dcrat | d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2022, 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.1MB
MD5

1466f001f010dfed5838484c2fb25a56
SHA1

489c707fd9d43574e536b4da4f15d3965d57c2fc
SHA256

d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc
SHA512

35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0
SSDEEP

12288:4epPM2lx+HOqRo1lEBht1ylUyeewN3eJE3/oZ4DFWX4DBYFn9ducCSLEelT+wsHu:X0Vey/Olg5pwZesvCStZsbqSNz6

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	5096	schtasks.exe	60
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	5096	schtasks.exe	60

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4116-256-0x0000000000400000-0x000000000053A000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	file.exe

Executes dropped EXE 4 IoCs

pid	Process
4912	TrustedInstaller.exe
5012	TrustedInstaller.exe
2216	TrustedInstaller.exe
3436	TrustedInstaller.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	TrustedInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	file.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	ipinfo.io
38	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 4116	4800	file.exe	95
PID 4208 set thread context of 4380	4208	file.exe	154
PID 4912 set thread context of 3436	4912	TrustedInstaller.exe	199

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\9e8d7a4ca61bd9	file.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe	file.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\04c1e7795967e4	file.exe
File created	C:\Program Files\Microsoft Office\Office16\sppsvc.exe	file.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe	file.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\RuntimeBroker.exe	file.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\04c1e7795967e4	file.exe
File created	C:\Program Files\Microsoft Office\Office16\0a1fd5f707cd16	file.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\886983d96e3d3e	file.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\TrustedInstaller.exe	file.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\1040\dwm.exe	file.exe
File created	C:\Windows\Microsoft.NET\Framework\1040\6cb0b6c459d5d3	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TrustedInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TrustedInstaller.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4212	schtasks.exe
2216	schtasks.exe
3276	schtasks.exe
32	schtasks.exe
3448	schtasks.exe
4296	schtasks.exe
1440	schtasks.exe
3456	schtasks.exe
3344	schtasks.exe
3408	schtasks.exe
1816	schtasks.exe
1460	schtasks.exe
3428	schtasks.exe
1160	schtasks.exe
1196	schtasks.exe
5112	schtasks.exe
2152	schtasks.exe
2248	schtasks.exe
4528	schtasks.exe
4772	schtasks.exe
5032	schtasks.exe
2488	schtasks.exe
836	schtasks.exe
4744	schtasks.exe
5108	schtasks.exe
448	schtasks.exe
5036	schtasks.exe
976	schtasks.exe
4080	schtasks.exe
3976	schtasks.exe
408	schtasks.exe
3864	schtasks.exe
1824	schtasks.exe
3332	schtasks.exe
3416	schtasks.exe
1164	schtasks.exe
4548	schtasks.exe
1172	schtasks.exe
400	schtasks.exe
3228	schtasks.exe
4720	schtasks.exe
5008	schtasks.exe
3276	schtasks.exe
4220	schtasks.exe
1636	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	file.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	file.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	TrustedInstaller.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1088	powershell.exe
1088	powershell.exe
4468	powershell.exe
4800	file.exe
4800	file.exe
4800	file.exe
4800	file.exe
4800	file.exe
4800	file.exe
4468	powershell.exe
4116	file.exe
4116	file.exe
4116	file.exe
4116	file.exe
4116	file.exe
4116	file.exe
4116	file.exe
4116	file.exe
4116	file.exe
4116	file.exe
4116	file.exe
1168	powershell.exe
1168	powershell.exe
1092	powershell.exe
1092	powershell.exe
860	powershell.exe
860	powershell.exe
2724	powershell.exe
2724	powershell.exe
1404	powershell.exe
1404	powershell.exe
3848	powershell.exe
3848	powershell.exe
548	powershell.exe
548	powershell.exe
4588	powershell.exe
4588	powershell.exe
2576	powershell.exe
2576	powershell.exe
4976	powershell.exe
4976	powershell.exe
1092	powershell.exe
1168	powershell.exe
2724	powershell.exe
2576	powershell.exe
1404	powershell.exe
548	powershell.exe
860	powershell.exe
3848	powershell.exe
4588	powershell.exe
4976	powershell.exe
2700	powershell.exe
2700	powershell.exe
4208	file.exe
4208	file.exe
384	powershell.exe
384	powershell.exe
4380	file.exe
4380	file.exe
4380	file.exe
480	powershell.exe
3364	powershell.exe
4236	powershell.exe
4572	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	file.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4116	file.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	4208	file.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	4380	file.exe
Token: SeDebugPrivilege	480	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	204	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	4912	TrustedInstaller.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	3436	TrustedInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 1088	4800	file.exe	81
PID 4800 wrote to memory of 1088	4800	file.exe	81
PID 4800 wrote to memory of 1088	4800	file.exe	81
PID 4800 wrote to memory of 1200	4800	file.exe	89
PID 4800 wrote to memory of 1200	4800	file.exe	89
PID 4800 wrote to memory of 1200	4800	file.exe	89
PID 1200 wrote to memory of 4468	1200	cmd.exe	91
PID 1200 wrote to memory of 4468	1200	cmd.exe	91
PID 1200 wrote to memory of 4468	1200	cmd.exe	91
PID 4800 wrote to memory of 2732	4800	file.exe	92
PID 4800 wrote to memory of 2732	4800	file.exe	92
PID 4800 wrote to memory of 2732	4800	file.exe	92
PID 4800 wrote to memory of 1680	4800	file.exe	93
PID 4800 wrote to memory of 1680	4800	file.exe	93
PID 4800 wrote to memory of 1680	4800	file.exe	93
PID 4800 wrote to memory of 1900	4800	file.exe	94
PID 4800 wrote to memory of 1900	4800	file.exe	94
PID 4800 wrote to memory of 1900	4800	file.exe	94
PID 4800 wrote to memory of 4116	4800	file.exe	95
PID 4800 wrote to memory of 4116	4800	file.exe	95
PID 4800 wrote to memory of 4116	4800	file.exe	95
PID 4800 wrote to memory of 4116	4800	file.exe	95
PID 4800 wrote to memory of 4116	4800	file.exe	95
PID 4800 wrote to memory of 4116	4800	file.exe	95
PID 4800 wrote to memory of 4116	4800	file.exe	95
PID 4800 wrote to memory of 4116	4800	file.exe	95
PID 4116 wrote to memory of 1168	4116	file.exe	123
PID 4116 wrote to memory of 1168	4116	file.exe	123
PID 4116 wrote to memory of 1168	4116	file.exe	123
PID 4116 wrote to memory of 1092	4116	file.exe	143
PID 4116 wrote to memory of 1092	4116	file.exe	143
PID 4116 wrote to memory of 1092	4116	file.exe	143
PID 4116 wrote to memory of 860	4116	file.exe	125
PID 4116 wrote to memory of 860	4116	file.exe	125
PID 4116 wrote to memory of 860	4116	file.exe	125
PID 4116 wrote to memory of 1404	4116	file.exe	126
PID 4116 wrote to memory of 1404	4116	file.exe	126
PID 4116 wrote to memory of 1404	4116	file.exe	126
PID 4116 wrote to memory of 2724	4116	file.exe	129
PID 4116 wrote to memory of 2724	4116	file.exe	129
PID 4116 wrote to memory of 2724	4116	file.exe	129
PID 4116 wrote to memory of 3848	4116	file.exe	141
PID 4116 wrote to memory of 3848	4116	file.exe	141
PID 4116 wrote to memory of 3848	4116	file.exe	141
PID 4116 wrote to memory of 548	4116	file.exe	131
PID 4116 wrote to memory of 548	4116	file.exe	131
PID 4116 wrote to memory of 548	4116	file.exe	131
PID 4116 wrote to memory of 4588	4116	file.exe	132
PID 4116 wrote to memory of 4588	4116	file.exe	132
PID 4116 wrote to memory of 4588	4116	file.exe	132
PID 4116 wrote to memory of 2576	4116	file.exe	133
PID 4116 wrote to memory of 2576	4116	file.exe	133
PID 4116 wrote to memory of 2576	4116	file.exe	133
PID 4116 wrote to memory of 4976	4116	file.exe	135
PID 4116 wrote to memory of 4976	4116	file.exe	135
PID 4116 wrote to memory of 4976	4116	file.exe	135
PID 4116 wrote to memory of 4400	4116	file.exe	142
PID 4116 wrote to memory of 4400	4116	file.exe	142
PID 4116 wrote to memory of 4400	4116	file.exe	142
PID 4400 wrote to memory of 4764	4400	cmd.exe	145
PID 4400 wrote to memory of 4764	4400	cmd.exe	145
PID 4400 wrote to memory of 4764	4400	cmd.exe	145
PID 4764 wrote to memory of 4624	4764	w32tm.exe	146
PID 4764 wrote to memory of 4624	4764	w32tm.exe	146

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgA2AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- C:\Users\Admin\AppData\Local\Temp\file.exe
  C:\Users\Admin\AppData\Local\Temp\file.exe
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\file.exe
  C:\Users\Admin\AppData\Local\Temp\file.exe
  2⤵
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\file.exe
  C:\Users\Admin\AppData\Local\Temp\file.exe
  2⤵
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\file.exe
  C:\Users\Admin\AppData\Local\Temp\file.exe
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\file.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\TrustedInstaller.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\TextConv\en-US\RuntimeBroker.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\1040\dwm.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Idle.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PNfa8RQ2hP.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      4⤵
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4208
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgA2AA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:4796
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
    - - C:\Users\Admin\AppData\Local\Temp\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\file.exe
        5⤵
        
        PID:4604
    - - C:\Users\Admin\AppData\Local\Temp\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\file.exe
        5⤵
        Checks computer location settings
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\file.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\System.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SppExtComObj.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:204
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\sppsvc.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bfmU82gIBQ.bat"
        6⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5008
        
        C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgA2AA==
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        8⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe"
        8⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe"
        8⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14aedfb2-94db-409a-828e-88503a9f9c5d.vbs"
        9⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b45777ff-2650-4159-bcbe-f83592bdda8d.vbs"
        9⤵
        
        PID:3560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\microsoft shared\TextConv\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\TextConv\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\TextConv\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework\1040\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1040\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\1040\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\odt\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe

Filesize
1.1MB

MD5
1466f001f010dfed5838484c2fb25a56

SHA1
489c707fd9d43574e536b4da4f15d3965d57c2fc

SHA256
d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

SHA512
35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe

Filesize
1.1MB

MD5
1466f001f010dfed5838484c2fb25a56

SHA1
489c707fd9d43574e536b4da4f15d3965d57c2fc

SHA256
d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

SHA512
35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe

Filesize
1.1MB

MD5
1466f001f010dfed5838484c2fb25a56

SHA1
489c707fd9d43574e536b4da4f15d3965d57c2fc

SHA256
d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

SHA512
35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe

Filesize
1.1MB

MD5
1466f001f010dfed5838484c2fb25a56

SHA1
489c707fd9d43574e536b4da4f15d3965d57c2fc

SHA256
d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

SHA512
35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\TrustedInstaller.exe

Filesize
1.1MB

MD5
1466f001f010dfed5838484c2fb25a56

SHA1
489c707fd9d43574e536b4da4f15d3965d57c2fc

SHA256
d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

SHA512
35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrustedInstaller.exe.log

Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
5106e855ea3445f727e042a46da3d259

SHA1
0e167cdb3557ffbd5f1c5849c3d4515a6c7494c8

SHA256
c6d9dc6f96027e5e380286aa56ae2e21cb2ec4e7ddd09da8e7feac4b6f9dac53

SHA512
865896ce9ed9b228734ef3903ab89f25ef77fd9992fa8c2f839fc30ffb47d903f2675bc3c15f1abdc2191c9eff3aa18096cbb97cc246b80ee8aa35786db1a009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1d1f749189447a4301500c5a0fa70be8

SHA1
2ec666ad7408b6889ff312f1ef5ee043c5bb86bd

SHA256
abeac63981f4fb4d9dd31b66a054bcc993b56de2d2bf6380bf20d7d48bc320d8

SHA512
23ce01610b47d12694b9d60b9a3aca76b8eeea0c83ba8f0c8e4aca99cf82aa261cbd5822af6db1283a6a62f25ce47990418c1958fc83ceb08b6e0510599e3f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7bb2afdccca2d7517d0b6f6e909f668d

SHA1
f2596b294f1870a24b24b8d61c887fbb9c90ecee

SHA256
a81d1e0f4474808d4c2999c8447575fc78003c2086ecac59a8566ac78f8bcad6

SHA512
1f3e73886a37554ad372de2395a806a59c9eefde944efd75d0af80fb046275d482813d57e4485828209cef81328f48b091f12e1a517328b0f36058f164b99174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7bb2afdccca2d7517d0b6f6e909f668d

SHA1
f2596b294f1870a24b24b8d61c887fbb9c90ecee

SHA256
a81d1e0f4474808d4c2999c8447575fc78003c2086ecac59a8566ac78f8bcad6

SHA512
1f3e73886a37554ad372de2395a806a59c9eefde944efd75d0af80fb046275d482813d57e4485828209cef81328f48b091f12e1a517328b0f36058f164b99174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ad5f9b97bbb351241efcd511642a529b

SHA1
ba9090adfc371ee50e8ab3c9b2cbc6b14fa9fa69

SHA256
d3059c9adeee0ebbe97ba441adca99c7979f70560f0adfe6a045ebd1b17ee51c

SHA512
550222fa0ea026e02b924540a23f73350c86d52ae62a7a1f6d7f3d247daa18b8e3d4ac1afb90075671ec420ed2bcbe9bfd2004cd45db804a24a043b1a28507bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c55620fa0f6ef3a8810d98f1579c4e72

SHA1
7dcda47c746ca02175a6d7a3a25bba3343634b48

SHA256
cbf831dc18a72849e4e8e7438844a169f436d160d10d6c80657b2b7e5e3f9ded

SHA512
6b5fee000c6ebb7e4898f49506ec4df49cbf5da5c16f74bdc3efae324fe98e4b6743b211797dab392d4a970457ae5dd2ec6b85b43900f464d835eca17fcd332a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ad5f9b97bbb351241efcd511642a529b

SHA1
ba9090adfc371ee50e8ab3c9b2cbc6b14fa9fa69

SHA256
d3059c9adeee0ebbe97ba441adca99c7979f70560f0adfe6a045ebd1b17ee51c

SHA512
550222fa0ea026e02b924540a23f73350c86d52ae62a7a1f6d7f3d247daa18b8e3d4ac1afb90075671ec420ed2bcbe9bfd2004cd45db804a24a043b1a28507bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ad5f9b97bbb351241efcd511642a529b

SHA1
ba9090adfc371ee50e8ab3c9b2cbc6b14fa9fa69

SHA256
d3059c9adeee0ebbe97ba441adca99c7979f70560f0adfe6a045ebd1b17ee51c

SHA512
550222fa0ea026e02b924540a23f73350c86d52ae62a7a1f6d7f3d247daa18b8e3d4ac1afb90075671ec420ed2bcbe9bfd2004cd45db804a24a043b1a28507bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ad5f9b97bbb351241efcd511642a529b

SHA1
ba9090adfc371ee50e8ab3c9b2cbc6b14fa9fa69

SHA256
d3059c9adeee0ebbe97ba441adca99c7979f70560f0adfe6a045ebd1b17ee51c

SHA512
550222fa0ea026e02b924540a23f73350c86d52ae62a7a1f6d7f3d247daa18b8e3d4ac1afb90075671ec420ed2bcbe9bfd2004cd45db804a24a043b1a28507bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
00c4163545d20a4309b89dc1241ef854

SHA1
3301437b64335844231702388258a34204032606

SHA256
90c26f3baa6628b4b2de0de5358c5c6c0e010a9231892e2e2aeabe22312c3b9b

SHA512
c24ad1b5dc3e4b8f2ee028a89dd483a6118ad578c3ce1edda572b102f3db5569422fa9bb56685cce38dcbde7c1984abdb4d854b7570e51a01a1e44e3b8db1582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bf6a70317b24d082bc7536f97a63f98d

SHA1
8794e1a0be15af2869e3713b2015e9d7bd91bfa5

SHA256
440466e74d987ead804ffe6aa68c1138102e737e3bb9c9724a64cea442142f86

SHA512
a561bf57ea200b239b45e1634fc3c6c5903850512e7e669b1db567c529485d45b0e536f8e362d87558dceafa3c6915f3e3d39aa40b7a8d3ed9f12ae768b26fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bf6a70317b24d082bc7536f97a63f98d

SHA1
8794e1a0be15af2869e3713b2015e9d7bd91bfa5

SHA256
440466e74d987ead804ffe6aa68c1138102e737e3bb9c9724a64cea442142f86

SHA512
a561bf57ea200b239b45e1634fc3c6c5903850512e7e669b1db567c529485d45b0e536f8e362d87558dceafa3c6915f3e3d39aa40b7a8d3ed9f12ae768b26fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
6726652953527f42be977f5e76efe194

SHA1
8ffcb854e53d2991b8d2a3d5616c066dc5d36d31

SHA256
2fcb11090c2b4656fad07c82c41256de1484da4b2f4ed50db308f6f1cd9f5944

SHA512
6a0e13479c406a32c057a4e972cedd0a2bb233c2713c2aa0b0c82eb09d8f832a7e794623df7fff916e236d17a04f81d7a92ec744c9d79284bb38ad3cf5b8437a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
11c4b8a6c3d3e07cacfc1d7fa579d9bc

SHA1
08906fa833819aab6a6af02cdadd61c637fd5833

SHA256
872f5b36d4171e68164a1d9ac90914617557a9fad7ea4522f8bf3ae58347fd17

SHA512
6235811de451d92a947fc14f12d1a3c5c94c1dbaef730c348a522079966f8345226bd55e04e5a2a7598c294516250449202ac00d2a90dab05e4ad32e0a97447b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
409cced0a84c54b1264ba77c75db9582

SHA1
00838e73fe9cbd37ce1e89e71996fc77d85c1ea6

SHA256
3f02c3a1b58bfcda39a2eb87b9278b4d5776d9f712c2c206a9c41397b16f1578

SHA512
6e8f94c7ae9cdc50df8d17e73e5206fbdded0c374a5a35e65c4eee34dcd31f6094e1226280a8fee4d34456acd6ba5b8493c53435f390477b29d8a1b33c307a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
48a199a4ea35f7f92d28f1428d008e3f

SHA1
53a571804f47742099e335e5ad48bfe923036a09

SHA256
4f36529807304bf8aa78ce42676b21b196ff5fdd9ffa38928b7a93258820a7a2

SHA512
97adfab809786b4512bd7c0d5be93d1980999ecdfe06ba341781e78d873f0c955f98d72d6143015aafd6845421d123bba52d9c47f9579213ab4dec43f02b6452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
48a199a4ea35f7f92d28f1428d008e3f

SHA1
53a571804f47742099e335e5ad48bfe923036a09

SHA256
4f36529807304bf8aa78ce42676b21b196ff5fdd9ffa38928b7a93258820a7a2

SHA512
97adfab809786b4512bd7c0d5be93d1980999ecdfe06ba341781e78d873f0c955f98d72d6143015aafd6845421d123bba52d9c47f9579213ab4dec43f02b6452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
48a199a4ea35f7f92d28f1428d008e3f

SHA1
53a571804f47742099e335e5ad48bfe923036a09

SHA256
4f36529807304bf8aa78ce42676b21b196ff5fdd9ffa38928b7a93258820a7a2

SHA512
97adfab809786b4512bd7c0d5be93d1980999ecdfe06ba341781e78d873f0c955f98d72d6143015aafd6845421d123bba52d9c47f9579213ab4dec43f02b6452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b9c28a5c73cd8293e5daa7903ce9dcab

SHA1
63bf500f177fe9a890b5d98bdc0e72eeb0571160

SHA256
f252ac9e0319c8576f044406c5b116aec3cbc32d13642fa6e4d5162d78999902

SHA512
58f5c3b53f33c63e77bf01f29dd34f8daa529f5fcf3bfd6b4f525815066c42ec6d325543d0a445b39579239a9073299f4a7f13dfe3d58076307e5b6a128bc615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
475c5afd225a4b9b4ac0dbcc2cf12a02

SHA1
b912939d632e276e9c9327c600706c849a69098c

SHA256
87f20c92d43f2a916202e474bd255af4a54d7890707eb4a4d6fbe3be328ac4e5

SHA512
897d27d7602d435249a57a094814c082861c4e1329c23309c14455899669da3205d087a2ad7439ff97da4b2065a0e9b5cc2355758926063396e292e449b0482f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
475c5afd225a4b9b4ac0dbcc2cf12a02

SHA1
b912939d632e276e9c9327c600706c849a69098c

SHA256
87f20c92d43f2a916202e474bd255af4a54d7890707eb4a4d6fbe3be328ac4e5

SHA512
897d27d7602d435249a57a094814c082861c4e1329c23309c14455899669da3205d087a2ad7439ff97da4b2065a0e9b5cc2355758926063396e292e449b0482f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
cb628af5183deacf8b7a8214bddabd71

SHA1
9864dd0bb825e30039f1ea3e7e4ebd69117ec2f8

SHA256
71415f9d94d3c31cf70c756b168bb02d7f566dc58ea490dc1f32e215c6339a0a

SHA512
cac48f77d1e3a5549a253008cc1059908562594f00a4d6eb93f1204c0290d64d794240527de7962c935682c7c059efa6a3f017d2d8fcac172d0e470b6b1b417b

Download Submit
C:\Users\Admin\AppData\Local\Temp\14aedfb2-94db-409a-828e-88503a9f9c5d.vbs

Filesize
758B

MD5
fc875cd6d7dda41959fc6bb3ffc8cf59

SHA1
b88b324328587cba5f37a3c60fea4fea3445d6c8

SHA256
00a1a7b04a16e72acbeaa03e389e3ca423113d9afbf1147bdb47f5bebdeb4981

SHA512
ae605be26d6f10a14927450634748c9b6b1c94565074fb398b038f6dfe5c167a87b1f0913c6f162d38ebd0881a16d625246b5b2c71b5bc42e963914ca0620388

Download Submit
C:\Users\Admin\AppData\Local\Temp\PNfa8RQ2hP.bat

Filesize
207B

MD5
9c33882f6bd77c4ea24ab1bb5a66b71c

SHA1
230646b46eb7dde26c8f77bfe553fe52acc570b4

SHA256
834c5627efa024f0def521f31827faec1cdbe60fbe4db43146763719e157af8c

SHA512
b9ca3abf2fac0c6ac8a3a574d4305865727d6cc6bdaf1fa3687c06265e035c0b37522af6663f56fcb9629fa5a8641c9e1e267f1ab32d2555bd253e56dfc83db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b45777ff-2650-4159-bcbe-f83592bdda8d.vbs

Filesize
534B

MD5
3d1b04c7fe1bae2eab07a4cc1c1d7d88

SHA1
2841f9fafe4b2a54155a723861207679e526acbc

SHA256
c9ce6776cb666eff2272d28c7ecfb90162ac387119a95a8dd42afc6def9c8d9b

SHA512
88bac0eb054ab58da3adf810c8b889be7b8d11e995f1749aa23d22ab62e9a2058c1640fbd5e6faa9eb622cb091cb3515e32b8d07fc1e61e6386b6f6f1d753d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfmU82gIBQ.bat

Filesize
247B

MD5
4eaf54135b203662913a53095ed6a2fa

SHA1
e9a9626baffcc6ff92eb543b170a7207cddcf47d

SHA256
ab9a8b0c1a39ea64d5df4ee7dbabfeeeb1ae609451cfad7b17a01fccbd355752

SHA512
a764e154fb56ed26f6e32b17e9240096ce854e75ab94ee2c0c49c11f7e42d790c36dc23835b123ded75c34796b8aac67fbd23f6507807e94f3df7d9fc1addb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Nonntontb\Nonntontb.exe

Filesize
1.1MB

MD5
1466f001f010dfed5838484c2fb25a56

SHA1
489c707fd9d43574e536b4da4f15d3965d57c2fc

SHA256
d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

SHA512
35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Nonntontb\Nonntontb.exe

Filesize
1.1MB

MD5
1466f001f010dfed5838484c2fb25a56

SHA1
489c707fd9d43574e536b4da4f15d3965d57c2fc

SHA256
d3c18746bd2a2cb25e714a40be7a3e94d5bab0d924db7160ef8cc82a7f0848bc

SHA512
35fb65a70892c86f3e8ae97e84648d089e7bad8ff567503d2322d24fbee953a7ccef49611c8e4ad98b29cd0b926699a48d11a10c189e7e903dcb529ed23a75e0

Download Submit
memory/204-331-0x0000000070570000-0x00000000705BC000-memory.dmp

Filesize
304KB

Download
memory/384-313-0x0000000070570000-0x00000000705BC000-memory.dmp

Filesize
304KB

Download
memory/480-325-0x0000000070570000-0x00000000705BC000-memory.dmp

Filesize
304KB

Download
memory/548-286-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/860-285-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/1088-242-0x0000000006330000-0x0000000006396000-memory.dmp

Filesize
408KB

Download
memory/1088-240-0x0000000005BE0000-0x0000000006208000-memory.dmp

Filesize
6.2MB

Download
memory/1088-239-0x00000000033C0000-0x00000000033F6000-memory.dmp

Filesize
216KB

Download
memory/1088-241-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/1088-243-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/1088-245-0x0000000006E90000-0x0000000006EAA000-memory.dmp

Filesize
104KB

Download
memory/1088-244-0x0000000007FF0000-0x000000000866A000-memory.dmp

Filesize
6.5MB

Download
memory/1092-284-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/1168-283-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/1404-289-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/2576-287-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/2724-288-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/3364-328-0x0000000070570000-0x00000000705BC000-memory.dmp

Filesize
304KB

Download
memory/3436-362-0x0000000008F50000-0x000000000947C000-memory.dmp

Filesize
5.2MB

Download
memory/3436-361-0x0000000008510000-0x00000000086D2000-memory.dmp

Filesize
1.8MB

Download
memory/3848-291-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/4088-330-0x0000000070570000-0x00000000705BC000-memory.dmp

Filesize
304KB

Download
memory/4116-257-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/4116-260-0x0000000005AF0000-0x0000000005B40000-memory.dmp

Filesize
320KB

Download
memory/4116-256-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4116-259-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/4236-326-0x0000000070570000-0x00000000705BC000-memory.dmp

Filesize
304KB

Download
memory/4368-329-0x0000000070570000-0x00000000705BC000-memory.dmp

Filesize
304KB

Download
memory/4468-276-0x0000000007720000-0x0000000007728000-memory.dmp

Filesize
32KB

Download
memory/4468-264-0x0000000007580000-0x000000000758A000-memory.dmp

Filesize
40KB

Download
memory/4468-272-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download
memory/4468-261-0x00000000073A0000-0x00000000073D2000-memory.dmp

Filesize
200KB

Download
memory/4468-266-0x0000000006040000-0x000000000604E000-memory.dmp

Filesize
56KB

Download
memory/4468-265-0x00000000077C0000-0x0000000007856000-memory.dmp

Filesize
600KB

Download
memory/4468-262-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/4468-263-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/4572-327-0x0000000070570000-0x00000000705BC000-memory.dmp

Filesize
304KB

Download
memory/4588-290-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/4800-170-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-152-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-134-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-237-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/4800-132-0x0000000000760000-0x0000000000884000-memory.dmp

Filesize
1.1MB

Download
memory/4800-133-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-196-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-194-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-192-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-190-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-188-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-186-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-184-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-182-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-180-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-178-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-176-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-166-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-172-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-136-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-138-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-140-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-174-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-164-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-158-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-162-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-142-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-160-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-144-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-156-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-154-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-168-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-150-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-148-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4800-146-0x00000000062F0000-0x0000000006331000-memory.dmp

Filesize
260KB

Download
memory/4976-292-0x0000000075060000-0x00000000750AC000-memory.dmp

Filesize
304KB

Download
memory/5060-356-0x000000006FA70000-0x000000006FABC000-memory.dmp

Filesize
304KB

Download