Analysis

  • max time kernel
    1800s
  • max time network
    1806s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    03-11-2024 20:58

General

  • Target

    bot.exe

  • Size

    3.2MB

  • MD5

    d9f7208d0116dcde22ece5048ac6c37d

  • SHA1

    f9b23d695bb875f032292983fe537c48bc02a657

  • SHA256

    15ba1de7e069b6615cc13a43cc2b50426065e92e018066b0e3a3af43bba522ee

  • SHA512

    152289834cfcf4fc78bd0799a78752587b06dd1c839ee46e050a03c99e1d527de995bd9430fbaee6da3d999293f00dbaa1d07736137e08c7740d5edb7263b114

  • SSDEEP

    49152:ubA3j4Ovfe+uuyV5rPOf82wtPXbGuTVHXZiyF3U5zKY7SeVZ9:ubSvfmV5kjwVbLXq5zKY9VZ9

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 34 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 43 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 15 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\bot.exe
    "C:\Users\Admin\AppData\Local\Temp\bot.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5304
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeagentFont\E1OrDChd6wfhvlLu9Zc8rvL1kfwV.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BridgeagentFont\LMbhEUlzAGhXQ88TEAwD9DBna.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe
          "C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5456
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g8OmkPCg94.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4044
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4228
            • C:\Users\Public\Downloads\WmiPrvSE.exe
              "C:\Users\Public\Downloads\WmiPrvSE.exe"
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2768
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4006af5-44eb-4125-bc45-efa280e0d481.vbs"
                7⤵
                PID:5040
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b97db559-b74a-47df-83f2-a316bb976443.vbs"
                7⤵
                PID:5944
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:12941/
                7⤵
                • Enumerates system info in registry
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of WriteProcessMemory
                PID:2788
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffdd04746f8,0x7ffdd0474708,0x7ffdd0474718
                  8⤵
                  PID:4444
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
                  8⤵
                  PID:3100
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
                  8⤵
                  PID:3352
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
                  8⤵
                  PID:3716
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
                  8⤵
                  PID:4472
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
                  8⤵
                  PID:1480
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
                  8⤵
                  PID:4460
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
                  8⤵
                  PID:4348
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
                  8⤵
                  PID:4828
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                  8⤵
                  • Drops file in Program Files directory
                  PID:516
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x7ff70bb55460,0x7ff70bb55470,0x7ff70bb55480
                    9⤵
                    PID:5756
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
                  8⤵
                  PID:928
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
                  8⤵
                  PID:5424
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
                  8⤵
                  PID:544
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
                  8⤵
                  PID:3200
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
                  8⤵
                  PID:3516
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
                  8⤵
                  PID:1400
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
                  8⤵
                  PID:1072
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3040 /prefetch:2
                  8⤵
                  PID:3816
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
                  8⤵
                  PID:1600
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13930507567730677585,677289438067720626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
                  8⤵
                  PID:552
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:6132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\twain_32\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5236
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\es-ES\conhost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4840
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\conhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2596
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\es-ES\conhost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5684
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4016
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1944
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2396
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2252
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1696
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3220
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1412
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1408
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5760
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2324
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3156
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:3532
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\explorer.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2876
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1296
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5072
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1200
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5060
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5344
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:6016
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5996
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4756
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:4152
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "Containerreview" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1568
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Containerreview.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Process spawned unexpected child process
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:5656
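Every schtasks.exe line above follows one template: a copy of a Windows binary name dropped outside its real directory (csrss.exe under C:\Recovery\WindowsRE, spoolsv.exe under C:\Users\Public, WmiPrvSE.exe under C:\Users\Public\Downloads), registered twice, once as "<name>" on ONLOGON with /rl HIGHEST and once as "<name><first letter>" on a MINUTE trigger every 6 to 14 minutes, and the same paths are then executed in the dropped-EXE entries that follow. The script below is an added triage example, not part of the sandbox report or of any tool it names; it parses such command lines and returns the indicators found. The table of genuine binary directories, the 30-minute interval threshold, the function names and the benign control line are this example's own assumptions; the three malicious sample lines are copied from the report.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Added example (not from the sandbox report): turn schtasks /create lines and
# dropped-image paths into a persistence verdict.

# Directories in which the genuine Windows binaries of these names live
# (curated here as an assumption; keys and values are lower-cased).
WINDOWS_BINARY_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "sihost.exe": {r"c:\windows\system32"},
    "taskhostw.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
}

# Constructed threshold (assumption, not from the report): a MINUTE trigger at
# or below this interval is a re-launch loop rather than a maintenance job.
MAX_BENIGN_MINUTE_INTERVAL = 30

# Matches '/flag value' or '/flag "quoted value"' for the switches of interest.
_ARG_RE = re.compile(r'/(?P<flag>tn|sc|mo|tr|rl)\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)


def masquerade_reason(image_path: str) -> Optional[str]:
    """Explain why an image path impersonates a Windows binary, or None if it does not."""
    p = PureWindowsPath(image_path)
    expected = WINDOWS_BINARY_DIRS.get(p.name.lower())
    if expected is None or str(p.parent).lower() in expected:
        return None
    return f"{p.name} found in {p.parent}, genuine copy lives in {sorted(expected)[0]}"


def parse_schtasks(cmdline: str) -> dict:
    """Extract /tn, /sc, /mo, /tr and /rl from a schtasks /create command line.
    The report quotes /tr as "'<path>'"; both quoting layers are stripped."""
    args = {}
    for m in _ARG_RE.finditer(cmdline):
        args[m.group("flag").lower()] = m.group("q") if m.group("q") is not None else m.group("u")
    if "tr" in args:
        args["tr"] = args["tr"].strip("'\" ")
    return args


def assess_task(cmdline: str) -> list:
    """List the persistence indicators present on one schtasks /create line."""
    args = parse_schtasks(cmdline)
    target = args.get("tr")
    if not target:
        return []
    findings = []
    reason = masquerade_reason(target)
    if reason:
        findings.append("masquerade: " + reason)
    stem = PureWindowsPath(target).stem
    tn = args.get("tn", "")
    # The report pairs every image with two tasks: "<stem>" (ONLOGON) and
    # "<stem><first letter of stem>" (MINUTE), e.g. csrss / csrssc.
    if tn and stem and tn in (stem, stem + stem[0]):
        findings.append(f"task name {tn!r} derived from image name {stem!r}")
    if str(PureWindowsPath(target).parent).lower().startswith(r"c:\users"):
        findings.append("target under C:\\Users, writable by a standard user")
    sc, mo = args.get("sc", "").upper(), args.get("mo", "")
    if sc == "MINUTE" and mo.isdigit() and int(mo) <= MAX_BENIGN_MINUTE_INTERVAL:
        findings.append(f"re-launch every {mo} minute(s)")
    if sc == "ONLOGON":
        findings.append("runs at every logon")
    if args.get("rl", "").upper() == "HIGHEST":
        findings.append("requests highest run level")
    return findings


def is_dcrat_style(cmdline: str) -> bool:
    """True when a line couples impersonation (masquerade or derived task name)
    with a privilege or re-launch trigger, the pairing seen across this report."""
    f = assess_task(cmdline)
    impersonation = any(x.startswith(("masquerade", "task name")) for x in f)
    trigger = any(x.startswith(("re-launch", "runs at", "requests")) for x in f)
    return impersonation and trigger


# Constructed sample input: three lines copied from the report above plus one
# benign control line that is made up for contrast.
SAMPLE_CMDLINES = [
    'schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "\'C:\\Users\\Public\\spoolsv.exe\'" /rl HIGHEST /f',
    'schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "\'C:\\Recovery\\WindowsRE\\csrss.exe\'" /rl HIGHEST /f',
    'schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "\'C:\\Users\\Public\\Downloads\\WmiPrvSE.exe\'" /f',
    'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\\Program Files\\Acme\\backup.exe" /f',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print("DCRAT-STYLE" if is_dcrat_style(line) else "ok         ", assess_task(line))
```

masquerade_reason() is deliberately separate from the schtasks parser so the same check can be run over the image paths of the dropped executables listed further down (C:\Windows\en-US\dwm.exe, C:\Windows\twain_32\taskhostw.exe, C:\Program Files (x86)\Microsoft\Edge\dllhost.exe), or over a process list from a live host. Names not in the table, such as sysmon.exe, Containerreview.exe and TextInputHost.exe, are only caught through the task-name and trigger heuristics, so extend the table before relying on the verdict.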
                                                • C:\Windows\system32\vssvc.exe
                                                  C:\Windows\system32\vssvc.exe
                                                  1⤵
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:6048
                                                • C:\Windows\System32\CompPkgSrv.exe
                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                  1⤵
                                                    PID:2104
                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                    1⤵
                                                      PID:4688
                                                    • C:\Windows\system32\wbem\WmiApSrv.exe
                                                      C:\Windows\system32\wbem\WmiApSrv.exe
                                                      1⤵
                                                        PID:3628
                                                      • C:\Recovery\WindowsRE\Containerreview.exe
                                                        "C:\Recovery\WindowsRE\Containerreview.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1700
                                                      • C:\Program Files\Windows Security\BrowserCore\en-US\services.exe
                                                        "C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3076
                                                      • C:\Windows\en-US\dwm.exe
                                                        "C:\Windows\en-US\dwm.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2744
                                                      • C:\Program Files\Windows Portable Devices\smss.exe
                                                        "C:\Program Files\Windows Portable Devices\smss.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3848
                                                      • C:\Recovery\WindowsRE\sysmon.exe
                                                        "C:\Recovery\WindowsRE\sysmon.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4940
                                                      • C:\Recovery\WindowsRE\sihost.exe
                                                        "C:\Recovery\WindowsRE\sihost.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4476
                                                      • C:\Program Files\Internet Explorer\es-ES\conhost.exe
                                                        "C:\Program Files\Internet Explorer\es-ES\conhost.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:732
                                                      • C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe
                                                        "C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5208
                                                      • C:\Recovery\WindowsRE\TextInputHost.exe
                                                        "C:\Recovery\WindowsRE\TextInputHost.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4288
                                                      • C:\Recovery\WindowsRE\Containerreview.exe
                                                        "C:\Recovery\WindowsRE\Containerreview.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5836
                                                      • C:\Users\Public\Downloads\WmiPrvSE.exe
                                                        "C:\Users\Public\Downloads\WmiPrvSE.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4412
                                                      • C:\Windows\TAPI\explorer.exe
                                                        "C:\Windows\TAPI\explorer.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4724
                                                      • C:\Windows\twain_32\taskhostw.exe
                                                        "C:\Windows\twain_32\taskhostw.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:756
                                                      • C:\Program Files (x86)\Microsoft\Edge\dllhost.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\dllhost.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5440
                                                      • C:\Recovery\WindowsRE\csrss.exe
                                                        "C:\Recovery\WindowsRE\csrss.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2668
                                                      • C:\Program Files\Windows Security\BrowserCore\en-US\services.exe
                                                        "C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3188
                                                      • C:\Windows\en-US\dwm.exe
                                                        "C:\Windows\en-US\dwm.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5612
                                                      • C:\Users\Public\spoolsv.exe
                                                        "C:\Users\Public\spoolsv.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5408
                                                      • C:\Program Files\Windows Portable Devices\smss.exe
                                                        "C:\Program Files\Windows Portable Devices\smss.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4792
                                                      • C:\Recovery\WindowsRE\sysmon.exe
                                                        "C:\Recovery\WindowsRE\sysmon.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3364
                                                      • C:\Recovery\WindowsRE\sihost.exe
                                                        "C:\Recovery\WindowsRE\sihost.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5208
                                                      • C:\Recovery\WindowsRE\Containerreview.exe
                                                        "C:\Recovery\WindowsRE\Containerreview.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:6120
                                                      • C:\Program Files\Internet Explorer\es-ES\conhost.exe
                                                        "C:\Program Files\Internet Explorer\es-ES\conhost.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5160
                                                      • C:\Program Files\Windows Security\BrowserCore\en-US\services.exe
                                                        "C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
                                                        1⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1844
                                                      • C:\Windows\en-US\dwm.exe
  "C:\Windows\en-US\dwm.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:748
• C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe
  "C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:1484
• C:\Recovery\WindowsRE\TextInputHost.exe
  "C:\Recovery\WindowsRE\TextInputHost.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:2032
• C:\Program Files\Windows Portable Devices\smss.exe
  "C:\Program Files\Windows Portable Devices\smss.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:5720
• C:\Recovery\WindowsRE\Containerreview.exe
  "C:\Recovery\WindowsRE\Containerreview.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:1100
• C:\Users\Public\Downloads\WmiPrvSE.exe
  "C:\Users\Public\Downloads\WmiPrvSE.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:2268
• C:\Recovery\WindowsRE\sysmon.exe
  "C:\Recovery\WindowsRE\sysmon.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:5900
• C:\Windows\TAPI\explorer.exe
  "C:\Windows\TAPI\explorer.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:3864
• C:\Windows\twain_32\taskhostw.exe
  "C:\Windows\twain_32\taskhostw.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:4772
• C:\Program Files (x86)\Microsoft\Edge\dllhost.exe
  "C:\Program Files (x86)\Microsoft\Edge\dllhost.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:1560
• C:\Recovery\WindowsRE\csrss.exe
  "C:\Recovery\WindowsRE\csrss.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:1600
• C:\Recovery\WindowsRE\sihost.exe
  "C:\Recovery\WindowsRE\sihost.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:1556
• C:\Program Files\Internet Explorer\es-ES\conhost.exe
  "C:\Program Files\Internet Explorer\es-ES\conhost.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:6012
• C:\Program Files\Windows Security\BrowserCore\en-US\services.exe
  "C:\Program Files\Windows Security\BrowserCore\en-US\services.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:5916
• C:\Users\Public\spoolsv.exe
  "C:\Users\Public\spoolsv.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:5176
• C:\Windows\en-US\dwm.exe
  "C:\Windows\en-US\dwm.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:5408
• C:\Recovery\WindowsRE\Containerreview.exe
  "C:\Recovery\WindowsRE\Containerreview.exe"
  1⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  PID:3344

                                                      Network

                                                      MITRE ATT&CK Enterprise v15

                                                      Downloads

                                                      • C:\Program Files (x86)\Microsoft\Edge\dllhost.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        5bef2af57cbc13bb14d4498de54173ba

                                                        SHA1

                                                        c936a7fcf0c9c5f57914017e20faffc893a978fc

                                                        SHA256

                                                        83a62f59a57c32b11c4fa2c05271e2d81af82f64d0d857d9f41a4fcfd8c77fc1

                                                        SHA512

                                                        36dcc541654646808e1388901c8595aff30507c98fa18db2e5de4ad66d6d8ac86141662fec9b371602a81662aeb289dab4ae3b7a42e2b35311f5023a049c84d7

                                                      • C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        3b1ca38feef0aba734a8759adae7433d

                                                        SHA1

                                                        9223483960c9556af38eceb9679a58185cfc6e5f

                                                        SHA256

                                                        282136f623a6c80c52bc7ac230865dc4b385614c18d35b0c6c5f9f5cee4e48f6

                                                        SHA512

                                                        6cb15edc12b1425a36511ee6a8fb20c27212d1f4ffef0e367fa8708b95efc44e9bb3f02455cfd8365253fadcf5df4f8fae73ba048b9eee1d770bcebcb262d6ef

                                                      • C:\Program Files\Internet Explorer\es-ES\conhost.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        66cad8cbc6782679a4c02a5cc0437c7f

                                                        SHA1

                                                        36f78a60efc2ba1e0ab28fba6c137def67eee69b

                                                        SHA256

                                                        0db3435ec83d02950ad22c3f413f6f7878724ac5a02ebf233f63f8174aa47d9d

                                                        SHA512

                                                        3e19bfaeb1bd147c6e2d45c5cb80ed714d29c4b8ed89cb570e2359d63f754f27585329cb80ab94dbe7ae1f245e4e983f6a50680b4f53a42e88fb84c53d6ce617

                                                      • C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\fontdrvhost.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        b83ff437fd78d56e4049bc3cb68f4c84

                                                        SHA1

                                                        e05748a07c1d058e95a8ee49978696c582cb3791

                                                        SHA256

                                                        eb952a94f5da8c8a8462d8707fb2c2c128094ae27d09c92fd7c91fd16b6624ed

                                                        SHA512

                                                        81ce975853548f04fae1b04f1e6c58539fddf6b660838c9c4c3b713e5f17c5a9bb1b017e8905b4705e37c596585abd33c89f7efb2003c7a58521254e24e6944d

                                                      • C:\Program Files\Windows Portable Devices\smss.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        d044ad04da4d5b5941a9f360a90e5d3d

                                                        SHA1

                                                        cce7a89e37381c2067a4c065fe699e9b822414a6

                                                        SHA256

                                                        fb2aeeb85a5a64b433556ead01d7be5197fa7df444d0f693ea39a05905b6fa6e

                                                        SHA512

                                                        a0412a2bd174230d285e8b6440a37e98bed8a82293440ceaf6c9ea408259fbdb0e0fda994b41d494acb98cb6721d13a1cc082a47ab70bf9c06200adc47ca1692

                                                      • C:\Program Files\Windows Security\BrowserCore\en-US\services.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        d0e75858f62d9eafb6eeb76c7ca0d4ab

                                                        SHA1

                                                        7722eee1e451cff3fb33f5c1cc6c91a1730b82d8

                                                        SHA256

                                                        7b2c8e0377bf5e017c68500f1fb19b52b5304f64fca9b664dfa27bc400560a17

                                                        SHA512

                                                        1a2f1c0f036baf40137528dd26f3c8612731847434daedb953cdc41222866a8bd48452e4125162af7aa8b8bc1908a2d15a65fd898a10a9606d0887ea88b2745f

                                                      • C:\Recovery\WindowsRE\Containerreview.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        634359d7d2831979d76fab1f366131c0

                                                        SHA1

                                                        543c00e6fd1799d967c16882cf2ada6527d417d7

                                                        SHA256

                                                        071d9ad46543ddbe6df0570d114de7a0e3acda1d6c149d4747eb75c890d7b7ae

                                                        SHA512

                                                        1e613c584bcaa48cc4350afde7bb779b5a79e67256fb52c4db782190178d646a000a0b57a4a35b97ba3c0d0eca3abb45754eb26ca60bd9d0045981dc06b32e1c

                                                      • C:\Recovery\WindowsRE\TextInputHost.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        08fbe97a9b1cad8f38092a6dbd5fc7d4

                                                        SHA1

                                                        004709286843abecbe41faadfb7a3c5c018bde15

                                                        SHA256

                                                        f77e98afc6a6a9ff98c08815fc8aa32da3b5f669f3cac2a7e859c1d08a2f2ff7

                                                        SHA512

                                                        f25c66d01efae91316370bba7a8acc90312565c2c7df79c380a0f8a37efe0caa47ff2f4c0b8e2d3fc2561766fa1513095c5c67a02407b0758cedf1bd3b0bd380

                                                      • C:\Recovery\WindowsRE\csrss.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        88fa8885cc5fc045d193857ac957d453

                                                        SHA1

                                                        7340703773267db18f45bd0d2923e22e7877405f

                                                        SHA256

                                                        8c5fdcf63f124670e5f9c8910b22f776a9bc8635d6bf034253587744ace42c35

                                                        SHA512

                                                        a33f0cf31c74b48619d1134e18cee174346e7db9af3078fb1c9130dd02c7974f415267c82975e0fc9a9db975bc520e8c9425c51a07d958a94dbf01be56a51e8d

                                                      • C:\Recovery\WindowsRE\services.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        86d15cd6a08dbf072f314995124db7dd

                                                        SHA1

                                                        ac0935513fcc1a2559c32e9b2658518e3812f434

                                                        SHA256

                                                        354e4735b5325911bcfcdb99daf07cb577f222c2437fb810ed02adf69cd705ee

                                                        SHA512

                                                        f04c1254288c63be4a29612a3ef46ea63a3f59a542284a949ee3dc02ce82c197f92c54dfdff82a81f4d3138acd67295ecf3e04e56a45ca4bd02fdc673531b3f3

                                                      • C:\Recovery\WindowsRE\sihost.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        cedfcfdc086a6986071042ad7301f6f0

                                                        SHA1

                                                        50592dff8936a7c23968bfcf0d152d5d8d280004

                                                        SHA256

                                                        176c714c5c89a926aa2eef847e5df346d665a3e32975f4ffa98faf49ba5ad939

                                                        SHA512

                                                        a45eb4c04ecfcc77e657e77a3ef973d1563e1fdee0e751927d805a3dd148b26e8a5203eb948ef67ea47f6fc7d529ae565fee36c23e3c8982793f2f59b2359cc5

                                                      • C:\Recovery\WindowsRE\sysmon.exe

                                                        Filesize

                                                        2.8MB

                                                        MD5

                                                        d15dbe43c6f1bf6a410c2998b67fb321

                                                        SHA1

                                                        1b564c1170ab5b3390333cb87cde670afab08000

                                                        SHA256

                                                        72f61fc4f1295d2cfb7e9234c5c13ebe4d64496f41bc5e0d1338b817921709f7

                                                        SHA512

                                                        8353362b620464cce30d587a04059ae94b4d5dfe71d7957b9068b1d34a8af65be88c8a3cf0faaebfef58b71774f8a35dcaaf9238ae82b984c2631b728763d02a

                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Containerreview.exe.log

                                                        Filesize

                                                        1KB

                                                        MD5

                                                        340f7d929ebbc3218c7c80bb773799de

                                                        SHA1

                                                        d6246e1ec0a00c25283d12ca60108f6c8888bb1c

                                                        SHA256

                                                        818c3b409a489f80f5ebc50338ea66ea8a4d90d3d35c4f41d37861dfdbd3da04

                                                        SHA512

                                                        083198c6adc0b14dc6cc3ab9235450aa7ca3b49b5342949771d216f6cd2a82187f02665a803e9ad88064797b78aafdd1aac11f8da1442bfabb0ee72454841d56

                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

                                                        Filesize

                                                        1KB

                                                        MD5

                                                        b08c36ce99a5ed11891ef6fc6d8647e9

                                                        SHA1

                                                        db95af417857221948eb1882e60f98ab2914bf1d

                                                        SHA256

                                                        cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

                                                        SHA512

                                                        07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                        Filesize

                                                        152B

                                                        MD5

                                                        f6126b3cef466f7479c4f176528a9348

                                                        SHA1

                                                        87855913d0bfe2c4559dd3acb243d05c6d7e4908

                                                        SHA256

                                                        588138bf57e937e1dec203a5073c3edb1e921c066779e893342e79e3d160e0b4

                                                        SHA512

                                                        ef622b26c8cee1f767def355b2d7bffb2b28e7a653c09b7e2d33f6468a453fff39fd120cacbffd79ce35722592af0f3fb7d5054e2dca06310e44dc460533f3d8

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                        Filesize

                                                        152B

                                                        MD5

                                                        6dda6e078b56bc17505e368f3e845302

                                                        SHA1

                                                        45fbd981fbbd4f961bf72f0ac76308fc18306cba

                                                        SHA256

                                                        591bf3493eb620a3851c0cd65bff79758a09c61e9a22ea113fa0480404a38b15

                                                        SHA512

                                                        9e460013fd043cee9bdbcdaf96ac2f7e21a08e88ddb754dddbd8378ee2288d50271e66b42092d84a12e726469465185be11a6fafab6ed4236a244524bd60f502

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

                                                        Filesize

                                                        70KB

                                                        MD5

                                                        e5e3377341056643b0494b6842c0b544

                                                        SHA1

                                                        d53fd8e256ec9d5cef8ef5387872e544a2df9108

                                                        SHA256

                                                        e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

                                                        SHA512

                                                        83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

                                                        Filesize

                                                        41B

                                                        MD5

                                                        5af87dfd673ba2115e2fcf5cfdb727ab

                                                        SHA1

                                                        d5b5bbf396dc291274584ef71f444f420b6056f1

                                                        SHA256

                                                        f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                        SHA512

                                                        de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        5KB

                                                        MD5

                                                        498b30933946213f89b464edc96803e3

                                                        SHA1

                                                        0c706076cc4e9dbea4e7bde8ce7134c9357cb5a9

                                                        SHA256

                                                        93c343c50743b259b42c95470647b5121a587f695be14dd7bb1098842f1bfd5c

                                                        SHA512

                                                        60087876298fc3354d8600b5f2d7b19e0cfa0b3fe48a1e5005dd1fb9002ef4155223c4ae28ed3a985c1ed9ed41dbb07e9fed353c0afa7c360d18bc33a458187a

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        5KB

                                                        MD5

                                                        63d51bccf9216c2d15e15a38c09157b2

                                                        SHA1

                                                        c82db2078b94e5b77c3b192554e5d4d3d250dfc2

                                                        SHA256

                                                        05d04e53f2cbdd0000d5d5b2be6faaf071d581bc7663461fcf971b62830194bf

                                                        SHA512

                                                        6b752ea79237dfc84c1b3403bcc5ccd5941c0e42a30e047c80de79c96f8fa37d7aac6dbf287e24707896e86e9792518010aef2b2171f18b24b4f6dfaef2f2405

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        5KB

                                                        MD5

                                                        fea22d873f70905b1bf29680c3fa2e16

                                                        SHA1

                                                        16da06444188a71122938e0fa025383fd4043f68

                                                        SHA256

                                                        d34d72f17310cfdaafb2363fc6a6fea75fba18ee0d0007c243d0e518b376a9aa

                                                        SHA512

                                                        ccd91d0a9b9e0313f8bee0c46270523bcf09c4dadd784679ac67ee865e54778505f5da8c57e8aaef33ec61cfa56a976563bd75e9ce60f5e8503df9c96368333b

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                        Filesize

                                                        24KB

                                                        MD5

                                                        90cc75707c7f427e9bbc8e0553500b46

                                                        SHA1

                                                        9034bdd7e7259406811ec8b5b7ce77317b6a2b7e

                                                        SHA256

                                                        f5d76f8630779de1fe82f8802d6d144861e3487171e4b32e3f8fffd2a57725fb

                                                        SHA512

                                                        7ad692bce11aee08bf65bb7c578b89a4a3024211ee1deaf671c925d65cc016943f2caad3d57b365e16d1764c78c36cae35c3c45cef0928dd611a565b0313e511

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                        Filesize

                                                        24KB

                                                        MD5

                                                        0d8c8c98295f59eade1d8c5b0527a5c2

                                                        SHA1

                                                        038269c6a2c432c6ecb5b236d08804502e29cde0

                                                        SHA256

                                                        9148e2a2ba2a3b765c088dc8a1bdcc9b07b129e5e48729a61ebc321cb7b8b721

                                                        SHA512

                                                        885a734a97a6f8c4a8fb5f0efa9fe55742f0685210472ed376466e67f928e82ddf91ba1211389d9c55dd1e03dc064aa7a81d1fca3cf429fbaf8f60db8b1348c6

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c06f75c1-c396-433e-8646-fbf660e374cf.tmp

                                                        Filesize

                                                        4KB

                                                        MD5

                                                        c7dd907e69e89c42a821a6c7c3a25317

                                                        SHA1

                                                        0db15015c820092b4487de3acdcdf9b7a1b69727

                                                        SHA256

                                                        b075ac643bc8b21d18068cd3a8aa10ee24795f3ddefb976c0517ff1d2b5aa5f3

                                                        SHA512

                                                        da4eadd0888f2ff4ad039d3ca677520d2df1bb15d7df52de86f6d12efe58a3e8e1781ff1ae6e6f5e3911cb51acc55e14bc47a9d678f862396db7574964afd572

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d124cd4a-7996-4f96-8114-23ffc5254306.tmp

                                                        Filesize

                                                        5KB

                                                        MD5

                                                        694b6d0434ccdf1fa81bd43bcc48ff9b

                                                        SHA1

                                                        6d10d53b1c84b54b43dd9d4d1bd5622490b60827

                                                        SHA256

                                                        764229ab3139f21b766eb886b866b0625fed3354dce1cf492c82d07c8a9f32ba

                                                        SHA512

                                                        1ecce7d1d2c72cf85a16d3a0c96137ff4fa77971711b70696412cbf09d0cb62291c812107c523f2196430f790b2720bbeaae878dc6dc23706fab2cff0413df1e

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                        Filesize

                                                        16B

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

                                                        Filesize

                                                        16B

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                        Filesize

                                                        8KB

                                                      • C:\Users\Admin\AppData\Local\Temp\b97db559-b74a-47df-83f2-a316bb976443.vbs

                                                        Filesize

                                                        490B

                                                      • C:\Users\Admin\AppData\Local\Temp\c4006af5-44eb-4125-bc45-efa280e0d481.vbs

                                                        Filesize

                                                        714B

                                                      • C:\Users\Admin\AppData\Local\Temp\g8OmkPCg94.bat

                                                        Filesize

                                                        203B

                                                      • C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe

                                                        Filesize

                                                        2.8MB

                                                      • C:\Users\Admin\AppData\Roaming\BridgeagentFont\E1OrDChd6wfhvlLu9Zc8rvL1kfwV.vbe

                                                        Filesize

                                                        224B

                                                      • C:\Users\Admin\AppData\Roaming\BridgeagentFont\LMbhEUlzAGhXQ88TEAwD9DBna.bat

                                                        Filesize

                                                        159B

                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

                                                        Filesize

                                                        3KB

                                                      • C:\Users\Public\Downloads\WmiPrvSE.exe

                                                        Filesize

                                                        2.8MB

                                                      • C:\Users\Public\spoolsv.exe

                                                        Filesize

                                                        2.8MB

                                                      • C:\Windows\TAPI\explorer.exe

                                                        Filesize

                                                        2.8MB

                                                      • C:\Windows\en-US\dwm.exe

                                                        Filesize

                                                        2.8MB

                                                      • C:\Windows\twain_32\taskhostw.exe

                                                        Filesize

                                                        2.8MB

                                                      • memory/732-540-0x0000000000E90000-0x0000000001170000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/756-560-0x00000000000F0000-0x00000000003D0000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/1700-498-0x0000000000330000-0x0000000000610000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/2668-566-0x00000000008B0000-0x0000000000B90000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/2744-513-0x0000000000AE0000-0x0000000000DC0000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/2768-210-0x00000000009C0000-0x0000000000CA0000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/2768-211-0x000000001B7A0000-0x000000001B7F6000-memory.dmp

                                                        Filesize

                                                        344KB

                                                      • memory/3076-510-0x0000000000880000-0x0000000000B60000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/3848-518-0x0000000000940000-0x0000000000C20000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/4288-548-0x00000000005D0000-0x00000000008B0000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/4476-538-0x0000000000840000-0x0000000000B20000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/4724-555-0x0000000000B10000-0x0000000000DF0000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/4940-521-0x0000000000BA0000-0x0000000000E80000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/5208-545-0x0000000000D20000-0x0000000001000000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/5408-576-0x0000000000360000-0x0000000000640000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/5440-563-0x0000000000720000-0x0000000000A00000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/5456-35-0x000000001B9D0000-0x000000001B9DC000-memory.dmp

                                                        Filesize

                                                        48KB

                                                      • memory/5456-17-0x0000000000E50000-0x0000000000E6C000-memory.dmp

                                                        Filesize

                                                        112KB

                                                      • memory/5456-32-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

                                                        Filesize

                                                        48KB

                                                      • memory/5456-22-0x0000000002700000-0x0000000002708000-memory.dmp

                                                        Filesize

                                                        32KB

                                                      • memory/5456-21-0x000000001B150000-0x000000001B166000-memory.dmp

                                                        Filesize

                                                        88KB

                                                      • memory/5456-34-0x000000001B9C0000-0x000000001B9CC000-memory.dmp

                                                        Filesize

                                                        48KB

                                                      • memory/5456-19-0x0000000000E70000-0x0000000000E78000-memory.dmp

                                                        Filesize

                                                        32KB

                                                      • memory/5456-33-0x000000001B8B0000-0x000000001B8B8000-memory.dmp

                                                        Filesize

                                                        32KB

                                                      • memory/5456-20-0x00000000026F0000-0x0000000002700000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/5456-18-0x000000001B7C0000-0x000000001B810000-memory.dmp

                                                        Filesize

                                                        320KB

                                                      • memory/5456-134-0x00007FFDD6EE3000-0x00007FFDD6EE5000-memory.dmp

                                                        Filesize

                                                        8KB

                                                      • memory/5456-28-0x000000001B1A0000-0x000000001B1AC000-memory.dmp

                                                        Filesize

                                                        48KB

                                                      • memory/5456-36-0x000000001BAE0000-0x000000001BAE8000-memory.dmp

                                                        Filesize

                                                        32KB

                                                      • memory/5456-40-0x000000001BD20000-0x000000001BD2C000-memory.dmp

                                                        Filesize

                                                        48KB

                                                      • memory/5456-23-0x0000000002760000-0x0000000002768000-memory.dmp

                                                        Filesize

                                                        32KB

                                                      • memory/5456-31-0x000000001BEF0000-0x000000001C418000-memory.dmp

                                                        Filesize

                                                        5.2MB

                                                      • memory/5456-16-0x0000000000220000-0x0000000000500000-memory.dmp

                                                        Filesize

                                                        2.9MB

                                                      • memory/5456-30-0x000000001B870000-0x000000001B882000-memory.dmp

                                                        Filesize

                                                        72KB

                                                      • memory/5456-41-0x000000001BC10000-0x000000001BC18000-memory.dmp

                                                        Filesize

                                                        32KB

                                                      • memory/5456-15-0x00007FFDD6EE3000-0x00007FFDD6EE5000-memory.dmp

                                                        Filesize

                                                        8KB

                                                      • memory/5456-42-0x000000001BC20000-0x000000001BC2C000-memory.dmp

                                                        Filesize

                                                        48KB

                                                      • memory/5456-29-0x000000001B860000-0x000000001B868000-memory.dmp

                                                        Filesize

                                                        32KB

                                                      • memory/5456-24-0x000000001B170000-0x000000001B17A000-memory.dmp

                                                        Filesize

                                                        40KB

                                                      • memory/5456-25-0x000000001B810000-0x000000001B866000-memory.dmp

                                                        Filesize

                                                        344KB

                                                      • memory/5456-38-0x000000001BB00000-0x000000001BB0E000-memory.dmp

                                                        Filesize

                                                        56KB

                                                      • memory/5456-37-0x000000001BAF0000-0x000000001BAFA000-memory.dmp

                                                        Filesize

                                                        40KB

                                                      • memory/5456-26-0x000000001B180000-0x000000001B18C000-memory.dmp

                                                        Filesize

                                                        48KB

                                                      • memory/5456-39-0x000000001BD10000-0x000000001BD18000-memory.dmp

                                                        Filesize

                                                        32KB

                                                      • memory/5456-27-0x000000001B190000-0x000000001B198000-memory.dmp

                                                        Filesize

                                                        32KB