orcus | 1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca

Analysis

max time kernel
145s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
Size

918KB
MD5

beff93c13a3839484a3248f3a1702516
SHA1

77d2620d977c1b7730a599da82efd7360898f309
SHA256

1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca
SHA512

fdf7ad1b65283101b1852badc92d09507a82eb13771d0676452f712fa26b649f20b18d970cf7c5f9bd43bf87b9252bd2ae76d9e11ef1addc0778565342a19a28
SSDEEP

24576:k1I4MROxnFi3ArIrZlI0AilFEvxHi18D:k1rMioAMrZlI0AilFEvxHi

Score

10^/10

orcus hack rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Hack

127.0.0.1:10134

Mutex

d7904e4fe3184c208642abe8f5cf9293

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
C:\Windows\System32\tаskmgr.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
GoogleUpdateTaskMachine
watchdog_path
AppData\smss.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\System32\tаskmgr.exe	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
C:\Windows\System32\tаskmgr.exe	orcus
behavioral2/memory/4812-53-0x0000000000CB0000-0x0000000000D9C000-memory.dmp	orcus

Checks computer location settings 2 TTPs 57 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exetаskmgr.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	tаskmgr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 64 IoCs

Processes:

tаskmgr.exetаskmgr.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
4812	tаskmgr.exe
212	tаskmgr.exe
4004	smss.exe
4540	smss.exe
2856	smss.exe
4612	smss.exe
1328	smss.exe
2396	smss.exe
4392	smss.exe
4908	smss.exe
4888	smss.exe
3944	smss.exe
1620	smss.exe
2724	smss.exe
3976	smss.exe
3608	smss.exe
4980	smss.exe
4432	smss.exe
2216	smss.exe
1956	smss.exe
1916	smss.exe
4936	smss.exe
3496	smss.exe
2712	smss.exe
4164	smss.exe
1352	smss.exe
3392	smss.exe
1688	smss.exe
1000	smss.exe
2280	smss.exe
60	smss.exe
3944	smss.exe
1512	smss.exe
3092	smss.exe
2036	smss.exe
864	smss.exe
2484	smss.exe
4376	smss.exe
4916	smss.exe
2416	smss.exe
3132	smss.exe
1256	smss.exe
1676	smss.exe
1864	smss.exe
2920	smss.exe
1744	smss.exe
4404	smss.exe
3592	smss.exe
4440	smss.exe
4796	smss.exe
3916	smss.exe
556	smss.exe
1800	smss.exe
4752	smss.exe
3188	smss.exe
460	smss.exe
3368	smss.exe
2900	smss.exe
5076	smss.exe
2584	smss.exe
1300	smss.exe
2892	smss.exe
884	smss.exe
3592	smss.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe

Drops file in System32 directory 3 IoCs

Processes:

1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe

description	ioc	process
File opened for modification	C:\Windows\System32\tаskmgr.exe	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
File created	C:\Windows\System32\tаskmgr.exe.config	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
File created	C:\Windows\System32\tаskmgr.exe	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe

Drops file in Windows directory 3 IoCs

Processes:

1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
File created	C:\Windows\assembly\Desktop.ini	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4816	4540	WerFault.exe	smss.exe
460	4612	WerFault.exe	smss.exe
3100	2396	WerFault.exe	smss.exe
3404	4908	WerFault.exe	smss.exe
2056	3944	WerFault.exe	smss.exe
1300	2724	WerFault.exe	smss.exe
1512	3608	WerFault.exe	smss.exe
1132	4432	WerFault.exe	smss.exe
3760	1956	WerFault.exe	smss.exe
2424	4936	WerFault.exe	smss.exe
400	2712	WerFault.exe	smss.exe
4992	1352	WerFault.exe	smss.exe
4972	1688	WerFault.exe	smss.exe
3472	2280	WerFault.exe	smss.exe
4440	3944	WerFault.exe	smss.exe
3104	3092	WerFault.exe	smss.exe
2584	864	WerFault.exe	smss.exe
2500	4376	WerFault.exe	smss.exe
2364	2416	WerFault.exe	smss.exe
3428	1256	WerFault.exe	smss.exe
1068	1864	WerFault.exe	smss.exe
1984	1744	WerFault.exe	smss.exe
3944	3592	WerFault.exe	smss.exe
2916	4796	WerFault.exe	smss.exe
2496	556	WerFault.exe	smss.exe
2148	4752	WerFault.exe	smss.exe
2560	460	WerFault.exe	smss.exe
4516	2900	WerFault.exe	smss.exe
2752	2584	WerFault.exe	smss.exe
1360	2892	WerFault.exe	smss.exe
2896	3592	WerFault.exe	smss.exe
1272	1740	WerFault.exe	smss.exe
916	1496	WerFault.exe	smss.exe
1532	4752	WerFault.exe	smss.exe
4468	3364	WerFault.exe	smss.exe
4516	736	WerFault.exe	smss.exe
744	2752	WerFault.exe	smss.exe
4232	4560	WerFault.exe	smss.exe
1956	2524	WerFault.exe	smss.exe
3136	2040	WerFault.exe	smss.exe
3716	1516	WerFault.exe	smss.exe
760	3592	WerFault.exe	smss.exe
820	1196	WerFault.exe	smss.exe
2268	4716	WerFault.exe	smss.exe
4320	2056	WerFault.exe	smss.exe
2580	1532	WerFault.exe	smss.exe
2524	1612	WerFault.exe	smss.exe
1976	780	WerFault.exe	smss.exe
1140	4876	WerFault.exe	smss.exe
2212	2472	WerFault.exe	smss.exe
2112	3928	WerFault.exe	smss.exe
1968	2128	WerFault.exe	smss.exe
3944	1940	WerFault.exe	smss.exe
4720	2428	WerFault.exe	smss.exe
2204	928	WerFault.exe	smss.exe
2468	3460	WerFault.exe	smss.exe
4288	2464	WerFault.exe	smss.exe
4436	3984	WerFault.exe	smss.exe
4032	1292	WerFault.exe	smss.exe
3044	4228	WerFault.exe	smss.exe
3944	1012	WerFault.exe	smss.exe
1452	4796	WerFault.exe	smss.exe
2532	4448	WerFault.exe	smss.exe
4148	4756	WerFault.exe	smss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tаskmgr.exe

pid	process
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe
4812	tаskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tаskmgr.exe

pid process

4812 tаskmgr.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

tаskmgr.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	pid	process
Token: SeDebugPrivilege	4812	tаskmgr.exe
Token: SeDebugPrivilege	4004	smss.exe
Token: SeDebugPrivilege	2856	smss.exe
Token: SeDebugPrivilege	1328	smss.exe
Token: SeDebugPrivilege	4392	smss.exe
Token: SeDebugPrivilege	4888	smss.exe
Token: SeDebugPrivilege	1620	smss.exe
Token: SeDebugPrivilege	3976	smss.exe
Token: SeDebugPrivilege	4980	smss.exe
Token: SeDebugPrivilege	2216	smss.exe
Token: SeDebugPrivilege	1916	smss.exe
Token: SeDebugPrivilege	3496	smss.exe
Token: SeDebugPrivilege	4164	smss.exe
Token: SeDebugPrivilege	3392	smss.exe
Token: SeDebugPrivilege	1000	smss.exe
Token: SeDebugPrivilege	60	smss.exe
Token: SeDebugPrivilege	1512	smss.exe
Token: SeDebugPrivilege	2036	smss.exe
Token: SeDebugPrivilege	2484	smss.exe
Token: SeDebugPrivilege	4916	smss.exe
Token: SeDebugPrivilege	3132	smss.exe
Token: SeDebugPrivilege	1676	smss.exe
Token: SeDebugPrivilege	2920	smss.exe
Token: SeDebugPrivilege	4404	smss.exe
Token: SeDebugPrivilege	4440	smss.exe
Token: SeDebugPrivilege	3916	smss.exe
Token: SeDebugPrivilege	1800	smss.exe
Token: SeDebugPrivilege	3188	smss.exe
Token: SeDebugPrivilege	3368	smss.exe
Token: SeDebugPrivilege	5076	smss.exe
Token: SeDebugPrivilege	1300	smss.exe
Token: SeDebugPrivilege	884	smss.exe
Token: SeDebugPrivilege	2544	smss.exe
Token: SeDebugPrivilege	4896	smss.exe
Token: SeDebugPrivilege	3196	smss.exe
Token: SeDebugPrivilege	4512	smss.exe
Token: SeDebugPrivilege	4992	smss.exe
Token: SeDebugPrivilege	4768	smss.exe
Token: SeDebugPrivilege	632	smss.exe
Token: SeDebugPrivilege	1544	smss.exe
Token: SeDebugPrivilege	4024	smss.exe
Token: SeDebugPrivilege	2148	smss.exe
Token: SeDebugPrivilege	1432	smss.exe
Token: SeDebugPrivilege	3296	smss.exe
Token: SeDebugPrivilege	1688	smss.exe
Token: SeDebugPrivilege	2664	smss.exe
Token: SeDebugPrivilege	3456	smss.exe
Token: SeDebugPrivilege	540	smss.exe
Token: SeDebugPrivilege	1240	smss.exe
Token: SeDebugPrivilege	3504	smss.exe
Token: SeDebugPrivilege	4828	smss.exe
Token: SeDebugPrivilege	1572	smss.exe
Token: SeDebugPrivilege	4952	smss.exe
Token: SeDebugPrivilege	896	smss.exe
Token: SeDebugPrivilege	4800	smss.exe
Token: SeDebugPrivilege	2596	smss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tаskmgr.exe

pid process

4812 tаskmgr.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

tаskmgr.exe

pid process

4812 tаskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.execsc.exetаskmgr.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	pid	process	target process
PID 1620 wrote to memory of 2924	1620	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe	csc.exe
PID 1620 wrote to memory of 2924	1620	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe	csc.exe
PID 2924 wrote to memory of 1160	2924	csc.exe	cvtres.exe
PID 2924 wrote to memory of 1160	2924	csc.exe	cvtres.exe
PID 1620 wrote to memory of 4812	1620	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe	tаskmgr.exe
PID 1620 wrote to memory of 4812	1620	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe	tаskmgr.exe
PID 4812 wrote to memory of 4004	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 4004	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 4004	4812	tаskmgr.exe	smss.exe
PID 4004 wrote to memory of 4540	4004	smss.exe	smss.exe
PID 4004 wrote to memory of 4540	4004	smss.exe	smss.exe
PID 4004 wrote to memory of 4540	4004	smss.exe	smss.exe
PID 4812 wrote to memory of 2856	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 2856	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 2856	4812	tаskmgr.exe	smss.exe
PID 2856 wrote to memory of 4612	2856	smss.exe	smss.exe
PID 2856 wrote to memory of 4612	2856	smss.exe	smss.exe
PID 2856 wrote to memory of 4612	2856	smss.exe	smss.exe
PID 4812 wrote to memory of 1328	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 1328	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 1328	4812	tаskmgr.exe	smss.exe
PID 1328 wrote to memory of 2396	1328	smss.exe	smss.exe
PID 1328 wrote to memory of 2396	1328	smss.exe	smss.exe
PID 1328 wrote to memory of 2396	1328	smss.exe	smss.exe
PID 4812 wrote to memory of 4392	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 4392	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 4392	4812	tаskmgr.exe	smss.exe
PID 4392 wrote to memory of 4908	4392	smss.exe	smss.exe
PID 4392 wrote to memory of 4908	4392	smss.exe	smss.exe
PID 4392 wrote to memory of 4908	4392	smss.exe	smss.exe
PID 4812 wrote to memory of 4888	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 4888	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 4888	4812	tаskmgr.exe	smss.exe
PID 4888 wrote to memory of 3944	4888	smss.exe	smss.exe
PID 4888 wrote to memory of 3944	4888	smss.exe	smss.exe
PID 4888 wrote to memory of 3944	4888	smss.exe	smss.exe
PID 4812 wrote to memory of 1620	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 1620	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 1620	4812	tаskmgr.exe	smss.exe
PID 1620 wrote to memory of 2724	1620	smss.exe	smss.exe
PID 1620 wrote to memory of 2724	1620	smss.exe	smss.exe
PID 1620 wrote to memory of 2724	1620	smss.exe	smss.exe
PID 4812 wrote to memory of 3976	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 3976	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 3976	4812	tаskmgr.exe	smss.exe
PID 3976 wrote to memory of 3608	3976	smss.exe	smss.exe
PID 3976 wrote to memory of 3608	3976	smss.exe	smss.exe
PID 3976 wrote to memory of 3608	3976	smss.exe	smss.exe
PID 4812 wrote to memory of 4980	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 4980	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 4980	4812	tаskmgr.exe	smss.exe
PID 4980 wrote to memory of 4432	4980	smss.exe	smss.exe
PID 4980 wrote to memory of 4432	4980	smss.exe	smss.exe
PID 4980 wrote to memory of 4432	4980	smss.exe	smss.exe
PID 4812 wrote to memory of 2216	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 2216	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 2216	4812	tаskmgr.exe	smss.exe
PID 2216 wrote to memory of 1956	2216	smss.exe	smss.exe
PID 2216 wrote to memory of 1956	2216	smss.exe	smss.exe
PID 2216 wrote to memory of 1956	2216	smss.exe	smss.exe
PID 4812 wrote to memory of 1916	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 1916	4812	tаskmgr.exe	smss.exe
PID 4812 wrote to memory of 1916	4812	tаskmgr.exe	smss.exe
PID 1916 wrote to memory of 4936	1916	smss.exe	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
"C:\Users\Admin\AppData\Local\Temp\1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tm4_ldi3.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48FC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC48FB.tmp"
3⤵
PID:1160

C:\Windows\System32\tаskmgr.exe
"C:\Windows\System32\tаskmgr.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4812

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 796
5⤵
- Program crash
PID:4816

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 796
5⤵
- Program crash
PID:460

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 796
5⤵
- Program crash
PID:3100

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 796
5⤵
- Program crash
PID:3404

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 796
5⤵
- Program crash
PID:2056

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 796
5⤵
- Program crash
PID:1300

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 796
5⤵
- Program crash
PID:1512

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 796
5⤵
- Program crash
PID:1132

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 796
5⤵
- Program crash
PID:3760

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 796
5⤵
- Program crash
PID:2424

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 796
5⤵
- Program crash
PID:400

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 796
5⤵
- Program crash
PID:4992

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 796
5⤵
- Program crash
PID:4972

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 816
5⤵
- Program crash
PID:3472

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 796
5⤵
- Program crash
PID:4440

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 796
5⤵
- Program crash
PID:3104

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 796
5⤵
- Program crash
PID:2584

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 796
5⤵
- Program crash
PID:2500

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 800
5⤵
- Program crash
PID:2364

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 796
5⤵
- Program crash
PID:3428

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 796
5⤵
- Program crash
PID:1068

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 796
5⤵
- Program crash
PID:1984

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 796
5⤵
- Program crash
PID:3944

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 796
5⤵
- Program crash
PID:2916

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 796
5⤵
- Program crash
PID:2496

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 812
5⤵
- Program crash
PID:2148

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 796
5⤵
- Program crash
PID:2560

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 796
5⤵
- Program crash
PID:4516

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 796
5⤵
- Program crash
PID:2752

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 796
5⤵
- Program crash
PID:1360

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
- Executes dropped EXE
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 796
5⤵
- Program crash
PID:2896

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 796
5⤵
- Program crash
PID:1272

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 796
5⤵
- Program crash
PID:916

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 796
5⤵
- Program crash
PID:1532

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 796
5⤵
- Program crash
PID:4468

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 796
5⤵
- Program crash
PID:4516

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 796
5⤵
- Program crash
PID:744

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 796
5⤵
- Program crash
PID:4232

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 796
5⤵
- Program crash
PID:1956

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 796
5⤵
- Program crash
PID:3136

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 796
5⤵
- Program crash
PID:3716

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 796
5⤵
- Program crash
PID:760

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 796
5⤵
- Program crash
PID:820

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 796
5⤵
- Program crash
PID:2268

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 796
5⤵
- Program crash
PID:4320

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 796
5⤵
- Program crash
PID:2580

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 796
5⤵
- Program crash
PID:2524

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 796
5⤵
- Program crash
PID:1976

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 796
5⤵
- Program crash
PID:1140

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 796
5⤵
- Program crash
PID:2212

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 796
5⤵
- Program crash
PID:2112

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 796
5⤵
- Program crash
PID:1968

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 796
5⤵
- Program crash
PID:3944

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 796
5⤵
- Program crash
PID:4720

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 796
5⤵
- Program crash
PID:2204

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:2732

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 796
5⤵
- Program crash
PID:2468

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:3652

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 796
5⤵
- Program crash
PID:4288

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:3048

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 796
5⤵
- Program crash
PID:4436

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:1696

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 796
5⤵
- Program crash
PID:4032

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:3996

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 796
5⤵
- Program crash
PID:3044

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:4484

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 796
5⤵
- Program crash
PID:3944

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:4528

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 796
5⤵
- Program crash
PID:1452

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:4572

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 796
5⤵
- Program crash
PID:2532

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:2032

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 796
5⤵
- Program crash
PID:4148

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:2464

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 796
5⤵
PID:3100

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:4452

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 796
5⤵
PID:1744

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 4812 /protectFile
3⤵
PID:4348

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 4812 "/protectFile"
4⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 796
5⤵
PID:4212

C:\Windows\System32\tаskmgr.exe
C:\Windows\System32\tаskmgr.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4540 -ip 4540
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4612 -ip 4612
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2396 -ip 2396
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4908 -ip 4908
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3944 -ip 3944
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2724 -ip 2724
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3608 -ip 3608
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4432 -ip 4432
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1956 -ip 1956
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4936 -ip 4936
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2712 -ip 2712
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1352 -ip 1352
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1688 -ip 1688
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2280 -ip 2280
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3944 -ip 3944
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3092 -ip 3092
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 864 -ip 864
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4376 -ip 4376
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2416 -ip 2416
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1256 -ip 1256
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1864 -ip 1864
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1744 -ip 1744
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3592 -ip 3592
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4796 -ip 4796
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 556 -ip 556
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4752 -ip 4752
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 460 -ip 460
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2900 -ip 2900
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2584 -ip 2584
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2892 -ip 2892
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3592 -ip 3592
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1740 -ip 1740
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1496 -ip 1496
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4752 -ip 4752
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3364 -ip 3364
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 736 -ip 736
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2752 -ip 2752
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4560 -ip 4560
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2524 -ip 2524
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2040 -ip 2040
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1516 -ip 1516
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3592 -ip 3592
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1196 -ip 1196
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4716 -ip 4716
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2056 -ip 2056
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1532 -ip 1532
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1612 -ip 1612
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 780 -ip 780
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4876 -ip 4876
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2472 -ip 2472
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3928 -ip 3928
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2128 -ip 2128
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1940 -ip 1940
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2428 -ip 2428
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 928 -ip 928
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3460 -ip 3460
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2464 -ip 2464
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3984 -ip 3984
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1292 -ip 1292
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4228 -ip 4228
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1012 -ip 1012
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4796 -ip 4796
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4448 -ip 4448
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4756 -ip 4756
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2964 -ip 2964
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4940 -ip 4940
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3448 -ip 3448
1⤵
PID:3484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\smss.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES48FC.tmp
Filesize
1KB

MD5
810efa51d315bb49e86547a6d19a7b8a

SHA1
bcd99806175647d844de7500b489ab041d0b5aa8

SHA256
02af6eca6ae638637c3f21b7113646a0f5e900d02f562ddc0e62cd34d4e19397

SHA512
21921a06419c3c0e3750a9dc41005fd1e798adb99803a43fc19827484ace7aeab426fd1c288a5c2dfb07c7d1a1360ef4d500f2f66ecc362b0f27668c11a8a22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\err_d7904e4fe3184c208642abe8f5cf9293.dat
Filesize
1KB

MD5
e2b3100941b4e6b21041859ab1aa1e7f

SHA1
3464e423b577f4f941fa97e50bfa6eed96cfc620

SHA256
cac8dfbc728db7406239c355fddc44e6ea7ad22cdef5f8b03acaa78b079ac76c

SHA512
01d74ea3a99188f4a3d260cee001d7c72a32c867588f8f086a7e4e6e4a553341d96c3d864b582b9469c980ab1c389296303ad8710d16298a7cef53ec0d18e606

Download Submit
C:\Users\Admin\AppData\Local\Temp\tm4_ldi3.dll
Filesize
76KB

MD5
5ae6a598fe5d5c312bf33e5e35cfad15

SHA1
4d326d44ffa1acbba1d02a9ac501cd9a41c53de6

SHA256
fdfbfb2724624ac42778a9dd3e8b6f70f62735be34c0d7de07b4493418172520

SHA512
09450925fcfcc4203d77253fbc5aa4934f6141bc285d856add0dc4635f5f3fca3ef883b8f00160c6cc61941ee25946f0257386031c1d9d530c9d236499cc89b5

Download Submit
C:\Users\Admin\AppData\Roaming\smss.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\System32\tаskmgr.exe
Filesize
918KB

MD5
beff93c13a3839484a3248f3a1702516

SHA1
77d2620d977c1b7730a599da82efd7360898f309

SHA256
1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca

SHA512
fdf7ad1b65283101b1852badc92d09507a82eb13771d0676452f712fa26b649f20b18d970cf7c5f9bd43bf87b9252bd2ae76d9e11ef1addc0778565342a19a28

Download Submit
C:\Windows\System32\tаskmgr.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC48FB.tmp
Filesize
676B

MD5
f00d37798455111631374ec1b4920865

SHA1
33bb4b93720895a55215bfbb59ce16af6aa746eb

SHA256
be8198fbf9eae269b1818b30a4d256243503240652370e2605595af2bd7ca11c

SHA512
c293caba6464755d26e0848cc9c9225b6102278b09dc211ced3d6162a87f980ecf62202d1369f112da079de602e6c7f8d20c2d8f278314650bd312f346651171

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tm4_ldi3.0.cs
Filesize
208KB

MD5
61f035a9d772b537d435a2a8a945448e

SHA1
b38bd6c155cf0a61fbf29f73612a9a91e2707fc6

SHA256
5f149ad390ab5f7f9f11223e28e00e7a791638bea223a7182239a41f0bd61e15

SHA512
4b81a7db1f22de504ef4337707da68726b14d21e0e0eaa8aa70ce28f3965a100573ea022903b38d62e1b3fab0f7666c036a19b280ee51b77cb4f4c4ad7ff23ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tm4_ldi3.cmdline
Filesize
349B

MD5
2873409a70440aa38d3c21dfb04b25cc

SHA1
9a6aa95ea5b6fe4077dd654de800023f44326999

SHA256
38514330d8fb9e0e99fd8c8c2ddb820b34591ff4c27c5420514e8b064c41cab7

SHA512
0e11c384eb8c096009244d152ed405cf14820561ceedcacc7a2d5dc6d3339e70400688e6250f36bc6d9001e274214c4bcbbca48545c65157fdafcef68b3c2650

Download Submit
memory/212-87-0x00007FFE223A0000-0x00007FFE22E61000-memory.dmp

Filesize
10.8MB

Download
memory/212-66-0x00007FFE223A0000-0x00007FFE22E61000-memory.dmp

Filesize
10.8MB

Download
memory/212-67-0x000000001AD30000-0x000000001AD40000-memory.dmp

Filesize
64KB

Download
memory/1328-102-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1328-105-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1620-30-0x000000001DC50000-0x000000001E20A000-memory.dmp

Filesize
5.7MB

Download
memory/1620-22-0x000000001BD30000-0x000000001BD46000-memory.dmp

Filesize
88KB

Download
memory/1620-27-0x0000000001600000-0x0000000001608000-memory.dmp

Filesize
32KB

Download
memory/1620-28-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

Filesize
32KB

Download
memory/1620-29-0x000000001D2F0000-0x000000001D352000-memory.dmp

Filesize
392KB

Download
memory/1620-25-0x00007FFE25B80000-0x00007FFE26521000-memory.dmp

Filesize
9.6MB

Download
memory/1620-31-0x000000001E210000-0x000000001E300000-memory.dmp

Filesize
960KB

Download
memory/1620-32-0x000000001D450000-0x000000001D46E000-memory.dmp

Filesize
120KB

Download
memory/1620-33-0x000000001E310000-0x000000001E359000-memory.dmp

Filesize
292KB

Download
memory/1620-34-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/1620-35-0x000000001E3F0000-0x000000001E460000-memory.dmp

Filesize
448KB

Download
memory/1620-36-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/1620-24-0x00007FFE25B80000-0x00007FFE26521000-memory.dmp

Filesize
9.6MB

Download
memory/1620-26-0x0000000001620000-0x0000000001632000-memory.dmp

Filesize
72KB

Download
memory/1620-123-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1620-54-0x00007FFE25B80000-0x00007FFE26521000-memory.dmp

Filesize
9.6MB

Download
memory/1620-121-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1620-1-0x00007FFE25B80000-0x00007FFE26521000-memory.dmp

Filesize
9.6MB

Download
memory/1620-2-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/1620-3-0x000000001BBF0000-0x000000001BC4C000-memory.dmp

Filesize
368KB

Download
memory/1620-8-0x000000001C8B0000-0x000000001C94C000-memory.dmp

Filesize
624KB

Download
memory/1620-0-0x00007FFE25B80000-0x00007FFE26521000-memory.dmp

Filesize
9.6MB

Download
memory/1620-7-0x000000001C340000-0x000000001C80E000-memory.dmp

Filesize
4.8MB

Download
memory/1620-6-0x000000001BCF0000-0x000000001BCFE000-memory.dmp

Filesize
56KB

Download
memory/2396-104-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/2396-107-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/2724-124-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/2856-96-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/2856-98-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/2924-14-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/3944-120-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3944-118-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4004-84-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4004-85-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/4004-92-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4392-112-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4392-109-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4540-90-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4540-93-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4612-100-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4612-99-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4812-63-0x000000001C110000-0x000000001C15E000-memory.dmp

Filesize
312KB

Download
memory/4812-59-0x000000001BDB0000-0x000000001BDEC000-memory.dmp

Filesize
240KB

Download
memory/4812-88-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/4812-111-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/4812-57-0x000000001B8A0000-0x000000001B8B2000-memory.dmp

Filesize
72KB

Download
memory/4812-56-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/4812-108-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/4812-60-0x000000001BF00000-0x000000001C00A000-memory.dmp

Filesize
1.0MB

Download
memory/4812-72-0x00007FFE223A0000-0x00007FFE22E61000-memory.dmp

Filesize
10.8MB

Download
memory/4812-69-0x000000001C5F0000-0x000000001C600000-memory.dmp

Filesize
64KB

Download
memory/4812-58-0x000000001BD50000-0x000000001BD62000-memory.dmp

Filesize
72KB

Download
memory/4812-53-0x0000000000CB0000-0x0000000000D9C000-memory.dmp

Filesize
944KB

Download
memory/4812-55-0x00007FFE223A0000-0x00007FFE22E61000-memory.dmp

Filesize
10.8MB

Download
memory/4812-65-0x000000001C4D0000-0x000000001C4E8000-memory.dmp

Filesize
96KB

Download
memory/4812-68-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/4888-117-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4888-115-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4908-113-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download