discordrat | d0edb846b44e046fee8fea55dba1160e988ccfc947cf51fbb2803ded90268d19

Analysis

max time kernel
137s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayer.exe
Size

78KB
MD5

8f3d0d4044ff8cc1d847687568c91e14
SHA1

fd9049e0e5c074603b78a2aea228b75e4ce6c099
SHA256

1c7ffa12df8fc6b0617ddd3e7bf89582154156c803ca2b2df7a6073d43e13dc0
SHA512

afd8aa0948e588de2bb7d44687afccd5da52e613a06a26bbec862945a3cd1a80423b2e1929256bce23e92bac5b09f27e436c1223583d4507c6782da3d46760e4
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+cPIC:5Zv5PDwbjNrmAE+QIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxNTQyMjc0OTk4ODg4NDU3Mg.G8QiY3.e2k047pCmhPxBH-tdaOfxVTB1BY3dSfZIT_sXY
server_id
1201970766531530822

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RobloxPlayer.exe

description pid process target process

PID 8 created 612 8 RobloxPlayer.exe winlogon.exe
Downloads MZ/PE file

description	pid	process	target process
PID 8 created 612	8	RobloxPlayer.exe	winlogon.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
70	discord.com
84	discord.com
99	discord.com
100	discord.com
102	discord.com
80	raw.githubusercontent.com
98	discord.com
101	discord.com
8	discord.com
20	discord.com
79	raw.githubusercontent.com
104	discord.com
7	discord.com

Drops file in System32 directory 12 IoCs

Processes:

svchost.exesvchost.exesvchost.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RobloxPlayer.exe

description pid process target process

PID 8 set thread context of 5424 8 RobloxPlayer.exe dllhost.exe

description	pid	process	target process
PID 8 set thread context of 5424	8	RobloxPlayer.exe	dllhost.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exemousocoreworker.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exe

pid process

5176 SCHTASKS.exe

pid	process
5176	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exemousocoreworker.exewmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000	svchost.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

OfficeClickToRun.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 26 May 2024 02:03:56 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8B7A11B3-DFB2-4302-BB6C-2DF5F3E835FF}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716689036"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RobloxPlayer.exedllhost.exeWerFault.exesvchost.exe

pid	process
8	RobloxPlayer.exe
8	RobloxPlayer.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
8	RobloxPlayer.exe
6108	WerFault.exe
6108	WerFault.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5548	svchost.exe
5548	svchost.exe
5424	dllhost.exe
5424	dllhost.exe
8	RobloxPlayer.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
8	RobloxPlayer.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
8	RobloxPlayer.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
8	RobloxPlayer.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
8	RobloxPlayer.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe
5424	dllhost.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
1252
1172
1292
6056
1908
3080
3920
2504
1208
5404
2540
2996
5052
4684
2524
264
4032
5216
1072
3176
5264
6124
1476
5256
3052
5328
5884
4076
1988
4800
1036
5896
4156
5048
4172
4200
4708
4304
6004
5648
5816
4308
4356
4816
228
5640
5376
5972
5696
5520
5692
5724
5612
5720
6088
5292
3956
1080
5556
648
1288
956
4952
2592

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RobloxPlayer.exefirefox.exedllhost.exeExplorer.EXEsvchost.exemousocoreworker.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	8	RobloxPlayer.exe
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeDebugPrivilege	8	RobloxPlayer.exe
Token: SeDebugPrivilege	5424	dllhost.exe
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeAuditPrivilege	2840	svchost.exe
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeShutdownPrivilege	3260	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	3260	mousocoreworker.exe
Token: SeShutdownPrivilege	3260	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	3260	mousocoreworker.exe
Token: SeShutdownPrivilege	3260	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	3260	mousocoreworker.exe
Token: SeShutdownPrivilege	3260	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	3260	mousocoreworker.exe
Token: SeAssignPrimaryTokenPrivilege	1896	svchost.exe
Token: SeIncreaseQuotaPrivilege	1896	svchost.exe
Token: SeSecurityPrivilege	1896	svchost.exe
Token: SeTakeOwnershipPrivilege	1896	svchost.exe
Token: SeLoadDriverPrivilege	1896	svchost.exe
Token: SeSystemtimePrivilege	1896	svchost.exe
Token: SeBackupPrivilege	1896	svchost.exe
Token: SeRestorePrivilege	1896	svchost.exe
Token: SeShutdownPrivilege	1896	svchost.exe
Token: SeSystemEnvironmentPrivilege	1896	svchost.exe
Token: SeUndockPrivilege	1896	svchost.exe
Token: SeManageVolumePrivilege	1896	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1896	svchost.exe
Token: SeIncreaseQuotaPrivilege	1896	svchost.exe
Token: SeSecurityPrivilege	1896	svchost.exe
Token: SeTakeOwnershipPrivilege	1896	svchost.exe
Token: SeLoadDriverPrivilege	1896	svchost.exe
Token: SeSystemtimePrivilege	1896	svchost.exe
Token: SeBackupPrivilege	1896	svchost.exe
Token: SeRestorePrivilege	1896	svchost.exe
Token: SeShutdownPrivilege	1896	svchost.exe
Token: SeSystemEnvironmentPrivilege	1896	svchost.exe
Token: SeUndockPrivilege	1896	svchost.exe
Token: SeManageVolumePrivilege	1896	svchost.exe
Token: SeAuditPrivilege	2840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1896	svchost.exe
Token: SeIncreaseQuotaPrivilege	1896	svchost.exe
Token: SeSecurityPrivilege	1896	svchost.exe
Token: SeTakeOwnershipPrivilege	1896	svchost.exe
Token: SeLoadDriverPrivilege	1896	svchost.exe
Token: SeSystemtimePrivilege	1896	svchost.exe
Token: SeBackupPrivilege	1896	svchost.exe
Token: SeRestorePrivilege	1896	svchost.exe
Token: SeShutdownPrivilege	1896	svchost.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

firefox.exe

pid process

3596 firefox.exe
3596 firefox.exe
3596 firefox.exe
3596 firefox.exe
3596 firefox.exe
3596 firefox.exe
3596 firefox.exe
3596 firefox.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

firefox.exe

pid process

3596 firefox.exe
3596 firefox.exe
3596 firefox.exe
3596 firefox.exe
3596 firefox.exe
3596 firefox.exe
3596 firefox.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

firefox.exeExplorer.EXE

pid process

3596 firefox.exe
3536 Explorer.EXE

pid	process
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe

pid	process
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe

pid	process
3596	firefox.exe
3536	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4052 wrote to memory of 3596	4052	firefox.exe	firefox.exe
PID 4052 wrote to memory of 3596	4052	firefox.exe	firefox.exe
PID 4052 wrote to memory of 3596	4052	firefox.exe	firefox.exe
PID 4052 wrote to memory of 3596	4052	firefox.exe	firefox.exe
PID 4052 wrote to memory of 3596	4052	firefox.exe	firefox.exe
PID 4052 wrote to memory of 3596	4052	firefox.exe	firefox.exe
PID 4052 wrote to memory of 3596	4052	firefox.exe	firefox.exe
PID 4052 wrote to memory of 3596	4052	firefox.exe	firefox.exe
PID 4052 wrote to memory of 3596	4052	firefox.exe	firefox.exe
PID 4052 wrote to memory of 3596	4052	firefox.exe	firefox.exe
PID 4052 wrote to memory of 3596	4052	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 3324	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 4728	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 4728	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 4728	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 4728	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 4728	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 4728	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 4728	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 4728	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 4728	3596	firefox.exe	firefox.exe
PID 3596 wrote to memory of 4728	3596	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1012
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c465767e-89ff-4265-96fc-24603b3e59ec}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5424
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 612 -s 888
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:6108

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1184
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1440
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2520
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:6120
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:5256
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2368
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:5584
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:5984
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:5476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2736

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2888

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3536
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe
  "C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77RobloxPlayer.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5176
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.0.788320107\1977161413" -parentBuildID 20230214051806 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b937e675-f3b0-4a56-85ea-a26d45c616ce} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 1816 1d6c4a0dd58 gpu
      4⤵
      PID:3324
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.1.478559409\447855270" -parentBuildID 20230214051806 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1e91bae-b680-4817-b0b4-b73610ceede7} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 2428 1d6b7d89f58 socket
      4⤵
      PID:4728
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.2.1300315223\281465491" -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3048 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29a2ffce-5f6c-46c8-90ea-55e92ea979bc} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 3104 1d6c75f0f58 tab
      4⤵
      PID:4332
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.3.2133370678\1211981237" -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6a4ae0d-63be-48f0-86ec-9ce04fe37be0} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 3796 1d6c9b70d58 tab
      4⤵
      PID:2776
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.4.1244995237\71464186" -childID 3 -isForBrowser -prefsHandle 5064 -prefMapHandle 5032 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7978ab8-1fd5-486c-8cd7-3d82e2e517fd} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5072 1d6cb711b58 tab
      4⤵
      PID:2980
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.5.762987501\1377002446" -childID 4 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ce6a594-6be4-4031-ba30-c238ee8ba6e8} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5208 1d6cbe0ce58 tab
      4⤵
      PID:1620
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.6.1677371873\1294080851" -childID 5 -isForBrowser -prefsHandle 5496 -prefMapHandle 5492 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e97b633-92ec-45aa-bd66-65d66c1c5c6e} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 5504 1d6cbe0dd58 tab
      4⤵
      PID:4588
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3596.7.224071960\2027648408" -childID 6 -isForBrowser -prefsHandle 5996 -prefMapHandle 5992 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b709ab7e-2deb-44ca-8767-3ee0d8cb9b13} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" 6004 1d6cd8c6858 tab
      4⤵
      PID:5516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3648

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3992

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4840

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1756

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1352

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1028

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4860

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3724

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:1044

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4748

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86B4.tmp.csv

Filesize
43KB

MD5
3f30ddd8ea997ce603b1678a95d832af

SHA1
19ad957645484410657bb5445c4cc529c80dab0e

SHA256
a06dfa409b124eb4f22f45ee3abf680336b9b03e695b6edfcb876d4edb1f8c59

SHA512
bc341bed479fd927fe0d0cc6cfa394e93c64a53c32833bbadbce0a564d6fe36c238b7e0e672db0eaf07d9805d7eae6f8f2bf16fffebeb7d8d3dc2df5e77957a5

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8723.tmp.txt

Filesize
13KB

MD5
8e791260e784fadf3e3ca81916f5f888

SHA1
f529c66d975ffa742e57c5d739dfcec147b1c6d1

SHA256
ceefdc2149e03b3dbfb106ad6c476b67ec8a342fe988f039ef0728d6e4f11498

SHA512
173994d0de3c24dea367b90517f1399437e8ec09b0be474ceb016110ce6d7c1bec62c96f422e27fe4114f9f60d10d003fcfad34effd2361b393b3b4385b9ce78

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

Filesize
34KB

MD5
ea8dafa1651618988d6083c1ca361215

SHA1
6ef2dcc79575cb9680b14c2ea3b2a24ddf96ccfa

SHA256
627af7f1b8398e5d8448216ff07695f67e0c8652e19035e06ff5de75bdf25a8e

SHA512
193af0d2e82ce6798bdd6cb17bd17b96eaa6ca8a6c51cf9b8bc7b22d3fb3a1e7d618a21fa6c55ad38f923499245fb9983028732dbc74b69548ab47137eb5b1f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
d0050a862ea47efad1c07616553b30b2

SHA1
7609c30e6e26899e22b7610db77fbe5c97f68a67

SHA256
4dd4a7fbe41263386664fe8014ff8f12be3fc6d5bb2aa07c3b4dd38a63af7289

SHA512
de094a37c08c9c56ed87b4ba026b184efd4a187658932770c0cd962ef99d6ebfdc83bfb1f2a555eee9c9f2a9a6fab32049f70da83e368143d343efaa69dd6278

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
memory/8-67-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

Filesize
2.0MB

Download
memory/8-2-0x000002646C390000-0x000002646C552000-memory.dmp

Filesize
1.8MB

Download
memory/8-68-0x00007FFE4CCF0000-0x00007FFE4CDAE000-memory.dmp

Filesize
760KB

Download
memory/8-130-0x00007FFE30513000-0x00007FFE30515000-memory.dmp

Filesize
8KB

Download
memory/8-492-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

Filesize
10.8MB

Download
memory/8-4-0x000002646CBD0000-0x000002646D0F8000-memory.dmp

Filesize
5.2MB

Download
memory/8-66-0x000002646C210000-0x000002646C24E000-memory.dmp

Filesize
248KB

Download
memory/8-3-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

Filesize
10.8MB

Download
memory/8-1-0x00007FFE30513000-0x00007FFE30515000-memory.dmp

Filesize
8KB

Download
memory/8-0-0x0000026451DD0000-0x0000026451DE8000-memory.dmp

Filesize
96KB

Download
memory/8-385-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

Filesize
10.8MB

Download
memory/404-109-0x000001E68FD90000-0x000001E68FDBA000-memory.dmp

Filesize
168KB

Download
memory/404-98-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/404-97-0x000001E68FD90000-0x000001E68FDBA000-memory.dmp

Filesize
168KB

Download
memory/612-102-0x00007FFE4E5CF000-0x00007FFE4E5D0000-memory.dmp

Filesize
4KB

Download
memory/612-386-0x00007FFE4E5CC000-0x00007FFE4E5CD000-memory.dmp

Filesize
4KB

Download
memory/612-82-0x000001A43E1E0000-0x000001A43E203000-memory.dmp

Filesize
140KB

Download
memory/612-84-0x000001A43E210000-0x000001A43E23A000-memory.dmp

Filesize
168KB

Download
memory/612-405-0x000001A43E210000-0x000001A43E23A000-memory.dmp

Filesize
168KB

Download
memory/612-101-0x00007FFE4E5CD000-0x00007FFE4E5CE000-memory.dmp

Filesize
4KB

Download
memory/612-100-0x000001A43E210000-0x000001A43E23A000-memory.dmp

Filesize
168KB

Download
memory/664-85-0x000001E409510000-0x000001E40953A000-memory.dmp

Filesize
168KB

Download
memory/664-104-0x00007FFE4E5CD000-0x00007FFE4E5CE000-memory.dmp

Filesize
4KB

Download
memory/664-103-0x000001E409510000-0x000001E40953A000-memory.dmp

Filesize
168KB

Download
memory/664-86-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/936-131-0x000001CE9F560000-0x000001CE9F58A000-memory.dmp

Filesize
168KB

Download
memory/936-116-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/936-115-0x000001CE9F560000-0x000001CE9F58A000-memory.dmp

Filesize
168KB

Download
memory/940-95-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/940-94-0x000001CFDA5D0000-0x000001CFDA5FA000-memory.dmp

Filesize
168KB

Download
memory/940-107-0x00007FFE4E5CC000-0x00007FFE4E5CD000-memory.dmp

Filesize
4KB

Download
memory/940-106-0x000001CFDA5D0000-0x000001CFDA5FA000-memory.dmp

Filesize
168KB

Download
memory/1012-90-0x000002D72CB50000-0x000002D72CB7A000-memory.dmp

Filesize
168KB

Download
memory/1012-91-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/1012-105-0x000002D72CB50000-0x000002D72CB7A000-memory.dmp

Filesize
168KB

Download
memory/1084-132-0x00000253F3860000-0x00000253F388A000-memory.dmp

Filesize
168KB

Download
memory/1084-118-0x00000253F3860000-0x00000253F388A000-memory.dmp

Filesize
168KB

Download
memory/1084-119-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/1100-121-0x0000021E18EF0000-0x0000021E18F1A000-memory.dmp

Filesize
168KB

Download
memory/1100-122-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/1160-124-0x0000014971200000-0x000001497122A000-memory.dmp

Filesize
168KB

Download
memory/1160-125-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/1184-127-0x00000290002C0000-0x00000290002EA000-memory.dmp

Filesize
168KB

Download
memory/1184-128-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/1244-135-0x0000024C161A0000-0x0000024C161CA000-memory.dmp

Filesize
168KB

Download
memory/1244-136-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/1320-139-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/1320-138-0x000002265F960000-0x000002265F98A000-memory.dmp

Filesize
168KB

Download
memory/1336-148-0x0000020913F60000-0x0000020913F8A000-memory.dmp

Filesize
168KB

Download
memory/1336-149-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

Filesize
64KB

Download
memory/5424-69-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5424-70-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5424-72-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

Filesize
2.0MB

Download
memory/5424-74-0x00007FFE4CCF0000-0x00007FFE4CDAE000-memory.dmp

Filesize
760KB

Download
memory/5424-75-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5424-71-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download