dcrat | 448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5eca

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
Size

1.7MB
MD5

b09d4f8b9be1ca3790fafb6c5faf66a0
SHA1

d17af72bde97583329a50fef411c3e3567b2578a
SHA256

448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5eca
SHA512

8036dcf63d62b6e9af455087c8009b6e429c86283a5fa8459ba0cee600808802029d2e1ea9e2cd47d53eac290f99189b6c8c5a9b1b97eb20b99586985fbe4470
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2744	schtasks.exe	30

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2508-1-0x00000000010C0000-0x0000000001280000-memory.dmp	dcrat
behavioral1/files/0x00080000000162b2-27.dat	dcrat
behavioral1/files/0x0008000000016a66-91.dat	dcrat
behavioral1/memory/1884-237-0x0000000000370000-0x0000000000530000-memory.dmp	dcrat
behavioral1/memory/1956-365-0x0000000000B90000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/1724-376-0x0000000000EE0000-0x00000000010A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2536	powershell.exe
2912	powershell.exe
2968	powershell.exe
2908	powershell.exe
2612	powershell.exe
268	powershell.exe
1136	powershell.exe
2508	powershell.exe
2016	powershell.exe
2900	powershell.exe
2764	powershell.exe
2892	powershell.exe
2996	powershell.exe
2152	powershell.exe
1900	powershell.exe
1124	powershell.exe
1852	powershell.exe
2888	powershell.exe
2884	powershell.exe
2412	powershell.exe
1352	powershell.exe
2752	powershell.exe
2988	powershell.exe
1596	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe

Executes dropped EXE 8 IoCs

pid	Process
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1956	Idle.exe
1724	Idle.exe
1484	Idle.exe
1712	Idle.exe
2424	Idle.exe
1588	Idle.exe
2440	Idle.exe

Drops file in Program Files directory 48 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\69ddcba757bf72	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Google\CrashReports\6ccacd8608530f	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXA71E.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Uninstall Information\lsm.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\56085415360792	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Windows Defender\fr-FR\58085bb96a3aee	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Mozilla Firefox\fonts\56085415360792	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX9C2C.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Uninstall Information\101b941d020240	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\spoolsv.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\RCX9342.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\Idle.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\RCXA0A2.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\System.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\24dbde2999530e	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Google\CrashReports\c5b4cb5e9653cc	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX9545.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\services.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\spoolsv.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXA2A6.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Uninstall Information\lsm.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Google\CrashReports\Idle.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Windows Sidebar\it-IT\27d1bcfc3c54e0	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Mozilla Firefox\fonts\wininit.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\RCX9341.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXA71D.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\6ccacd8608530f	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WmiPrvSE.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\smss.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX95B4.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX9C2D.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WmiPrvSE.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Windows Sidebar\it-IT\System.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\smss.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\RCXA0A1.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXA2A7.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Windows Defender\fr-FR\448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Google\CrashReports\services.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\wininit.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\f3b6ecef712a24	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\IME\smss.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\IME\69ddcba757bf72	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\Prefetch\ReadyBoot\audiodg.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\Prefetch\ReadyBoot\42af1c969fbb7b	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\IME\smss.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\audiodg.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2432	schtasks.exe
1904	schtasks.exe
2308	schtasks.exe
2296	schtasks.exe
2008	schtasks.exe
2672	schtasks.exe
1348	schtasks.exe
3020	schtasks.exe
2308	schtasks.exe
2556	schtasks.exe
2560	schtasks.exe
1828	schtasks.exe
1028	schtasks.exe
1704	schtasks.exe
2964	schtasks.exe
1736	schtasks.exe
1176	schtasks.exe
2012	schtasks.exe
1712	schtasks.exe
2924	schtasks.exe
2640	schtasks.exe
1916	schtasks.exe
2904	schtasks.exe
2600	schtasks.exe
2628	schtasks.exe
2952	schtasks.exe
2300	schtasks.exe
2528	schtasks.exe
1940	schtasks.exe
2792	schtasks.exe
844	schtasks.exe
1436	schtasks.exe
1580	schtasks.exe
2956	schtasks.exe
2976	schtasks.exe
2904	schtasks.exe
756	schtasks.exe
468	schtasks.exe
1724	schtasks.exe
320	schtasks.exe
1328	schtasks.exe
3032	schtasks.exe
1304	schtasks.exe
1468	schtasks.exe
2936	schtasks.exe
2600	schtasks.exe
2844	schtasks.exe
1512	schtasks.exe
2648	schtasks.exe
268	schtasks.exe
1632	schtasks.exe
2664	schtasks.exe
3040	schtasks.exe
3044	schtasks.exe
2924	schtasks.exe
2800	schtasks.exe
1308	schtasks.exe
2336	schtasks.exe
2108	schtasks.exe
2692	schtasks.exe
3036	schtasks.exe
2868	schtasks.exe
2832	schtasks.exe
2072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
2884	powershell.exe
2612	powershell.exe
2900	powershell.exe
2536	powershell.exe
2764	powershell.exe
2988	powershell.exe
1852	powershell.exe
2752	powershell.exe
2016	powershell.exe
2912	powershell.exe
2908	powershell.exe
2888	powershell.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1956	Idle.exe
Token: SeDebugPrivilege	1724	Idle.exe
Token: SeDebugPrivilege	1484	Idle.exe
Token: SeDebugPrivilege	1712	Idle.exe
Token: SeDebugPrivilege	2424	Idle.exe
Token: SeDebugPrivilege	1588	Idle.exe
Token: SeDebugPrivilege	2440	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2536	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	67
PID 2508 wrote to memory of 2536	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	67
PID 2508 wrote to memory of 2536	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	67
PID 2508 wrote to memory of 1852	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	68
PID 2508 wrote to memory of 1852	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	68
PID 2508 wrote to memory of 1852	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	68
PID 2508 wrote to memory of 2912	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	69
PID 2508 wrote to memory of 2912	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	69
PID 2508 wrote to memory of 2912	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	69
PID 2508 wrote to memory of 2752	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	70
PID 2508 wrote to memory of 2752	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	70
PID 2508 wrote to memory of 2752	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	70
PID 2508 wrote to memory of 2888	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	71
PID 2508 wrote to memory of 2888	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	71
PID 2508 wrote to memory of 2888	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	71
PID 2508 wrote to memory of 2016	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	72
PID 2508 wrote to memory of 2016	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	72
PID 2508 wrote to memory of 2016	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	72
PID 2508 wrote to memory of 2900	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	73
PID 2508 wrote to memory of 2900	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	73
PID 2508 wrote to memory of 2900	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	73
PID 2508 wrote to memory of 2988	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	74
PID 2508 wrote to memory of 2988	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	74
PID 2508 wrote to memory of 2988	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	74
PID 2508 wrote to memory of 2764	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	75
PID 2508 wrote to memory of 2764	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	75
PID 2508 wrote to memory of 2764	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	75
PID 2508 wrote to memory of 2884	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	76
PID 2508 wrote to memory of 2884	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	76
PID 2508 wrote to memory of 2884	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	76
PID 2508 wrote to memory of 2908	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	77
PID 2508 wrote to memory of 2908	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	77
PID 2508 wrote to memory of 2908	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	77
PID 2508 wrote to memory of 2612	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	78
PID 2508 wrote to memory of 2612	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	78
PID 2508 wrote to memory of 2612	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	78
PID 2508 wrote to memory of 2720	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	91
PID 2508 wrote to memory of 2720	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	91
PID 2508 wrote to memory of 2720	2508	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	91
PID 2720 wrote to memory of 828	2720	cmd.exe	93
PID 2720 wrote to memory of 828	2720	cmd.exe	93
PID 2720 wrote to memory of 828	2720	cmd.exe	93
PID 2720 wrote to memory of 1884	2720	cmd.exe	94
PID 2720 wrote to memory of 1884	2720	cmd.exe	94
PID 2720 wrote to memory of 1884	2720	cmd.exe	94
PID 1884 wrote to memory of 2996	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	138
PID 1884 wrote to memory of 2996	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	138
PID 1884 wrote to memory of 2996	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	138
PID 1884 wrote to memory of 268	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	139
PID 1884 wrote to memory of 268	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	139
PID 1884 wrote to memory of 268	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	139
PID 1884 wrote to memory of 1596	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	141
PID 1884 wrote to memory of 1596	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	141
PID 1884 wrote to memory of 1596	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	141
PID 1884 wrote to memory of 1124	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	142
PID 1884 wrote to memory of 1124	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	142
PID 1884 wrote to memory of 1124	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	142
PID 1884 wrote to memory of 2508	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	144
PID 1884 wrote to memory of 2508	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	144
PID 1884 wrote to memory of 2508	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	144
PID 1884 wrote to memory of 1136	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	145
PID 1884 wrote to memory of 1136	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	145
PID 1884 wrote to memory of 1136	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	145
PID 1884 wrote to memory of 2152	1884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
"C:\Users\Admin\AppData\Local\Temp\448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iKDvRnKw2P.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:828
- - C:\Users\Admin\AppData\Local\Temp\448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
    "C:\Users\Admin\AppData\Local\Temp\448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1900
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Hc8aSAkfcJ.bat"
      4⤵
      PID:2336
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1256
    - - C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6614bc6-5a51-4462-bbde-9628a840c617.vbs"
        6⤵
        
        PID:1372
        
        C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\642cc4da-c2e2-4de7-876a-3f9ad2c1df69.vbs"
        8⤵
        
        PID:1904
        
        C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f432d431-b2c8-4bdb-a1f0-73dba1a1996f.vbs"
        10⤵
        
        PID:2656
        
        C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85eeb053-cde4-42d8-9cb6-30f5a71dfde5.vbs"
        12⤵
        
        PID:2004
        
        C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8daee55a-0dfe-493b-9930-8165de321f91.vbs"
        14⤵
        
        PID:1784
        
        C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44032fcf-1ace-4662-8b08-d3219e917692.vbs"
        16⤵
        
        PID:1720
        
        C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b49eba7-0a94-41b6-99ff-d1fbb5bd6a14.vbs"
        18⤵
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b01c54c9-4717-4155-80d9-e9047ee551ce.vbs"
        18⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebe2b36c-f331-4ce2-8664-febd0f321f31.vbs"
        16⤵
        
        PID:468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c11f6aae-621a-42de-ad6a-b40c29b1b749.vbs"
        14⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\879e9581-f16c-45b2-a6c2-028a20f1e32e.vbs"
        12⤵
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\759cadd4-1b10-4175-b305-37580088bc1e.vbs"
        10⤵
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b49f2b2-1969-4386-9423-d81e115cbb27.vbs"
        8⤵
        
        PID:2676
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c241442-747c-48b8-b732-8c6a59af0df1.vbs"
        6⤵
        
        PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN4" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\fr-FR\448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN4" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\IME\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /f
1⤵
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /rl HIGHEST /f
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\CrashReports\RCX95B4.tmp

Filesize
1.7MB

MD5
0ec0507751be1856bba60c0b9150101e

SHA1
01efcc58d500f8ce8d1465deba6879b668c7d5e5

SHA256
9dc9caa880261d74a6451032ad418a1da20b3d81275174fce84583816d92d5f0

SHA512
50e9da3bece4f1e2413503e0ed7cb9c1680b5dd59a7b60e95692144867539b76a8f5224e4d7b7a72b9a4ce344bf15c64348fba35898626a273c745aa274d6e1f

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe

Filesize
1.7MB

MD5
b09d4f8b9be1ca3790fafb6c5faf66a0

SHA1
d17af72bde97583329a50fef411c3e3567b2578a

SHA256
448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5eca

SHA512
8036dcf63d62b6e9af455087c8009b6e429c86283a5fa8459ba0cee600808802029d2e1ea9e2cd47d53eac290f99189b6c8c5a9b1b97eb20b99586985fbe4470

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c241442-747c-48b8-b732-8c6a59af0df1.vbs

Filesize
512B

MD5
e307e3cb3d957faa22db9d1c83ec9ba3

SHA1
55bf3ab00ad9287135330c17666c344d81d9ea98

SHA256
132c413c198a7cd7a1c66f2934ad9e511f481b4ab8ec75471bdb81cdec765e09

SHA512
814fb8e63c73504437697f8d0d10cb2a2587e710a1929d4f5666353d311d25a857155b04dedb46f7f398e641946293a86e08dd5a6392c2c5f4d25935d30d9308

Download Submit
C:\Users\Admin\AppData\Local\Temp\44032fcf-1ace-4662-8b08-d3219e917692.vbs

Filesize
736B

MD5
88d6cb6c8c809359e38258c7f9e2393f

SHA1
852c69d37a2dbb19c4eeb6858d6256a1aeffdb27

SHA256
cf739a6e9b3575666cc30e673b205371bc6d63c909a1c4129ebf9ef75673d515

SHA512
05df745e3fe559186d170e1d68567f1b161cdbebee20ae94e3ce21609c5b0f6e5b2609539cf10099359f9d714ba5129f80e03528e89f1f42f0be8d2cfa503990

Download Submit
C:\Users\Admin\AppData\Local\Temp\642cc4da-c2e2-4de7-876a-3f9ad2c1df69.vbs

Filesize
736B

MD5
70b79e0a0a778afd40a886f7a13f6f55

SHA1
b82314df25203ca9fb690a169a585447a84ff671

SHA256
5d6693cf8e25baddaad8a43437477334c56ca469fa39e39f7c8f23180aa4395a

SHA512
19b01e9060d7372e8e8343bcfb57bbc09b82ea94a92931eda8c61c6f0744e54841a2bba70ba6669c579e606f7e660622630a703b96bf9a69d4d8c3054c9eaf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b49eba7-0a94-41b6-99ff-d1fbb5bd6a14.vbs

Filesize
736B

MD5
1fb570239418f9d0407d74063930a35c

SHA1
3cf5d533f57e39a6d4e6419e31bef1c328ef830d

SHA256
2e2900527140661d808611734ea259da28ab7e3ef0d1794ee461b5d1c0100bfb

SHA512
c264f431fcc1bdc63e5ced01c625a5886312804df46b6904fd8c0c1f8d8f471e6460409c116965611ee99900a4f907189ef975cfe71ab22e93cf789a0149d411

Download Submit
C:\Users\Admin\AppData\Local\Temp\85eeb053-cde4-42d8-9cb6-30f5a71dfde5.vbs

Filesize
736B

MD5
f514b6a3b561fb66a3537397881f8566

SHA1
3dae0b791a0ce4689df544c03fcb47259697966a

SHA256
0820fa237b4cf038800a4e0bb0c4b30736bfbc3a01783234867d5fbc0d0d627a

SHA512
e4f03b6ef67c3cf7f4ad35a65ce85e775fab20be5a586691ff6c0383c71aea41838b2fdc7d409b6b95abfd65f6a389b61f5e47eb6dd1b3e79ba75acc5c6d8606

Download Submit
C:\Users\Admin\AppData\Local\Temp\8daee55a-0dfe-493b-9930-8165de321f91.vbs

Filesize
736B

MD5
22ce3647dbefd06163e2dbb895094d40

SHA1
aad6dd1aad77b3112aa3dbf5470ee196012ee4a4

SHA256
306bf5cc7f6e0d7c5e1b9bab8ef37ffa979815dc4a0692519cca48ce09ec7124

SHA512
9bdb36af674b5d935dd15328677e43ceb6088a17534149a48b13782e92ee28b911259f3cb81711a599bd416384294bb34d6afa64742c4c055036e1da311082bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hc8aSAkfcJ.bat

Filesize
225B

MD5
5afa4ba51f149fb0a2605e7eebd5bd63

SHA1
1715ab9345dd658dc2af052f6bb10b2d8adcc737

SHA256
573a0b8161063e7daed0cba482a42da784fa31e717afb7c815e266fe543b7c40

SHA512
93c5a5d063f02ed90d04b1c5b2d64aa9de9ead3d685c0a7c785449991dd71f06343aef603a89c1a73ccea46e18c7f515e907eaa09fcfec02a3e3c7e85afe65ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6614bc6-5a51-4462-bbde-9628a840c617.vbs

Filesize
736B

MD5
25f29eb95e3b3b43daaa1482af49eb00

SHA1
4bb4ba886f4259e89aff66432f35e8a0fe05aae3

SHA256
1563394e2ef11c0da163ca29173196c0fb2091a2678112d0398b87fe5d8cb28e

SHA512
d4aa265d19d3f840ebb4710f7709e38f4223d352d51608c73de8eafa879f2a7bb921d90da70af2b2333f3232b2894658dd02ad53f4201599bb2ce0843e2edb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f432d431-b2c8-4bdb-a1f0-73dba1a1996f.vbs

Filesize
736B

MD5
ab74c2610878ccdd10f8bfe0ed875aec

SHA1
93de35bcb4cf035c0faaad6166cf06c92bf59b80

SHA256
87d2c2904c6679ea721a3bd4daa971371a37b02433d3710801f7a49abab4c682

SHA512
b1e66d2c39d1f7319f22281ee5df13f0e9ecb12b0d244682d9beecab9d2d242495dd2b7052193edefc2174f89882f996238a23ab3ab71934ebafbf7e7ef67fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iKDvRnKw2P.bat

Filesize
268B

MD5
7f81ab83cec8c6fc9d20e94ca73fd528

SHA1
4d51d8ceea4db9a137ffff8c2e34b0467a3c0017

SHA256
ed7bf4f778e865d656e91a0c52f5e1b4e5723b0e91a5c23eeceb19adecc57a4d

SHA512
9f66c969e3f29688294fa238cdf99d8f7c8fafbeb82e897fc566c578062a5de9a1107c2f7525f3ff60faf28eb055a88d8b4295894c642deb5ee28a8655867464

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
70742d95f0f63fb0891876eb1fbec808

SHA1
fc76a8df78a2770adaa10976cd216b728fbb07c5

SHA256
c28805d474ce1e8e8ab51aa3c54571b4476fad12cbbc33d5a5d8b78ad23a7e95

SHA512
da45b2b5ac657ee68ffe49d2701b4a1b8e4878a8b11452e814c2587f392e22870d83d2c7034399dc789b9b980bdf26c1470ec47b565a88b722570cbfb503beb4

Download Submit
memory/268-314-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/268-313-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1712-400-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/1724-376-0x0000000000EE0000-0x00000000010A0000-memory.dmp

Filesize
1.8MB

Download
memory/1724-377-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/1884-237-0x0000000000370000-0x0000000000530000-memory.dmp

Filesize
1.8MB

Download
memory/1956-365-0x0000000000B90000-0x0000000000D50000-memory.dmp

Filesize
1.8MB

Download
memory/2424-412-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/2508-11-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2508-0-0x000007FEF4FC3000-0x000007FEF4FC4000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x00000000010C0000-0x0000000001280000-memory.dmp

Filesize
1.8MB

Download
memory/2508-173-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-20-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-17-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/2508-15-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/2508-16-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/2508-13-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

Filesize
40KB

Download
memory/2508-14-0x0000000000B10000-0x0000000000B1E000-memory.dmp

Filesize
56KB

Download
memory/2508-12-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2508-2-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-9-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2508-8-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2508-7-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2508-6-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/2508-5-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2508-4-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/2508-3-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2884-179-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2884-180-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download