2632	powershell.exe
1456	powershell.exe
364	powershell.exe
1740	powershell.exe
1624	powershell.exe
3652	powershell.exe
3380	powershell.exe
3896	powershell.exe
4236	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5504	MsServerfont.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	YammiBeta.exe
Token: SeDebugPrivilege	1796	MsServerfont.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeIncreaseQuotaPrivilege	3780	powershell.exe
Token: SeSecurityPrivilege	3780	powershell.exe
Token: SeTakeOwnershipPrivilege	3780	powershell.exe
Token: SeLoadDriverPrivilege	3780	powershell.exe
Token: SeSystemProfilePrivilege	3780	powershell.exe
Token: SeSystemtimePrivilege	3780	powershell.exe
Token: SeProfSingleProcessPrivilege	3780	powershell.exe
Token: SeIncBasePriorityPrivilege	3780	powershell.exe
Token: SeCreatePagefilePrivilege	3780	powershell.exe
Token: SeBackupPrivilege	3780	powershell.exe
Token: SeRestorePrivilege	3780	powershell.exe
Token: SeShutdownPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeSystemEnvironmentPrivilege	3780	powershell.exe
Token: SeRemoteShutdownPrivilege	3780	powershell.exe
Token: SeUndockPrivilege	3780	powershell.exe
Token: SeManageVolumePrivilege	3780	powershell.exe
Token: 33	3780	powershell.exe
Token: 34	3780	powershell.exe
Token: 35	3780	powershell.exe
Token: 36	3780	powershell.exe
Token: SeIncreaseQuotaPrivilege	2984	powershell.exe
Token: SeSecurityPrivilege	2984	powershell.exe
Token: SeTakeOwnershipPrivilege	2984	powershell.exe
Token: SeLoadDriverPrivilege	2984	powershell.exe
Token: SeSystemProfilePrivilege	2984	powershell.exe
Token: SeSystemtimePrivilege	2984	powershell.exe
Token: SeProfSingleProcessPrivilege	2984	powershell.exe
Token: SeIncBasePriorityPrivilege	2984	powershell.exe
Token: SeCreatePagefilePrivilege	2984	powershell.exe
Token: SeBackupPrivilege	2984	powershell.exe
Token: SeRestorePrivilege	2984	powershell.exe
Token: SeShutdownPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeSystemEnvironmentPrivilege	2984	powershell.exe
Token: SeRemoteShutdownPrivilege	2984	powershell.exe
Token: SeUndockPrivilege	2984	powershell.exe
Token: SeManageVolumePrivilege	2984	powershell.exe
Token: 33	2984	powershell.exe
Token: 34	2984	powershell.exe
Token: 35	2984	powershell.exe
Token: 36	2984	powershell.exe
Token: SeDebugPrivilege	4504	MsServerfont.exe
Token: SeIncreaseQuotaPrivilege	1548	powershell.exe
Token: SeSecurityPrivilege	1548	powershell.exe
Token: SeTakeOwnershipPrivilege	1548	powershell.exe
Token: SeLoadDriverPrivilege	1548	powershell.exe
Token: SeSystemProfilePrivilege	1548	powershell.exe
Token: SeSystemtimePrivilege	1548	powershell.exe
Token: SeProfSingleProcessPrivilege	1548	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1884	YammiBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 3316	1884	YammiBeta.exe	70
PID 1884 wrote to memory of 3316	1884	YammiBeta.exe	70
PID 1884 wrote to memory of 3316	1884	YammiBeta.exe	70
PID 3316 wrote to memory of 1188	3316	Loader.exe	71
PID 3316 wrote to memory of 1188	3316	Loader.exe	71
PID 3316 wrote to memory of 1188	3316	Loader.exe	71
PID 1188 wrote to memory of 4144	1188	WScript.exe	72
PID 1188 wrote to memory of 4144	1188	WScript.exe	72
PID 1188 wrote to memory of 4144	1188	WScript.exe	72
PID 4144 wrote to memory of 1796	4144	cmd.exe	74
PID 4144 wrote to memory of 1796	4144	cmd.exe	74
PID 1796 wrote to memory of 1548	1796	MsServerfont.exe	121
PID 1796 wrote to memory of 1548	1796	MsServerfont.exe	121
PID 1796 wrote to memory of 2632	1796	MsServerfont.exe	122
PID 1796 wrote to memory of 2632	1796	MsServerfont.exe	122
PID 1796 wrote to memory of 1624	1796	MsServerfont.exe	144
PID 1796 wrote to memory of 1624	1796	MsServerfont.exe	144
PID 1796 wrote to memory of 1456	1796	MsServerfont.exe	143
PID 1796 wrote to memory of 1456	1796	MsServerfont.exe	143
PID 1796 wrote to memory of 4236	1796	MsServerfont.exe	142
PID 1796 wrote to memory of 4236	1796	MsServerfont.exe	142
PID 1796 wrote to memory of 3652	1796	MsServerfont.exe	141
PID 1796 wrote to memory of 3652	1796	MsServerfont.exe	141
PID 1796 wrote to memory of 2984	1796	MsServerfont.exe	140
PID 1796 wrote to memory of 2984	1796	MsServerfont.exe	140
PID 1796 wrote to memory of 1740	1796	MsServerfont.exe	139
PID 1796 wrote to memory of 1740	1796	MsServerfont.exe	139
PID 1796 wrote to memory of 3780	1796	MsServerfont.exe	138
PID 1796 wrote to memory of 3780	1796	MsServerfont.exe	138
PID 1796 wrote to memory of 3896	1796	MsServerfont.exe	137
PID 1796 wrote to memory of 3896	1796	MsServerfont.exe	137
PID 1796 wrote to memory of 364	1796	MsServerfont.exe	136
PID 1796 wrote to memory of 364	1796	MsServerfont.exe	136
PID 1796 wrote to memory of 3380	1796	MsServerfont.exe	123
PID 1796 wrote to memory of 3380	1796	MsServerfont.exe	123
PID 1796 wrote to memory of 1648	1796	MsServerfont.exe	146
PID 1796 wrote to memory of 1648	1796	MsServerfont.exe	146
PID 1648 wrote to memory of 2780	1648	cmd.exe	164
PID 1648 wrote to memory of 2780	1648	cmd.exe	164
PID 1648 wrote to memory of 4504	1648	cmd.exe	148
PID 1648 wrote to memory of 4504	1648	cmd.exe	148
PID 4504 wrote to memory of 4508	4504	MsServerfont.exe	165
PID 4504 wrote to memory of 4508	4504	MsServerfont.exe	165
PID 4504 wrote to memory of 5084	4504	MsServerfont.exe	166
PID 4504 wrote to memory of 5084	4504	MsServerfont.exe	166
PID 4504 wrote to memory of 5128	4504	MsServerfont.exe	167
PID 4504 wrote to memory of 5128	4504	MsServerfont.exe	167
PID 4504 wrote to memory of 5136	4504	MsServerfont.exe	168
PID 4504 wrote to memory of 5136	4504	MsServerfont.exe	168
PID 4504 wrote to memory of 5144	4504	MsServerfont.exe	169
PID 4504 wrote to memory of 5144	4504	MsServerfont.exe	169
PID 4504 wrote to memory of 5152	4504	MsServerfont.exe	170
PID 4504 wrote to memory of 5152	4504	MsServerfont.exe	170
PID 4504 wrote to memory of 5160	4504	MsServerfont.exe	171
PID 4504 wrote to memory of 5160	4504	MsServerfont.exe	171
PID 4504 wrote to memory of 5168	4504	MsServerfont.exe	188
PID 4504 wrote to memory of 5168	4504	MsServerfont.exe	188
PID 4504 wrote to memory of 5180	4504	MsServerfont.exe	187
PID 4504 wrote to memory of 5180	4504	MsServerfont.exe	187
PID 4504 wrote to memory of 5188	4504	MsServerfont.exe	186
PID 4504 wrote to memory of 5188	4504	MsServerfont.exe	186
PID 4504 wrote to memory of 5200	4504	MsServerfont.exe	185
PID 4504 wrote to memory of 5200	4504	MsServerfont.exe	185
PID 4504 wrote to memory of 5208	4504	MsServerfont.exe	184

C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe
"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gbWziF9tIc.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        8⤵
        
        PID:4508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        8⤵
        
        PID:5084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        8⤵
        
        PID:5128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        8⤵
        
        PID:5136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        8⤵
        
        PID:5144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        8⤵
        
        PID:5152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        8⤵
        
        PID:5160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        8⤵
        
        PID:5208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        8⤵
        
        PID:5200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        8⤵
        
        PID:5188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        8⤵
        
        PID:5180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        8⤵
        
        PID:5168
        
        C:\Users\All Users\Microsoft OneDrive\setup\MsServerfont.exe
        
        "C:\Users\All Users\Microsoft OneDrive\setup\MsServerfont.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Oracle\Java\javapath\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\javapath\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Oracle\Java\javapath\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\tracing\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\MsServerfont.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfont" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\MsServerfont.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfont" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerfontM" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\MsServerfont.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Resources\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Public\Downloads\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft OneDrive\setup\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\ProgramData\Microsoft\winlogon.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MsServerfont.exe.log

Filesize
1KB

MD5
dc165da52c9ab2920b0130ff15992d1b

SHA1
9adc2325af7c2a2c4142d9dfdd62becb948882b6

SHA256
03027449eb7537e6e3bd1b435dd699ad8ced7b036cac426f5e87a774bed3b540

SHA512
a6aa4e4e1570822888c25ae6d2ded984f216509a2f185aa0adecc611da40e40afd3a74c507d22793fa4fe4a7189cc9add4d24eaf13d264cd3aa85ed234a0eb5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f8354e79919b551d8803ba9253ae50c

SHA1
5741db9a2c9cb3dde4b1cb2f39ca455dd0126ec9

SHA256
b3778c84888ab7b22473919cce130e7a4b1a41032c8752d94fc9c822006678aa

SHA512
a996e666bae609ee88f8e3e2c6a422b8cf5f0cf56e0128dc5b5da8dd8a6d5a15165580714181492969a97e07ad64a3edadc511397b1ccb2bd587909b2747cbfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f8354e79919b551d8803ba9253ae50c

SHA1
5741db9a2c9cb3dde4b1cb2f39ca455dd0126ec9

SHA256
b3778c84888ab7b22473919cce130e7a4b1a41032c8752d94fc9c822006678aa

SHA512
a996e666bae609ee88f8e3e2c6a422b8cf5f0cf56e0128dc5b5da8dd8a6d5a15165580714181492969a97e07ad64a3edadc511397b1ccb2bd587909b2747cbfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8db6c59c276929148c300f995f3da3a

SHA1
ff26efb375680bb5e98b67007a90da8f4d101632

SHA256
5be57a6a73b88b945d96019241e10de649213318cfcda32c6d9ea841d86f1122

SHA512
3bf2a1ccce22d2dabdc1cc222bb0721f2501038a9eb1e335f25fbe6a4022c0ceb36a9b012a447625075c6caccf56af4633250f67d7c642dcd55343cd58f9601c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ac0036cdb08633a4a1b3bd8e6d3b561

SHA1
c4d83c1baf4500aa0074a93b1979cf5c7e5dd03d

SHA256
d201b840bb0b24c8cd5a41fa1d018acbf92d5b64582b48e5bb8c6248da7fd881

SHA512
105abea29aff2707e58be0b490debb22a8d82eb18d05fe6a7561afc02ed9c78b4c4fbd9d7018780c0b3931397c029163f05be678fd2f2f009e8533a410f198aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8db6c59c276929148c300f995f3da3a

SHA1
ff26efb375680bb5e98b67007a90da8f4d101632

SHA256
5be57a6a73b88b945d96019241e10de649213318cfcda32c6d9ea841d86f1122

SHA512
3bf2a1ccce22d2dabdc1cc222bb0721f2501038a9eb1e335f25fbe6a4022c0ceb36a9b012a447625075c6caccf56af4633250f67d7c642dcd55343cd58f9601c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af5587648b5fa26b5c919be69af3473b

SHA1
327015e7294cc44c7d52b8b687dd2759b48c96da

SHA256
d0c4ac5bc5f7debfb22eef85c14cba0d2d94f4457ff9cbebb06516dcc50d6e13

SHA512
6f505b450a3fab2e5efc4cc7768cfb7d71be952020dff2a0ba45081dbaa2a770aee3eef0eda36d262e1d70203564556af43ff59c18372900c2b5cfdc271efc68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5a6b5dbdbcc20646d19dcf87dfc523c8

SHA1
6ca0f15d221c8a241e32b7aed729290318635706

SHA256
4e32cb660741183dccc56ac40f0603e27c7f250f0f4649693662ad80df9548a1

SHA512
f2e10f942ea79fc66472f5d07f0739ba4add438d79a6d8f1735eacf27b6304e3b44603117d3790e6177959c29dc0942d704427f462856db8d3eb75a97cb2cbd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5a6b5dbdbcc20646d19dcf87dfc523c8

SHA1
6ca0f15d221c8a241e32b7aed729290318635706

SHA256
4e32cb660741183dccc56ac40f0603e27c7f250f0f4649693662ad80df9548a1

SHA512
f2e10f942ea79fc66472f5d07f0739ba4add438d79a6d8f1735eacf27b6304e3b44603117d3790e6177959c29dc0942d704427f462856db8d3eb75a97cb2cbd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5a6b5dbdbcc20646d19dcf87dfc523c8

SHA1
6ca0f15d221c8a241e32b7aed729290318635706

SHA256
4e32cb660741183dccc56ac40f0603e27c7f250f0f4649693662ad80df9548a1

SHA512
f2e10f942ea79fc66472f5d07f0739ba4add438d79a6d8f1735eacf27b6304e3b44603117d3790e6177959c29dc0942d704427f462856db8d3eb75a97cb2cbd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb1585056c55d4e1b6b1d401e5c7a6f7

SHA1
ffb4407fb766dc15e9b15a59055b37694e04351d

SHA256
1f2fa3567d1119ab1967dad35e8b7b73827dfe1af4a441ffdcad432a6f34ad47

SHA512
d103f51ffc06d2994fa5ce8b59698773314527145e763fb12d92dbed7cb8d666b21621060cec08a23b94ccd7a38e94214e417058f92ad0ba02f4464367085cac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ce9a0eb6859659cd1851ccc56f995c6

SHA1
166db32340ffe6687df95b35ecd0f2685abbebb7

SHA256
8ca1de7331e2f866b552aec99e0778f4125cc84c601e0201186a39908ac6824f

SHA512
9eee542e1dfc950a0356c052870af5ef57cc609d647dbcfcdf16973bdf1ab53a07319660e01201f8a0282caec19d6ffd4b72cab35b69d8bff938cc8397a9e741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12906e1d79adae19cc190ec41cfc08c8

SHA1
d34540be80b19521d9959556771d6bb2683adafc

SHA256
5e45ddbcb455f3f4407f314b84d7f212bed64f34a221660f1326aa8f0978aa70

SHA512
495ef1a3d1918fb9cfbb5c8c33bf1ad4b5089b5f68cf0b39a18b9058f50a8c1ae2ecbb905a8d20b152960cfdba97d15f4ea30fb9e033416e34fec20b300a629d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12906e1d79adae19cc190ec41cfc08c8

SHA1
d34540be80b19521d9959556771d6bb2683adafc

SHA256
5e45ddbcb455f3f4407f314b84d7f212bed64f34a221660f1326aa8f0978aa70

SHA512
495ef1a3d1918fb9cfbb5c8c33bf1ad4b5089b5f68cf0b39a18b9058f50a8c1ae2ecbb905a8d20b152960cfdba97d15f4ea30fb9e033416e34fec20b300a629d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
44d499ea4f53b00de498b9d4a73e1413

SHA1
c96926306939f571728422769b251fd07b3f79cc

SHA256
13ff096ff97fb1fbd0d730f3f1372768e04c6e959b9db769ba1fd8c3c94da5c1

SHA512
0c44258f65949ab1eafa5af60b66a4689e94c5222e11fc35cf7768a56e300b6f2af449c5687e8e2e9d7f9c3802506c2b0ae2fba1e76943aed7c64ca22ba850bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d857072f03c741479ee0c5ee9110aa99

SHA1
0568a3aa25b28a31575c921b66f118e479a069b2

SHA256
bd238bdb7d66a604cd5697134d6db72bae5992c9196a86ea37374e9ae8781e76

SHA512
6deafdea0211d481e8f9d60358f92ad4ad3707929b72583306b410da82e020ededb3065033633e00316e422a8ba0524da466ef90cf6ee765f8ae3a39dc2553e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c99fce4602a175c3e957524d9a47dbf4

SHA1
0e3302c746f7fe0d93104b877f92fb163c900823

SHA256
eb5051a86e0787e0a66ce64d68b4264551581fb0c482579450ac39ae860d08f8

SHA512
b14a9c5adab73f7dd0a5ea3a06cc9acf8bde5ed81ac4a1cce82b2a203969abb143107078790eab8e85bf5b41ba4d7fbd436e1c5c0251ca2260d4c43fc8f5033a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c99fce4602a175c3e957524d9a47dbf4

SHA1
0e3302c746f7fe0d93104b877f92fb163c900823

SHA256
eb5051a86e0787e0a66ce64d68b4264551581fb0c482579450ac39ae860d08f8

SHA512
b14a9c5adab73f7dd0a5ea3a06cc9acf8bde5ed81ac4a1cce82b2a203969abb143107078790eab8e85bf5b41ba4d7fbd436e1c5c0251ca2260d4c43fc8f5033a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c41dbdd8a6ddf57f4c09e9d24f8feeb0

SHA1
11f15fb9b5c34af0e15a46ac58fc88d8e00492b0

SHA256
2c964658bf7c0f308334f4d7ccde05ea756b8671e237db78f83c6897ecb274d6

SHA512
efac93ecb7939f1134e42126418a62682ec57f15e01e6c7bab0585722b9aeada1b3d401e99d51d245bc526dd8e1aa6d48a28644c39399a45c884dd33d626feb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c41dbdd8a6ddf57f4c09e9d24f8feeb0

SHA1
11f15fb9b5c34af0e15a46ac58fc88d8e00492b0

SHA256
2c964658bf7c0f308334f4d7ccde05ea756b8671e237db78f83c6897ecb274d6

SHA512
efac93ecb7939f1134e42126418a62682ec57f15e01e6c7bab0585722b9aeada1b3d401e99d51d245bc526dd8e1aa6d48a28644c39399a45c884dd33d626feb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2d9d57d81ae5abe9884320288e61f602

SHA1
e00cf9f9cd59a06b75c03ab1ce871acbee8e23c3

SHA256
d5ba8ee5534160354c4f9fc9a08b2340b891a56218c56f17406fc70ff52e609e

SHA512
4626d3bfe41af880585a7d4a38f1e399c7abfc12b14fdf99c79463624f0b6123281ebde0df66c34274fcb933ec6863344442316ee5e366827398cc04aabebe65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d17d6ae65103f3697f6e3d424cfef71f

SHA1
9f929b507699e1022173dfeb10c078a913e80855

SHA256
e34586eb88daeef2ea0900b57f922d738a7be013494b68d6d10b0d8d62d4cd62

SHA512
34529fea6f91acc333fe117c0b4b15141047f4bb25cf0f37a258d2e4c0937b57ffd708cc3034ce67ad819e16a063a035fdf92e7e6af0bd3e7133ca867cf67fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CjAXshwZLO

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe

Filesize
214B

MD5
f246d91170758c560dcc804e79b689ce

SHA1
8e9820729c33e492c5d76722607a38379b1cbd38

SHA256
8558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665

SHA512
dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat

Filesize
37B

MD5
c87d31ff7b6bc8e971808bc819561137

SHA1
000f77a2d2596c87d3e2085ad74794b0627c034a

SHA256
738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872

SHA512
34d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijcdgibe.dom.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fE3ijSHxyQ

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbWziF9tIc.bat

Filesize
227B

MD5
04d7738f6792c42e091a68f79a58f914

SHA1
7d6a54d3ae7216fc95cabb1a9e19bd08b0ce52e2

SHA256
ede37795e6ac10c49e9515a9fd1b143408b1a6c4f34c29f86c434d0febe3357b

SHA512
d2e4de1e2cda53e95b141404dd171fccd22f5e21e337dedcfaf9c0bea5a8c448d349ef221c683a7759e11d435270035a81f2f0490366367e37dae9e3eccc9e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\jK89f7GHWs

Filesize
92KB

MD5
33ae79d3bcafa213e6c8073df86546c9

SHA1
15066de921825ef56bec973a27610ba83e092761

SHA256
3f23c06a927006a219dd96188e16aa7c27a41405bb6f999150e0a1d1fcc07a56

SHA512
52114cbfe517f144d7070244d0ea6d67e74a337eb04282020fec20789e1b7a02da955fa6c3f52708edb87938dc59f79708526c0811ef2d59598d2d0c0d3e6e99

Download Submit
C:\Users\All Users\Microsoft OneDrive\setup\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
memory/364-158-0x000001E499340000-0x000001E499350000-memory.dmp

Filesize
64KB

Download
memory/364-138-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/364-156-0x000001E499340000-0x000001E499350000-memory.dmp

Filesize
64KB

Download
memory/1456-151-0x000002A2018A0000-0x000002A2018B0000-memory.dmp

Filesize
64KB

Download
memory/1456-150-0x000002A2018A0000-0x000002A2018B0000-memory.dmp

Filesize
64KB

Download
memory/1456-131-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-83-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-140-0x0000026F6B560000-0x0000026F6B570000-memory.dmp

Filesize
64KB

Download
memory/1548-142-0x0000026F6B560000-0x0000026F6B570000-memory.dmp

Filesize
64KB

Download
memory/1624-147-0x0000020E7D820000-0x0000020E7D830000-memory.dmp

Filesize
64KB

Download
memory/1624-146-0x0000020E7D820000-0x0000020E7D830000-memory.dmp

Filesize
64KB

Download
memory/1624-119-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-153-0x000001C3920D0000-0x000001C3920E0000-memory.dmp

Filesize
64KB

Download
memory/1740-154-0x000001C3920D0000-0x000001C3920E0000-memory.dmp

Filesize
64KB

Download
memory/1740-133-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/1796-42-0x0000000002B00000-0x0000000002B0E000-memory.dmp

Filesize
56KB

Download
memory/1796-35-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/1796-34-0x00000000007F0000-0x0000000000970000-memory.dmp

Filesize
1.5MB

Download
memory/1796-36-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/1796-37-0x000000001B550000-0x000000001B56C000-memory.dmp

Filesize
112KB

Download
memory/1796-38-0x000000001BAD0000-0x000000001BB20000-memory.dmp

Filesize
320KB

Download
memory/1796-39-0x000000001BA80000-0x000000001BA96000-memory.dmp

Filesize
88KB

Download
memory/1796-40-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/1796-41-0x000000001BAA0000-0x000000001BAAC000-memory.dmp

Filesize
48KB

Download
memory/1796-43-0x0000000002B10000-0x0000000002B1E000-memory.dmp

Filesize
56KB

Download
memory/1796-44-0x0000000002B20000-0x0000000002B2A000-memory.dmp

Filesize
40KB

Download
memory/1796-45-0x0000000002B30000-0x0000000002B3C000-memory.dmp

Filesize
48KB

Download
memory/1796-130-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-0-0x0000000000EB0000-0x000000000122E000-memory.dmp

Filesize
3.5MB

Download
memory/1884-1-0x0000000000EB0000-0x000000000122E000-memory.dmp

Filesize
3.5MB

Download
memory/1884-2-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1884-3-0x00000000037A0000-0x00000000037B0000-memory.dmp

Filesize
64KB

Download
memory/1884-4-0x0000000000EB0000-0x000000000122E000-memory.dmp

Filesize
3.5MB

Download
memory/1884-6-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/1884-7-0x00000000037A0000-0x00000000037B0000-memory.dmp

Filesize
64KB

Download
memory/1884-24-0x0000000006D20000-0x000000000721E000-memory.dmp

Filesize
5.0MB

Download
memory/1884-25-0x0000000006910000-0x00000000069A2000-memory.dmp

Filesize
584KB

Download
memory/1884-28-0x0000000000EB0000-0x000000000122E000-memory.dmp

Filesize
3.5MB

Download
memory/1884-29-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-137-0x000001C9F4F80000-0x000001C9F4FA2000-memory.dmp

Filesize
136KB

Download
memory/2632-145-0x000001C9F4FF0000-0x000001C9F5000000-memory.dmp

Filesize
64KB

Download
memory/2632-99-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-196-0x000001C9F4FF0000-0x000001C9F5000000-memory.dmp

Filesize
64KB

Download
memory/2984-288-0x0000021A31BE0000-0x0000021A31BF0000-memory.dmp

Filesize
64KB

Download
memory/2984-143-0x0000021A31BE0000-0x0000021A31BF0000-memory.dmp

Filesize
64KB

Download
memory/2984-139-0x0000021A31BE0000-0x0000021A31BF0000-memory.dmp

Filesize
64KB

Download
memory/2984-193-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/3380-144-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/3380-166-0x00000155DABB0000-0x00000155DABC0000-memory.dmp

Filesize
64KB

Download
memory/3380-162-0x00000155DABB0000-0x00000155DABC0000-memory.dmp

Filesize
64KB

Download
memory/3652-195-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/3652-149-0x0000025FC3B20000-0x0000025FC3B30000-memory.dmp

Filesize
64KB

Download
memory/3652-148-0x0000025FC3B20000-0x0000025FC3B30000-memory.dmp

Filesize
64KB

Download
memory/3780-168-0x0000021377F80000-0x0000021377FF6000-memory.dmp

Filesize
472KB

Download
memory/3780-136-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/3780-155-0x0000021377DF0000-0x0000021377E00000-memory.dmp

Filesize
64KB

Download
memory/3780-206-0x0000021377DF0000-0x0000021377E00000-memory.dmp

Filesize
64KB

Download
memory/3780-178-0x0000021377DF0000-0x0000021377E00000-memory.dmp

Filesize
64KB

Download
memory/3896-135-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/3896-175-0x000002894DEE0000-0x000002894DEF0000-memory.dmp

Filesize
64KB

Download
memory/3896-197-0x000002894DEE0000-0x000002894DEF0000-memory.dmp

Filesize
64KB

Download
memory/4236-152-0x00007FFB10C40000-0x00007FFB1162C000-memory.dmp

Filesize
9.9MB

Download
memory/4236-169-0x000002AD68890000-0x000002AD688A0000-memory.dmp

Filesize
64KB

Download
memory/4236-200-0x000002AD68890000-0x000002AD688A0000-memory.dmp

Filesize
64KB

Download