dcrat | 34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
Size

1.7MB
MD5

588e6b61bedc53cff84d52ded6c201b0
SHA1

48e42d75a1852507a276c6a84f2ab43c750486f0
SHA256

34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6
SHA512

9b91d3c9b442790c16c22b2967fdcde3f6742f42c06304e4e34a6ab93620c6ff0170fddff5d7b447ce95528e4e10dc21cbe975a3b296f08d9d7275dc15c2aa30
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2160	schtasks.exe	28

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2904-1-0x0000000000870000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/files/0x0007000000018687-27.dat	dcrat
behavioral1/files/0x0008000000018f53-84.dat	dcrat
behavioral1/files/0x0013000000016d3e-167.dat	dcrat
behavioral1/files/0x0009000000019266-202.dat	dcrat
behavioral1/files/0x0008000000019356-213.dat	dcrat
behavioral1/memory/2828-389-0x0000000000140000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/1920-400-0x0000000000880000-0x0000000000A40000-memory.dmp	dcrat
behavioral1/memory/2424-412-0x0000000000A60000-0x0000000000C20000-memory.dmp	dcrat
behavioral1/memory/2484-424-0x0000000000F70000-0x0000000001130000-memory.dmp	dcrat
behavioral1/memory/1676-447-0x00000000012B0000-0x0000000001470000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1284	powershell.exe
2372	powershell.exe
1568	powershell.exe
1836	powershell.exe
2708	powershell.exe
2284	powershell.exe
2764	powershell.exe
2848	powershell.exe
800	powershell.exe
2984	powershell.exe
1852	powershell.exe
1804	powershell.exe
1608	powershell.exe
1728	powershell.exe
2348	powershell.exe
2308	powershell.exe
1776	powershell.exe
1300	powershell.exe
2512	powershell.exe
1512	powershell.exe
532	powershell.exe
2816	powershell.exe
1756	powershell.exe
2496	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe

Executes dropped EXE 8 IoCs

pid	Process
2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2828	winlogon.exe
1920	winlogon.exe
2424	winlogon.exe
2484	winlogon.exe
2884	winlogon.exe
1676	winlogon.exe
1080	winlogon.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCX9B8D.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\RCXAA4A.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\RCXACCB.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\e978f868350d50	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files (x86)\Reference Assemblies\cc11b995f2a76d	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\Idle.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\6ccacd8608530f	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\powershell.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\winlogon.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Internet Explorer\de-DE\dllhost.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCX9B8C.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\dllhost.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\Idle.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files (x86)\Reference Assemblies\winlogon.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCX9502.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\MSBuild\Microsoft\services.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXA19B.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXA19C.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Internet Explorer\de-DE\5940a34987c991	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\6cb0b6c459d5d3	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCX9501.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\MSBuild\Microsoft\c5b4cb5e9653cc	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\RCXAA4B.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\RCXACCC.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\cc11b995f2a76d	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\powershell.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\services.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\temp\RCX9707.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Windows\Globalization\ELS\Transliteration\RCX9D91.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\Cursors\csrss.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\PLA\Rules\conhost.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\CSC\powershell.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Windows\de-DE\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\assembly\temp\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\assembly\temp\ef13f2376f6376	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\Globalization\ELS\Transliteration\winlogon.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Windows\assembly\temp\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\Cursors\886983d96e3d3e	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\CSC\e978f868350d50	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\Globalization\ELS\Transliteration\cc11b995f2a76d	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Windows\Globalization\ELS\Transliteration\RCX9D92.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Windows\Globalization\ELS\Transliteration\winlogon.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\PLA\Rules\088424020bedd6	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\de-DE\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\de-DE\ef13f2376f6376	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Windows\assembly\temp\RCX9706.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Windows\Cursors\csrss.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Windows\PLA\Rules\conhost.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Windows\CSC\powershell.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe
2328	schtasks.exe
1516	schtasks.exe
3016	schtasks.exe
284	schtasks.exe
2712	schtasks.exe
1636	schtasks.exe
2316	schtasks.exe
2724	schtasks.exe
2232	schtasks.exe
2816	schtasks.exe
2672	schtasks.exe
1288	schtasks.exe
2120	schtasks.exe
2508	schtasks.exe
1488	schtasks.exe
2452	schtasks.exe
1984	schtasks.exe
1756	schtasks.exe
1080	schtasks.exe
2732	schtasks.exe
1708	schtasks.exe
2720	schtasks.exe
2884	schtasks.exe
2192	schtasks.exe
2404	schtasks.exe
2784	schtasks.exe
2576	schtasks.exe
3040	schtasks.exe
2128	schtasks.exe
744	schtasks.exe
2272	schtasks.exe
3048	schtasks.exe
1836	schtasks.exe
2424	schtasks.exe
2952	schtasks.exe
1932	schtasks.exe
2664	schtasks.exe
1976	schtasks.exe
2044	schtasks.exe
2520	schtasks.exe
2504	schtasks.exe
2704	schtasks.exe
2684	schtasks.exe
1960	schtasks.exe
2280	schtasks.exe
2352	schtasks.exe
1180	schtasks.exe
340	schtasks.exe
1928	schtasks.exe
1848	schtasks.exe
1528	schtasks.exe
2560	schtasks.exe
2808	schtasks.exe
2084	schtasks.exe
660	schtasks.exe
1972	schtasks.exe
3064	schtasks.exe
2636	schtasks.exe
1936	schtasks.exe
2652	schtasks.exe
1792	schtasks.exe
1668	schtasks.exe
1180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
1804	powershell.exe
2308	powershell.exe
1776	powershell.exe
2372	powershell.exe
2816	powershell.exe
1852	powershell.exe
2984	powershell.exe
2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
1300	powershell.exe
2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
1568	powershell.exe
800	powershell.exe
2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
1836	powershell.exe
2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
1284	powershell.exe
2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2828	winlogon.exe
Token: SeDebugPrivilege	1920	winlogon.exe
Token: SeDebugPrivilege	2424	winlogon.exe
Token: SeDebugPrivilege	2484	winlogon.exe
Token: SeDebugPrivilege	2884	winlogon.exe
Token: SeDebugPrivilege	1676	winlogon.exe
Token: SeDebugPrivilege	1080	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1776	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	73
PID 2904 wrote to memory of 1776	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	73
PID 2904 wrote to memory of 1776	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	73
PID 2904 wrote to memory of 2372	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	74
PID 2904 wrote to memory of 2372	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	74
PID 2904 wrote to memory of 2372	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	74
PID 2904 wrote to memory of 1804	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	75
PID 2904 wrote to memory of 1804	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	75
PID 2904 wrote to memory of 1804	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	75
PID 2904 wrote to memory of 2816	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	77
PID 2904 wrote to memory of 2816	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	77
PID 2904 wrote to memory of 2816	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	77
PID 2904 wrote to memory of 1284	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	78
PID 2904 wrote to memory of 1284	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	78
PID 2904 wrote to memory of 1284	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	78
PID 2904 wrote to memory of 1852	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	79
PID 2904 wrote to memory of 1852	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	79
PID 2904 wrote to memory of 1852	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	79
PID 2904 wrote to memory of 2984	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	81
PID 2904 wrote to memory of 2984	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	81
PID 2904 wrote to memory of 2984	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	81
PID 2904 wrote to memory of 800	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	82
PID 2904 wrote to memory of 800	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	82
PID 2904 wrote to memory of 800	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	82
PID 2904 wrote to memory of 2308	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	84
PID 2904 wrote to memory of 2308	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	84
PID 2904 wrote to memory of 2308	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	84
PID 2904 wrote to memory of 1568	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	88
PID 2904 wrote to memory of 1568	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	88
PID 2904 wrote to memory of 1568	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	88
PID 2904 wrote to memory of 1836	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	89
PID 2904 wrote to memory of 1836	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	89
PID 2904 wrote to memory of 1836	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	89
PID 2904 wrote to memory of 1300	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	91
PID 2904 wrote to memory of 1300	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	91
PID 2904 wrote to memory of 1300	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	91
PID 2904 wrote to memory of 2944	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	97
PID 2904 wrote to memory of 2944	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	97
PID 2904 wrote to memory of 2944	2904	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	97
PID 2944 wrote to memory of 532	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	130
PID 2944 wrote to memory of 532	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	130
PID 2944 wrote to memory of 532	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	130
PID 2944 wrote to memory of 2848	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	131
PID 2944 wrote to memory of 2848	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	131
PID 2944 wrote to memory of 2848	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	131
PID 2944 wrote to memory of 1512	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	132
PID 2944 wrote to memory of 1512	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	132
PID 2944 wrote to memory of 1512	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	132
PID 2944 wrote to memory of 2348	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	133
PID 2944 wrote to memory of 2348	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	133
PID 2944 wrote to memory of 2348	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	133
PID 2944 wrote to memory of 2496	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	136
PID 2944 wrote to memory of 2496	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	136
PID 2944 wrote to memory of 2496	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	136
PID 2944 wrote to memory of 1756	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	139
PID 2944 wrote to memory of 1756	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	139
PID 2944 wrote to memory of 1756	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	139
PID 2944 wrote to memory of 2764	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	140
PID 2944 wrote to memory of 2764	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	140
PID 2944 wrote to memory of 2764	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	140
PID 2944 wrote to memory of 2512	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	141
PID 2944 wrote to memory of 2512	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	141
PID 2944 wrote to memory of 2512	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	141
PID 2944 wrote to memory of 2284	2944	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
"C:\Users\Admin\AppData\Local\Temp\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Users\Admin\AppData\Local\Temp\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
  "C:\Users\Admin\AppData\Local\Temp\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IkPMKNTTUa.bat"
    3⤵
    PID:1288
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2000
  - - C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe
      "C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2828
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\705f9e3f-6b64-49a9-99e8-58e184cf2e8e.vbs"
        5⤵
        
        PID:824
      - C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec8274f0-bd9d-445d-9a41-72d6e3a9dfbf.vbs"
        7⤵
        
        PID:1264
        
        C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63c0ef11-d0f6-42b1-af25-dedfdf64db0b.vbs"
        9⤵
        
        PID:2344
        
        C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4266e1ad-b150-43f0-97f9-0bf394355616.vbs"
        11⤵
        
        PID:1784
        
        C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35fe19d8-72b9-4fb1-9813-fea987a8ca3d.vbs"
        13⤵
        
        PID:1720
        
        C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\298a76f7-d7b8-4f32-9047-b7435a59962d.vbs"
        15⤵
        
        PID:1896
        
        C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ffe715a-c6fb-45f4-8ade-f228df48ce99.vbs"
        17⤵
        
        PID:672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39f35972-26fc-48c3-80fa-6bc76bbdef12.vbs"
        17⤵
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\356f3687-fa58-4cd0-aa89-927b08fc0198.vbs"
        15⤵
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b3cd5a6-ed2b-4600-9e17-87632e009a7c.vbs"
        13⤵
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcf83965-94c0-4d82-a8e7-9dbedd4f7215.vbs"
        11⤵
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85b024fd-ddb6-4eed-b6c9-1369b2324736.vbs"
        9⤵
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cfa1f26-b20b-4323-80a7-81989eabc0bb.vbs"
        7⤵
        
        PID:2328
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ac9d212-f0a8-47b8-9325-09ec4fc63817.vbs"
        5⤵
        
        PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N3" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\temp\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N" /sc ONLOGON /tr "'C:\Windows\assembly\temp\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N3" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\temp\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\ELS\Transliteration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N3" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N3" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\en-US\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Rules\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Rules\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N3" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N" /sc ONLOGON /tr "'C:\Windows\de-DE\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N3" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Windows\CSC\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\CSC\powershell.exe'" /rl HIGHEST /f
1⤵
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Windows\CSC\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe

Filesize
1.7MB

MD5
be3bf5361efe3d272b758892c3641284

SHA1
e134fca540e7a34c43246d5edac733a840f472eb

SHA256
b51dbd51596e77e91bc15d2335e60dd2d812aec75b0eb9f6d18275d7b1db3257

SHA512
0488021149f837ad022b2b806c26946c933180a649ff3ccc32213b49f07d0fc95b525a0670a340027a279b9151b9dce59aa905fbfaad32bbf305a4f361d34199

Download Submit
C:\Users\Admin\AppData\Local\Temp\298a76f7-d7b8-4f32-9047-b7435a59962d.vbs

Filesize
746B

MD5
4793be7e69c877dc5b475f71eb1cc9c3

SHA1
6149dda43db7859ceda1ee8b16c2b1f99ef6364a

SHA256
417d5694943b191ecc90eea330625d24c968775a44c349843d0fe33936b93362

SHA512
2f8adcbd6ed8cf114400a326020a884e56f16972d3468f22a3f20fbc9d0fde043d7e78a6dc83a2e724bbc0e8075f0cac81620e3b5e11ac33fe162310a8b3b0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\35fe19d8-72b9-4fb1-9813-fea987a8ca3d.vbs

Filesize
746B

MD5
b6ae423dc4670401e73cdd188991d5b0

SHA1
92bc288e99a7441b68719cce21a6fc53e4f7de30

SHA256
8d6186c5b961dc455388ca60ed1628e5cf316ba967f63ad57ae7bbc335b6b5bc

SHA512
0246eea678687afa7fe350c0ed353af6b25b0148bc62113df07ee9216b9fd2d583c79951f2738e5c6164f4949d58037e3dec9af3697d7a9caedee901fba84517

Download Submit
C:\Users\Admin\AppData\Local\Temp\4266e1ad-b150-43f0-97f9-0bf394355616.vbs

Filesize
746B

MD5
3c372df3a228d3ce303b7288f0bcf874

SHA1
f9e193f4a6a9c2ea3f851c19e715bfe51cd1f354

SHA256
b9b55e937ec34a0750d4154f06d36b79fd5f7ca104aea26cd44a5f477b9b262b

SHA512
c1203b504f5c8325c11f18a56125f420b5deaf52dd0c32d387067ee9630714ba63d7cd20ac02ad580fb9e3569bcde6ce04749938cf29e4b0a21a3000cf557bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\63c0ef11-d0f6-42b1-af25-dedfdf64db0b.vbs

Filesize
746B

MD5
2585276bb7cf3254af5c88f5ef18fdaa

SHA1
bb55b333178ec92c2ebac010741f667da16d33ae

SHA256
91a284a4992619cfe2bd1477f64686a68d98956f5ebfc8f356bf3da83bc05f32

SHA512
fa031d7deabbe150347d4138a7c32a32eb081bb9e9b6abb4298511f6d9d3df344c132ea19a3468255f0f363017c74c09ac6e2db2fe3a777d73a68936f681c3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\705f9e3f-6b64-49a9-99e8-58e184cf2e8e.vbs

Filesize
746B

MD5
b9292a46a6e91f6c3571f4fc201da8df

SHA1
7523080a2946c1293bb341751c6c22bf06f3a027

SHA256
f808a1c0d404a9cc6e12eda1bb5bfd04e0a8bd8cc5d49c487ce025ff0c87e5b0

SHA512
1c3f69f627ca2750805b2cc0b82e1d749ef590791562187d39d314d9836dcbe9f7fe560689826ef2a7f4b3e4873d1fc8a880e52c53de2b656b10ede9ab3b26b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ac9d212-f0a8-47b8-9325-09ec4fc63817.vbs

Filesize
522B

MD5
2526cbdec05b355a6ecabc413b458a96

SHA1
d19e5afb1ee3c3c10b1ffc17a303178d8e127843

SHA256
0d3df71d198ef2ccc77e6b2f4235642d75e5b737f5159df3e166a84de7fa329a

SHA512
ef84c767cf6ad382601c190fb910f3e9fa1cfa58f83819a8be6b39267d51d415572e22dcda700ce5d9e7772a738f45f051f754061d20bed4edbc86cafca6aa7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ffe715a-c6fb-45f4-8ade-f228df48ce99.vbs

Filesize
746B

MD5
57df15570bf317430c012e3e224faacc

SHA1
c14a0268805b7c8a18ca5229b4276091788aa5bc

SHA256
2191700796fb458d19564e6d6d0806db3379fd32cce467db00e9a9fd496dcd9b

SHA512
958acb2fc428047d34419fc856ccc66f33837ec92da427b06e16971dfc1bad6c9d208b0a43be1e9c544f18335366ca794d828728fc6692e2c930102d0e3e0d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkPMKNTTUa.bat

Filesize
235B

MD5
dfc582b9ca902e84e72421d4706f2a31

SHA1
a608147ba99c55af8e1e7d21956fc9f066fadf42

SHA256
83acea7b3c6836c504e36ec796878004593d1e29a96e0e08a1f1f79c43ed7702

SHA512
23ee264c37b8d0580922425b07537bf4e7ea5f5412188f9c051ac0ee6f1b8045de87f395c03f78d81451dcab81bce69195cd24c27458c0990cd66cde3435da3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec8274f0-bd9d-445d-9a41-72d6e3a9dfbf.vbs

Filesize
746B

MD5
eb51f268a99d297a30efdd4423c20575

SHA1
11be38a0c0709704889f000b1c5e4a79fe6cca54

SHA256
0f6b2374e9677d375bfd430a75011ad293e5fbe084c49e8529e27aa742c28d64

SHA512
1d3fd7667b014cfe4bb7fabc644cc916f4fa8656180f8e0f663c9e0f539de6b474acfa5a1ef6733be89dd99bece22f907827d55a5492cf80da4a3fed2735e061

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d0f3c87d59c54fa35c26686aaf941bdb

SHA1
b6449b79aecdf166d02a547ca9964e85957c4dbf

SHA256
36a1b06c3f6453dcb463db8fdda31877575439a185c30b535ffacbff72bb8b91

SHA512
1ca567fb6938a9d5464b3b93b482581189a889ac19f67891e7609c0c72478145ae536fd2c663f27608e35d34f41d6a9cd35dd588277d05c8c625c94e07d22ba8

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\wininit.exe

Filesize
1.7MB

MD5
89646008ac4ed55d5c7c913c7823164b

SHA1
e6f7785bb41471419f30951fee28acb4f52b8340

SHA256
bc9da1d37ae56ca72f6392550a33111efb6f7a4efffd0cbe0213047956719668

SHA512
e3dfae9c96754db2421b3cc056a65490c713c9dfd280bf5fbe02283c452b42e83fcb5ccc15fd81ea7f8d0676e59edb364ec20f41111140fc285d4bc462865a72

Download Submit
C:\Users\Default\winlogon.exe

Filesize
1.7MB

MD5
0499906e56113afacb4f50e4578ff980

SHA1
55529ceb753762bcdd8fb8f6358d13a22434b8cc

SHA256
f9d8addd4eced6d906859a398d13f8d444d31bc01b7cdced5f2237fcb0ac9e71

SHA512
7a7f479e4fe568abb70111d4b99d04456f147ff5dfeb634da57520e9f5b746c09eae95f1560bee2aab9dcd04ba1365d87b2d31e5ff3173e52e653918fa5668e2

Download Submit
C:\Users\Public\Desktop\System.exe

Filesize
1.7MB

MD5
ed86638cbe6171f35c748e7e1827f448

SHA1
43173008bbb5864b15632723726945bc28578aab

SHA256
5a8ef8558983dddfff5b7c96ea12b104ff9a5e9a97c67d4a58fac1e4a567d261

SHA512
986cf1eab079d2c9f073edaba750b86bde565f7890467436b802ee275d7fedcf4f80db4b8a72ae42d6889027d5e1a9d6f176352e2eaefdab2465b5965b1994e7

Download Submit
C:\Windows\Globalization\ELS\Transliteration\winlogon.exe

Filesize
1.7MB

MD5
588e6b61bedc53cff84d52ded6c201b0

SHA1
48e42d75a1852507a276c6a84f2ab43c750486f0

SHA256
34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6

SHA512
9b91d3c9b442790c16c22b2967fdcde3f6742f42c06304e4e34a6ab93620c6ff0170fddff5d7b447ce95528e4e10dc21cbe975a3b296f08d9d7275dc15c2aa30

Download Submit
memory/1676-447-0x00000000012B0000-0x0000000001470000-memory.dmp

Filesize
1.8MB

Download
memory/1776-236-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1920-400-0x0000000000880000-0x0000000000A40000-memory.dmp

Filesize
1.8MB

Download
memory/2308-241-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2424-412-0x0000000000A60000-0x0000000000C20000-memory.dmp

Filesize
1.8MB

Download
memory/2484-424-0x0000000000F70000-0x0000000001130000-memory.dmp

Filesize
1.8MB

Download
memory/2828-389-0x0000000000140000-0x0000000000300000-memory.dmp

Filesize
1.8MB

Download
memory/2848-332-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2848-333-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2904-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2904-11-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/2904-15-0x0000000002120000-0x0000000002128000-memory.dmp

Filesize
32KB

Download
memory/2904-257-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-16-0x0000000002130000-0x000000000213C000-memory.dmp

Filesize
48KB

Download
memory/2904-20-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-216-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-13-0x0000000002100000-0x000000000210A000-memory.dmp

Filesize
40KB

Download
memory/2904-199-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2904-14-0x0000000002110000-0x000000000211E000-memory.dmp

Filesize
56KB

Download
memory/2904-12-0x00000000020F0000-0x00000000020FC000-memory.dmp

Filesize
48KB

Download
memory/2904-17-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/2904-9-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2904-8-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2904-7-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2904-6-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/2904-5-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/2904-4-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2904-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2904-2-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-1-0x0000000000870000-0x0000000000A30000-memory.dmp

Filesize
1.8MB

Download