dcrat | 5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
Size

1.7MB
MD5

c6419678552ecc4e3b7ab9fb8af14746
SHA1

1f7473310ee24366acec3b901412adedf7be8308
SHA256

5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86
SHA512

f3dcccd3110d065d9453add7b28975bed60d010199798710d21064ef0b54acebcc4b4ed1090a3335bb1050d468b37c9e864a3cf9ab948af77dfc8a8d6b5454b1
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvC:eTHUxUoh1IF9gl2t

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	1152	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	1152	schtasks.exe	82

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/212-1-0x0000000000FB0000-0x0000000001170000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c92-30.dat	dcrat
behavioral2/files/0x000b000000023c9b-106.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3500	powershell.exe
3108	powershell.exe
1476	powershell.exe
4084	powershell.exe
3688	powershell.exe
1876	powershell.exe
2772	powershell.exe
3236	powershell.exe
2912	powershell.exe
1960	powershell.exe
1556	powershell.exe
1336	powershell.exe
808	powershell.exe
1664	powershell.exe
4472	powershell.exe
4204	powershell.exe
3032	powershell.exe
3928	powershell.exe
4576	powershell.exe
3448	powershell.exe
4688	powershell.exe
3864	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe

Executes dropped EXE 7 IoCs

pid	Process
1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
1424	SearchApp.exe
1276	SearchApp.exe
4112	SearchApp.exe
468	SearchApp.exe
4884	SearchApp.exe
5060	SearchApp.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXB492.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\38384e6a620884	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\TextInputHost.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\OfficeClickToRun.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\OfficeClickToRun.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\OfficeClickToRun.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\55b276f4edf653	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXB491.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\e6c9b481da804f	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\fontdrvhost.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Internet Explorer\de-DE\e6c9b481da804f	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCXB28C.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Windows Defender\ja-JP\wininit.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\TextInputHost.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXB714.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\SearchApp.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\fontdrvhost.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\5b884080fd4f94	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\ModifiableWindowsApps\spoolsv.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files (x86)\Windows Media Player\9e8d7a4ca61bd9	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\69ddcba757bf72	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCXB27B.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\22eafd247d37c3	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Internet Explorer\de-DE\OfficeClickToRun.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXB713.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\SearchApp.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Windows Defender\ja-JP\56085415360792	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\wininit.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\OfficeClickToRun.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..m-install.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c77078a0a016b2f8\RuntimeBroker.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\ja-JP\6203df4a6bafc7	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Windows\TAPI\RCXB919.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Windows\TAPI\RCXB91A.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\SystemResources\CallingShellApp\RuntimeBroker.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Windows\ja-JP\lsass.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\38384e6a620884	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\ja-JP\lsass.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\rescache\_merged\upfc.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\SystemResources\CallingShellApp\9e8d7a4ca61bd9	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Windows\SystemResources\CallingShellApp\RuntimeBroker.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\TAPI\e6c9b481da804f	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Windows\TAPI\OfficeClickToRun.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4404	schtasks.exe
3124	schtasks.exe
3276	schtasks.exe
3544	schtasks.exe
1476	schtasks.exe
3244	schtasks.exe
3900	schtasks.exe
1984	schtasks.exe
4976	schtasks.exe
4516	schtasks.exe
3900	schtasks.exe
1964	schtasks.exe
3480	schtasks.exe
3448	schtasks.exe
2952	schtasks.exe
1464	schtasks.exe
2312	schtasks.exe
320	schtasks.exe
4940	schtasks.exe
4932	schtasks.exe
5080	schtasks.exe
3576	schtasks.exe
3556	schtasks.exe
808	schtasks.exe
2396	schtasks.exe
4584	schtasks.exe
3060	schtasks.exe
3120	schtasks.exe
1664	schtasks.exe
5056	schtasks.exe
4112	schtasks.exe
3928	schtasks.exe
4344	schtasks.exe
4172	schtasks.exe
4280	schtasks.exe
2012	schtasks.exe
3452	schtasks.exe
1072	schtasks.exe
2952	schtasks.exe
2132	schtasks.exe
4936	schtasks.exe
2788	schtasks.exe
1876	schtasks.exe
3768	schtasks.exe
3772	schtasks.exe
3828	schtasks.exe
2908	schtasks.exe
1552	schtasks.exe
4412	schtasks.exe
4416	schtasks.exe
1204	schtasks.exe
1472	schtasks.exe
4052	schtasks.exe
4364	schtasks.exe
628	schtasks.exe
1316	schtasks.exe
3232	schtasks.exe
4372	schtasks.exe
848	schtasks.exe
816	schtasks.exe
1500	schtasks.exe
2120	schtasks.exe
2208	schtasks.exe
3780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
1876	powershell.exe
1876	powershell.exe
3928	powershell.exe
3928	powershell.exe
3688	powershell.exe
3688	powershell.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
4576	powershell.exe
4576	powershell.exe
808	powershell.exe
808	powershell.exe
3500	powershell.exe
3500	powershell.exe
1336	powershell.exe
1336	powershell.exe
4084	powershell.exe
4084	powershell.exe
3108	powershell.exe
3108	powershell.exe
3032	powershell.exe
3032	powershell.exe
2772	powershell.exe
2772	powershell.exe
1336	powershell.exe
3032	powershell.exe
3108	powershell.exe
2772	powershell.exe
808	powershell.exe
1876	powershell.exe
3928	powershell.exe
3688	powershell.exe
4576	powershell.exe
4084	powershell.exe
3500	powershell.exe
1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1424	SearchApp.exe
Token: SeDebugPrivilege	1276	SearchApp.exe
Token: SeDebugPrivilege	4112	SearchApp.exe
Token: SeDebugPrivilege	468	SearchApp.exe
Token: SeDebugPrivilege	4884	SearchApp.exe
Token: SeDebugPrivilege	5060	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2772	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	102
PID 212 wrote to memory of 2772	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	102
PID 212 wrote to memory of 1876	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	103
PID 212 wrote to memory of 1876	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	103
PID 212 wrote to memory of 4576	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	104
PID 212 wrote to memory of 4576	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	104
PID 212 wrote to memory of 3108	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	105
PID 212 wrote to memory of 3108	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	105
PID 212 wrote to memory of 808	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	106
PID 212 wrote to memory of 808	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	106
PID 212 wrote to memory of 1336	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	107
PID 212 wrote to memory of 1336	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	107
PID 212 wrote to memory of 3500	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	108
PID 212 wrote to memory of 3500	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	108
PID 212 wrote to memory of 3688	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	109
PID 212 wrote to memory of 3688	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	109
PID 212 wrote to memory of 3928	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	110
PID 212 wrote to memory of 3928	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	110
PID 212 wrote to memory of 4084	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	112
PID 212 wrote to memory of 4084	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	112
PID 212 wrote to memory of 3032	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	113
PID 212 wrote to memory of 3032	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	113
PID 212 wrote to memory of 3236	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	124
PID 212 wrote to memory of 3236	212	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	124
PID 3236 wrote to memory of 4772	3236	cmd.exe	126
PID 3236 wrote to memory of 4772	3236	cmd.exe	126
PID 3236 wrote to memory of 1852	3236	cmd.exe	130
PID 3236 wrote to memory of 1852	3236	cmd.exe	130
PID 1852 wrote to memory of 3236	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	187
PID 1852 wrote to memory of 3236	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	187
PID 1852 wrote to memory of 3864	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	188
PID 1852 wrote to memory of 3864	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	188
PID 1852 wrote to memory of 1556	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	189
PID 1852 wrote to memory of 1556	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	189
PID 1852 wrote to memory of 1960	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	190
PID 1852 wrote to memory of 1960	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	190
PID 1852 wrote to memory of 1476	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	191
PID 1852 wrote to memory of 1476	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	191
PID 1852 wrote to memory of 4204	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	193
PID 1852 wrote to memory of 4204	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	193
PID 1852 wrote to memory of 4472	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	194
PID 1852 wrote to memory of 4472	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	194
PID 1852 wrote to memory of 1664	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	196
PID 1852 wrote to memory of 1664	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	196
PID 1852 wrote to memory of 3448	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	197
PID 1852 wrote to memory of 3448	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	197
PID 1852 wrote to memory of 2912	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	199
PID 1852 wrote to memory of 2912	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	199
PID 1852 wrote to memory of 4688	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	200
PID 1852 wrote to memory of 4688	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	200
PID 1852 wrote to memory of 2008	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	209
PID 1852 wrote to memory of 2008	1852	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	209
PID 2008 wrote to memory of 3556	2008	cmd.exe	211
PID 2008 wrote to memory of 3556	2008	cmd.exe	211
PID 2008 wrote to memory of 1424	2008	cmd.exe	213
PID 2008 wrote to memory of 1424	2008	cmd.exe	213
PID 1424 wrote to memory of 3472	1424	SearchApp.exe	214
PID 1424 wrote to memory of 3472	1424	SearchApp.exe	214
PID 1424 wrote to memory of 3972	1424	SearchApp.exe	215
PID 1424 wrote to memory of 3972	1424	SearchApp.exe	215
PID 3472 wrote to memory of 1276	3472	WScript.exe	216
PID 3472 wrote to memory of 1276	3472	WScript.exe	216
PID 1276 wrote to memory of 1644	1276	SearchApp.exe	217
PID 1276 wrote to memory of 1644	1276	SearchApp.exe	217

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
"C:\Users\Admin\AppData\Local\Temp\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6UXRAQMNZZ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
    "C:\Users\Admin\AppData\Local\Temp\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CGDF0LRJSG.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3556
    - - C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe
        
        "C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f88e909-f890-46d7-afc6-47f745aee39a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe
        
        C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c408ba34-9060-4c8c-b5f3-fe8c79ac4ccc.vbs"
        8⤵
        
        PID:1644
        
        C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe
        
        C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f510966-582e-413d-8bd4-ef305bac7f43.vbs"
        10⤵
        
        PID:3412
        
        C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe
        
        C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e68bb50-ea33-4825-b696-875be5e4e996.vbs"
        12⤵
        
        PID:5072
        
        C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe
        
        C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dfd8492-60fd-4636-9c96-718276e7520b.vbs"
        14⤵
        
        PID:2808
        
        C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe
        
        C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae1096db-ab21-4929-b91f-5f4a7a998d4a.vbs"
        16⤵
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fe97c53-fef6-4929-aeea-cb30815dd3df.vbs"
        16⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32bab946-64b4-4cbc-8898-63219f7b7bb2.vbs"
        14⤵
        
        PID:3708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\688aef12-d5b5-452d-a5ee-8f96f83fa3a1.vbs"
        12⤵
        
        PID:3536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a0b026f-6b8e-4d81-a3b1-58138991b894.vbs"
        10⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5eabfd1-afd0-4ebd-a664-f1292a5490b1.vbs"
        8⤵
        
        PID:2272
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b7375f0-1513-4540-a714-34b21a9b3630.vbs"
        6⤵
        
        PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\PackageManifests\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\PackageManifests\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Public\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c865" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86" /sc ONLOGON /tr "'C:\Users\Admin\Music\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c865" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\ssh\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\ssh\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\CallingShellApp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemResources\CallingShellApp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemResources\CallingShellApp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Documents\My Music\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a83ce2908066654f712d1858746bc3c4

SHA1
14887f0537ce076cdc91801fb5fa584b25f1089f

SHA256
7c32ae0eaa4fef7404ce708744116ab8ea17d9575bbb3b06eb41a443f963456f

SHA512
991b20116815c7db3497d0ede9a216c7b78795e65f898847ffec513692f0c24d146a123725d14a2e1e3efb5744a626dd025a364f2f55f581e21640794a0cc551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
75d224e238a397659d8e5cf458a41143

SHA1
d182d16283d3d864a2e328b677551428c29ad6df

SHA256
6a98fa5e6c5b77722f2bd8c855fd14d6bf545fc35b292252d1dc136b89ed2fee

SHA512
3477f3b4182ffdccc817de4242c8fcba706c193a0de5170cd023f8df3d330487d7e372556524b5a0fe1df56de40923700f3f8368eadf6601970e347cbcf078cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
291233c1b2c243cbe9a1698d04704969

SHA1
2d71b2b148b107af02b22951e95cc3c0cabdbff7

SHA256
951f831da23c4ebd0d95e57a26a9662cf7a700f3d3d3b873bfa5302a2a7d57c8

SHA512
04bac390b688d70910e1319a135b6c98bcd277a541e28dcc96ac9501d9a21adfc2be0e0860c069254d062d86c48af60af500e96a587d57f647177bb8831f868a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dfd8492-60fd-4636-9c96-718276e7520b.vbs

Filesize
747B

MD5
dc9fea433ac532aa3693886af4be3bb6

SHA1
fd4399d5435d3fcb4350034e6c77710a87dad568

SHA256
5c9221cad296352462cee08c30b676cf954a4fca0d1c34c769b48ae0b4eeb1e3

SHA512
54625ad9d8326ea857b4832383e541c0d40ad846083047575bde3e0ca3d9bda631de0d9f9130d0dc6f747df0bb87d702c727ba79730126f8f740cb31823cf738

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f510966-582e-413d-8bd4-ef305bac7f43.vbs

Filesize
747B

MD5
7383601398a2cf41dc41aa50e59e764a

SHA1
5db510d6041608f4a4ee666a8eccfaf9f508dec7

SHA256
586264ae87d16cfd7537e3bbbca3cc00b0e24825b889aa95d9963bea06a8e04e

SHA512
5368488956ed20742aab5d3c8e6272a745984c9553f9092a3d5b3b40f31f2afd3c206e745974317f476155a6e11155dbf755a2932fa800c39a7a3f58be128b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f88e909-f890-46d7-afc6-47f745aee39a.vbs

Filesize
747B

MD5
c393a2f555d869ba6e8b625f26dffb93

SHA1
a973778f273bc9458335f2076a7062d7fa9fc136

SHA256
a679235019e65ce50f8f8c410798fec97b4fe72398344993f22e22315488f45a

SHA512
77bc037d4706eb51227374df45d4073529ec51817f4732911c9153931e9561aa412d72e04cdbd04e5cd6fe0452de6a7c64decb28f1b6d819a392e04f07de5793

Download Submit
C:\Users\Admin\AppData\Local\Temp\6UXRAQMNZZ.bat

Filesize
267B

MD5
fae9c7aa50149c9e3190d1a4cab07de2

SHA1
2ad50451c4f545416cca679591df2302dd9887f7

SHA256
b604400f4b0e104b8cfffb29ca32aeccee3ed6fa26f28b07cbd5f13db3b34203

SHA512
2ee4d8cc3a10eb22bef1c9986a7453089e7b424a8ae6a252897bd5a2017d38806e600f9d929283feb5f525ed7170192250474e3a4163b596f3ba45e2c0207920

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b7375f0-1513-4540-a714-34b21a9b3630.vbs

Filesize
523B

MD5
c694123d6ed4299aa467ec9fd7221e52

SHA1
2f83d872eb71e179977a2389a0ac331796d3cc01

SHA256
1ad9b07b0454f1640cfe286ad1b92ada7531045ee3f072852f69dd534fe11573

SHA512
13442da34217b9a08e41c998af744ce61e99b5768b9c78202fa29e56c946fa81acf5e0db4a1114f0fcae4ab5bdc105b8d7c79221d3cfbd9f95a0ec566f9b9330

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e68bb50-ea33-4825-b696-875be5e4e996.vbs

Filesize
746B

MD5
010cc4d7126d0aa8ba4848735a606b59

SHA1
a710c981d15deb1c529febb59e6e2abc859a74ae

SHA256
c8af80a6cf94709507f153ca56637c3dc486fd201fc6427bb26bc31327fa3c93

SHA512
3641134447c5bf92f6d5f4810830e9141ec23b11c3b0e8ca4ae76ca8d84df3667378a41125ead7b6eeeb94c4283b5882f3b5658c7265e6dd9965bca597f0b22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGDF0LRJSG.bat

Filesize
236B

MD5
8f6e51500044252b085776d8a36d9cb0

SHA1
959c2909c29d6996cc6d4fb7c3e37ef4841b90be

SHA256
d2dc8436d32786f8243e7fa65df4a5efaf02d22b7a1fe6c5e52822410477e3c7

SHA512
1263374526ebcf1714a16e745b83ee18ed572c5955e745c069b4e8154932ed9b40c4a53b776f5bef838c677c671f1230fdfbe109ecfd155d49783ab862950a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eql15p3x.4b5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae1096db-ab21-4929-b91f-5f4a7a998d4a.vbs

Filesize
747B

MD5
05e183b3271de6eba1425a37fef5bf5c

SHA1
b19ca443d80e24b0dd86f3a9683f41c9fe6316d7

SHA256
2990f17210889c69b2a716f6090d91befb993f9ce285b3c775d3f5c1db5ba6e4

SHA512
1b1b62474d40836f3de050431375d3536ac8ac82c34f2e4b3d806d0dc8e152b87b83dc40c1079af909a8e8b3f290df66f4f5cffa96787618a6ba7248baea577e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c408ba34-9060-4c8c-b5f3-fe8c79ac4ccc.vbs

Filesize
747B

MD5
13bb01e730e1f090d92024a6cb37481c

SHA1
770a416cfd1f0830941bcaeafc5b42f709735762

SHA256
c15b02320752e39e4ae991ac56351719dfa730420cb7cc58a2dc35c7f93077b3

SHA512
fc3e9533da4121e5115804367f60ff81949e3837ad500e9372210494b447c718794298a77b3983ca7c2bd5670b405f12df753fe376cf83d4c4811f491a34d86d

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
1.7MB

MD5
d5d8c54e06a34d466e78611151d8bca7

SHA1
e72d4d5c758de20bac1fa2bc9b3c415a2d6afdfd

SHA256
e3196656c3e2e9eb730e87eb9b5dc8acd6121d0c08eccc9828585458caa0d0a1

SHA512
fcb636e9b13e2f76b516be3b8937979255c25ff369cf661b053558f1f664a7b5e6be724f70a838efa2b3755ded5901472422bff2ec4b6c9fc97c9807b7d3f3e6

Download Submit
C:\Windows\TAPI\OfficeClickToRun.exe

Filesize
1.7MB

MD5
c6419678552ecc4e3b7ab9fb8af14746

SHA1
1f7473310ee24366acec3b901412adedf7be8308

SHA256
5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86

SHA512
f3dcccd3110d065d9453add7b28975bed60d010199798710d21064ef0b54acebcc4b4ed1090a3335bb1050d468b37c9e864a3cf9ab948af77dfc8a8d6b5454b1

Download Submit
memory/212-13-0x000000001C9D0000-0x000000001CEF8000-memory.dmp

Filesize
5.2MB

Download
memory/212-10-0x000000001C400000-0x000000001C408000-memory.dmp

Filesize
32KB

Download
memory/212-109-0x00007FFB29E63000-0x00007FFB29E65000-memory.dmp

Filesize
8KB

Download
memory/212-153-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-23-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-22-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/212-19-0x000000001C6E0000-0x000000001C6EC000-memory.dmp

Filesize
48KB

Download
memory/212-17-0x000000001C5C0000-0x000000001C5C8000-memory.dmp

Filesize
32KB

Download
memory/212-18-0x000000001C6D0000-0x000000001C6DC000-memory.dmp

Filesize
48KB

Download
memory/212-16-0x000000001C5B0000-0x000000001C5BE000-memory.dmp

Filesize
56KB

Download
memory/212-15-0x000000001C5A0000-0x000000001C5AA000-memory.dmp

Filesize
40KB

Download
memory/212-14-0x000000001C420000-0x000000001C42C000-memory.dmp

Filesize
48KB

Download
memory/212-0-0x00007FFB29E63000-0x00007FFB29E65000-memory.dmp

Filesize
8KB

Download
memory/212-1-0x0000000000FB0000-0x0000000001170000-memory.dmp

Filesize
1.8MB

Download
memory/212-12-0x000000001C410000-0x000000001C422000-memory.dmp

Filesize
72KB

Download
memory/212-9-0x000000001BDC0000-0x000000001BDCC000-memory.dmp

Filesize
48KB

Download
memory/212-4-0x000000001C430000-0x000000001C480000-memory.dmp

Filesize
320KB

Download
memory/212-5-0x0000000003270000-0x0000000003278000-memory.dmp

Filesize
32KB

Download
memory/212-6-0x0000000003280000-0x0000000003290000-memory.dmp

Filesize
64KB

Download
memory/212-7-0x000000001C3E0000-0x000000001C3F6000-memory.dmp

Filesize
88KB

Download
memory/212-8-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/212-3-0x0000000003240000-0x000000000325C000-memory.dmp

Filesize
112KB

Download
memory/212-2-0x00007FFB29E60000-0x00007FFB2A921000-memory.dmp

Filesize
10.8MB

Download
memory/1876-121-0x000001CB5A650000-0x000001CB5A672000-memory.dmp

Filesize
136KB

Download
memory/5060-496-0x000000001BB70000-0x000000001BB82000-memory.dmp

Filesize
72KB

Download