dcrat | 6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8

Resubmissions

13-01-2025 04:14

250113-et66ksvpex 10

12-01-2025 13:59

250112-ragg2axnhl 10

Analysis

max time kernel
771s
max time network
767s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Size

1.7MB
MD5

0624cb81236f6a0e8d0487a766458088
SHA1

36ea7baa5b367c60269eb1a277bd5ad4bc41b54b
SHA256

6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8
SHA512

742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvD:OTHUxUoh1IF9gl2M

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	2564	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2564	schtasks.exe	81

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4020-1-0x0000000000930000-0x0000000000AF0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cb3-30.dat	dcrat
behavioral2/files/0x0008000000023cb7-57.dat	dcrat
behavioral2/files/0x000b000000023ca7-80.dat	dcrat
behavioral2/files/0x0009000000023cae-89.dat	dcrat
behavioral2/memory/1028-254-0x0000000000090000-0x0000000000250000-memory.dmp	dcrat
behavioral2/files/0x000300000001e754-314.dat	dcrat
behavioral2/memory/4412-503-0x0000000000A50000-0x0000000000C10000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4968	powershell.exe
1496	powershell.exe
1864	powershell.exe
2272	powershell.exe
3932	powershell.exe
1956	powershell.exe
3912	powershell.exe
1980	powershell.exe
1636	powershell.exe
3324	powershell.exe
2068	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe

Checks computer location settings 2 TTPs 37 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe

Executes dropped EXE 42 IoCs

pid	Process
1028	TextInputHost.exe
5068	TextInputHost.exe
872	TextInputHost.exe
5100	TextInputHost.exe
2348	TextInputHost.exe
3016	TextInputHost.exe
3368	TextInputHost.exe
4536	TextInputHost.exe
5100	TextInputHost.exe
2616	TextInputHost.exe
3016	TextInputHost.exe
1208	TextInputHost.exe
1088	TextInputHost.exe
4352	TextInputHost.exe
5052	TextInputHost.exe
1496	TextInputHost.exe
2756	TextInputHost.exe
1208	TextInputHost.exe
3552	TextInputHost.exe
1840	TextInputHost.exe
3052	TextInputHost.exe
1464	TextInputHost.exe
4360	TextInputHost.exe
372	TextInputHost.exe
4412	OfficeClickToRun.exe
1416	TextInputHost.exe
872	TextInputHost.exe
2164	TextInputHost.exe
3432	TextInputHost.exe
1840	TextInputHost.exe
1220	TextInputHost.exe
4464	TextInputHost.exe
2344	TextInputHost.exe
1680	TextInputHost.exe
3872	TextInputHost.exe
536	OfficeClickToRun.exe
1000	RuntimeBroker.exe
3968	TextInputHost.exe
2248	TextInputHost.exe
2856	TextInputHost.exe
4840	sysmon.exe
3940	TextInputHost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\e6c9b481da804f	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXBF51.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXBFBF.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PLA\TextInputHost.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\RCXC1C4.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\OfficeClickToRun.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\PLA\TextInputHost.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\PLA\22eafd247d37c3	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\OfficeClickToRun.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\e6c9b481da804f	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\PLA\RCXBAA9.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\PLA\RCXBB17.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\RCXC242.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
264	schtasks.exe
3104	schtasks.exe
4728	schtasks.exe
764	schtasks.exe
3364	schtasks.exe
1900	schtasks.exe
2688	schtasks.exe
1860	schtasks.exe
2308	schtasks.exe
3456	schtasks.exe
1016	schtasks.exe
776	schtasks.exe
1008	schtasks.exe
4536	schtasks.exe
428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
1496	powershell.exe
1496	powershell.exe
4968	powershell.exe
4968	powershell.exe
3932	powershell.exe
3932	powershell.exe
1980	powershell.exe
1980	powershell.exe
3912	powershell.exe
3912	powershell.exe
1636	powershell.exe
1636	powershell.exe
2068	powershell.exe
2068	powershell.exe
3324	powershell.exe
4968	powershell.exe
3324	powershell.exe
2272	powershell.exe
2272	powershell.exe
1864	powershell.exe
1864	powershell.exe
1956	powershell.exe
1956	powershell.exe
1864	powershell.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
1496	powershell.exe
3932	powershell.exe
1980	powershell.exe
1636	powershell.exe
2068	powershell.exe
2272	powershell.exe
4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
3324	powershell.exe
3912	powershell.exe
1956	powershell.exe
1028	TextInputHost.exe
1028	TextInputHost.exe
1028	TextInputHost.exe
1028	TextInputHost.exe
1028	TextInputHost.exe
1028	TextInputHost.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1028	TextInputHost.exe
Token: SeDebugPrivilege	5068	TextInputHost.exe
Token: SeDebugPrivilege	872	TextInputHost.exe
Token: SeDebugPrivilege	5100	TextInputHost.exe
Token: SeDebugPrivilege	2348	TextInputHost.exe
Token: SeDebugPrivilege	3016	TextInputHost.exe
Token: SeDebugPrivilege	3368	TextInputHost.exe
Token: SeDebugPrivilege	4536	TextInputHost.exe
Token: SeDebugPrivilege	5100	TextInputHost.exe
Token: SeDebugPrivilege	2616	TextInputHost.exe
Token: SeDebugPrivilege	3016	TextInputHost.exe
Token: SeDebugPrivilege	1208	TextInputHost.exe
Token: SeDebugPrivilege	1088	TextInputHost.exe
Token: SeDebugPrivilege	4352	TextInputHost.exe
Token: SeDebugPrivilege	5052	TextInputHost.exe
Token: SeDebugPrivilege	1496	TextInputHost.exe
Token: SeDebugPrivilege	2756	TextInputHost.exe
Token: SeDebugPrivilege	1208	TextInputHost.exe
Token: SeDebugPrivilege	3552	TextInputHost.exe
Token: SeDebugPrivilege	1840	TextInputHost.exe
Token: SeDebugPrivilege	3052	TextInputHost.exe
Token: SeDebugPrivilege	1464	TextInputHost.exe
Token: SeDebugPrivilege	4360	TextInputHost.exe
Token: SeDebugPrivilege	372	TextInputHost.exe
Token: SeDebugPrivilege	4412	OfficeClickToRun.exe
Token: SeDebugPrivilege	1416	TextInputHost.exe
Token: SeDebugPrivilege	872	TextInputHost.exe
Token: SeDebugPrivilege	2164	TextInputHost.exe
Token: SeDebugPrivilege	3432	TextInputHost.exe
Token: SeDebugPrivilege	1840	TextInputHost.exe
Token: SeDebugPrivilege	1220	TextInputHost.exe
Token: SeDebugPrivilege	4464	TextInputHost.exe
Token: SeDebugPrivilege	2344	TextInputHost.exe
Token: SeDebugPrivilege	1680	TextInputHost.exe
Token: SeDebugPrivilege	3872	TextInputHost.exe
Token: SeDebugPrivilege	536	OfficeClickToRun.exe
Token: SeDebugPrivilege	1000	RuntimeBroker.exe
Token: SeDebugPrivilege	3968	TextInputHost.exe
Token: SeDebugPrivilege	2248	TextInputHost.exe
Token: SeDebugPrivilege	2856	TextInputHost.exe
Token: SeDebugPrivilege	4840	sysmon.exe
Token: SeDebugPrivilege	3940	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 1956	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	98
PID 4020 wrote to memory of 1956	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	98
PID 4020 wrote to memory of 3912	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	99
PID 4020 wrote to memory of 3912	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	99
PID 4020 wrote to memory of 1980	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	100
PID 4020 wrote to memory of 1980	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	100
PID 4020 wrote to memory of 4968	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	101
PID 4020 wrote to memory of 4968	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	101
PID 4020 wrote to memory of 1496	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	102
PID 4020 wrote to memory of 1496	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	102
PID 4020 wrote to memory of 1636	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	103
PID 4020 wrote to memory of 1636	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	103
PID 4020 wrote to memory of 1864	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	104
PID 4020 wrote to memory of 1864	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	104
PID 4020 wrote to memory of 2272	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	105
PID 4020 wrote to memory of 2272	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	105
PID 4020 wrote to memory of 3932	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	106
PID 4020 wrote to memory of 3932	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	106
PID 4020 wrote to memory of 3324	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	107
PID 4020 wrote to memory of 3324	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	107
PID 4020 wrote to memory of 2068	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	108
PID 4020 wrote to memory of 2068	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	108
PID 4020 wrote to memory of 1028	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	120
PID 4020 wrote to memory of 1028	4020	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	120
PID 1028 wrote to memory of 2932	1028	TextInputHost.exe	121
PID 1028 wrote to memory of 2932	1028	TextInputHost.exe	121
PID 1028 wrote to memory of 1736	1028	TextInputHost.exe	122
PID 1028 wrote to memory of 1736	1028	TextInputHost.exe	122
PID 2932 wrote to memory of 5068	2932	WScript.exe	129
PID 2932 wrote to memory of 5068	2932	WScript.exe	129
PID 5068 wrote to memory of 1148	5068	TextInputHost.exe	130
PID 5068 wrote to memory of 1148	5068	TextInputHost.exe	130
PID 5068 wrote to memory of 1444	5068	TextInputHost.exe	131
PID 5068 wrote to memory of 1444	5068	TextInputHost.exe	131
PID 1148 wrote to memory of 872	1148	WScript.exe	134
PID 1148 wrote to memory of 872	1148	WScript.exe	134
PID 872 wrote to memory of 4712	872	TextInputHost.exe	135
PID 872 wrote to memory of 4712	872	TextInputHost.exe	135
PID 872 wrote to memory of 4148	872	TextInputHost.exe	136
PID 872 wrote to memory of 4148	872	TextInputHost.exe	136
PID 4712 wrote to memory of 5100	4712	WScript.exe	137
PID 4712 wrote to memory of 5100	4712	WScript.exe	137
PID 5100 wrote to memory of 1976	5100	TextInputHost.exe	138
PID 5100 wrote to memory of 1976	5100	TextInputHost.exe	138
PID 5100 wrote to memory of 3476	5100	TextInputHost.exe	139
PID 5100 wrote to memory of 3476	5100	TextInputHost.exe	139
PID 1976 wrote to memory of 2348	1976	WScript.exe	140
PID 1976 wrote to memory of 2348	1976	WScript.exe	140
PID 2348 wrote to memory of 3156	2348	TextInputHost.exe	141
PID 2348 wrote to memory of 3156	2348	TextInputHost.exe	141
PID 2348 wrote to memory of 1656	2348	TextInputHost.exe	142
PID 2348 wrote to memory of 1656	2348	TextInputHost.exe	142
PID 3156 wrote to memory of 3016	3156	WScript.exe	143
PID 3156 wrote to memory of 3016	3156	WScript.exe	143
PID 3016 wrote to memory of 3596	3016	TextInputHost.exe	144
PID 3016 wrote to memory of 3596	3016	TextInputHost.exe	144
PID 3016 wrote to memory of 2720	3016	TextInputHost.exe	145
PID 3016 wrote to memory of 2720	3016	TextInputHost.exe	145
PID 3596 wrote to memory of 3368	3596	WScript.exe	146
PID 3596 wrote to memory of 3368	3596	WScript.exe	146
PID 3368 wrote to memory of 3736	3368	TextInputHost.exe	147
PID 3368 wrote to memory of 3736	3368	TextInputHost.exe	147
PID 3368 wrote to memory of 1288	3368	TextInputHost.exe	148
PID 3368 wrote to memory of 1288	3368	TextInputHost.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\PLA\TextInputHost.exe
  "C:\Windows\PLA\TextInputHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07695dd4-aa0c-499f-9714-6586569ee5da.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\PLA\TextInputHost.exe
      C:\Windows\PLA\TextInputHost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8570eb1e-0ced-4c88-9822-3d99bb51784c.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20f1daec-f46d-47bc-a07a-49d208041ccc.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7bae099-4754-4179-be09-be5e3d651d1d.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c67ec998-3083-4d95-a2fe-7aae122e343b.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cbfa5e5-f1e0-46d6-8ba8-9664d91ff91f.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ee6e8b1-28da-425a-919a-af75224ba3f2.vbs"
        15⤵
        
        PID:3736
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07c7e86e-5d09-455c-8edb-5a311c473484.vbs"
        17⤵
        
        PID:744
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\148a5a64-b52e-4796-870d-953143379b4e.vbs"
        19⤵
        
        PID:3996
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ada18a49-3cd6-4c12-b33c-c66f4f19b230.vbs"
        21⤵
        
        PID:2976
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0798503b-a876-454d-a7d5-0ae3608ba118.vbs"
        23⤵
        
        PID:3856
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de8a2e22-f221-47d2-8987-81d9148ea1ef.vbs"
        25⤵
        
        PID:2940
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee7f9209-4232-4ddf-b15b-b28625abfd95.vbs"
        27⤵
        
        PID:3564
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3defa6b0-70a8-407b-ba74-c9ac29447400.vbs"
        29⤵
        
        PID:1924
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97cc8104-96e3-456c-a72a-c4139c2bdbbf.vbs"
        31⤵
        
        PID:4972
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62440ed2-5be2-483d-b7b6-ff74b7a4bb34.vbs"
        33⤵
        
        PID:2768
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b396e3a7-8ac1-480d-9799-08a209f82cd2.vbs"
        35⤵
        
        PID:2656
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f7a7c1e-13f7-4f9e-b9ea-6cf4d69c7998.vbs"
        37⤵
        
        PID:436
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c649b52-f5ae-40fe-a38b-0eabf1a6d871.vbs"
        39⤵
        
        PID:2760
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6f67ea2-d126-4c8b-abf8-23cfd9350b4b.vbs"
        41⤵
        
        PID:1692
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c6728b9-fe9b-49b9-8773-ac5b1a338c5f.vbs"
        43⤵
        
        PID:4844
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec9a14e8-09c9-460b-8c05-4b4615c03525.vbs"
        45⤵
        
        PID:2372
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92a8ca6a-038e-4e8b-aa0b-498016bff419.vbs"
        47⤵
        
        PID:680
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a16eb56-7ec5-45ff-bf2f-c0d1329c73de.vbs"
        49⤵
        
        PID:2880
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c18a8f3f-97f3-476f-8ac4-9321b3bd406c.vbs"
        49⤵
        
        PID:3100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fb2cc1d-11a9-4c8a-93b4-0dbcec781ab6.vbs"
        47⤵
        
        PID:544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efef1c56-e3dd-467f-9a7e-2af79e6c9c52.vbs"
        45⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba057495-5356-4bec-a3e3-9c1b6a7fab74.vbs"
        43⤵
        
        PID:4344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d361f3c-d4e4-407f-aec2-a159873959b9.vbs"
        41⤵
        
        PID:1400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02ba10fb-64d2-44c8-8b67-3e6d5d78a241.vbs"
        39⤵
        
        PID:3448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7db0c74-bb81-4334-966a-f185697de68a.vbs"
        37⤵
        
        PID:708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f4fb5c9-fa38-4476-80f7-1e34b4758831.vbs"
        35⤵
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20f9a517-8819-4636-92ee-23af596c2d4d.vbs"
        33⤵
        
        PID:4212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ecfb0fc-0268-43c5-9021-062546561f03.vbs"
        31⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0dcc7b2-48dc-4a5f-8757-702039b89570.vbs"
        29⤵
        
        PID:3104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f65e3c88-05f7-405c-a016-72c89e1268ec.vbs"
        27⤵
        
        PID:1168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0991f90-4862-424c-a261-466f25d2679e.vbs"
        25⤵
        
        PID:180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c15fe564-4b96-41b2-bda8-31702c7e629c.vbs"
        23⤵
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28b2fe00-be6b-451c-b256-76e0c4fef143.vbs"
        21⤵
        
        PID:4988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67d1a559-982c-4e75-aa7e-5aaf344d64dc.vbs"
        19⤵
        
        PID:1076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7715811-3b5d-4f26-bd99-c3cff0021e1f.vbs"
        17⤵
        
        PID:3532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b242867-026c-4508-8a11-7415bc77a87e.vbs"
        15⤵
        
        PID:1288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34f8553e-a065-407f-b339-468d7ed0fd62.vbs"
        13⤵
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9f2752a-7346-4080-b8ad-3325c0da695c.vbs"
        11⤵
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99088a9d-d8ea-45f2-a34f-fd570b691bd2.vbs"
        9⤵
        
        PID:3476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f83a0466-1bfe-4cd7-86ed-790b688856ef.vbs"
        7⤵
        
        PID:4148
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c44bedb1-ce45-4830-ab78-6066ad7e8f73.vbs"
        5⤵
        
        PID:1444
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dba64e86-ec96-4746-97c3-38a9bf4b9c20.vbs"
    3⤵
    PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\PLA\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\OfficeClickToRun.exe
C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\PLA\TextInputHost.exe
C:\Windows\PLA\TextInputHost.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:872
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b0aa34f-47b8-4032-a307-6892767a480b.vbs"
  2⤵
  PID:1176
- - C:\Windows\PLA\TextInputHost.exe
    C:\Windows\PLA\TextInputHost.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4f5e3e0-f585-44b3-9e7b-dbcc5cb0f73b.vbs"
      4⤵
      PID:2880
    - - C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe75c4a3-3841-4403-acd5-493073a03a39.vbs"
        6⤵
        
        PID:1960
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b734241d-96f4-4982-bffb-d95c37581ef4.vbs"
        8⤵
        
        PID:2192
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0e2fb67-aa29-40cd-8c5b-81a041238adc.vbs"
        10⤵
        
        PID:3908
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11d84bc5-ba40-400f-a4c2-d6ced7e072f0.vbs"
        12⤵
        
        PID:2072
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f936345c-6e17-416c-ac72-edef99efe1a9.vbs"
        14⤵
        
        PID:4364
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\117b1878-4727-4ede-b20b-ee1f21145bda.vbs"
        16⤵
        
        PID:1176
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e90d292-2f85-44f3-af22-b3c8a228df66.vbs"
        18⤵
        
        PID:3432
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30f910bd-6160-473f-9e6c-c1452c824c9d.vbs"
        20⤵
        
        PID:4348
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5826b415-c74f-4c71-8baa-43558bba8297.vbs"
        22⤵
        
        PID:3016
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137dda30-f683-4eef-9e9f-f5c0dc31f3d7.vbs"
        24⤵
        
        PID:4284
        
        C:\Windows\PLA\TextInputHost.exe
        
        C:\Windows\PLA\TextInputHost.exe
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f065f636-46a3-411b-ba60-0b136cea41d5.vbs"
        24⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c48cf140-fcff-41e3-95b2-7ad53b36059a.vbs"
        22⤵
        
        PID:3136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70fe8a96-b29e-42bf-aa25-86b5a8ff999b.vbs"
        20⤵
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f72026e-12ea-492a-93a3-4e35358895e8.vbs"
        18⤵
        
        PID:412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\802df85a-e904-4c8a-964f-453656139e10.vbs"
        16⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9574c05-8403-4c65-8191-a9e474b0ce79.vbs"
        14⤵
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\176ae439-96e3-422a-bdfe-d034a01c84c7.vbs"
        12⤵
        
        PID:4804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc15af91-f3fe-4df5-aead-56d7679eb137.vbs"
        10⤵
        
        PID:4376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e069c9f6-9cbf-4007-a1c8-cde133aec96f.vbs"
        8⤵
        
        PID:2452
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dea2142-2898-4123-a7a2-ee23b80d7fcc.vbs"
        6⤵
        
        PID:2900
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1459f03a-e0f3-4aae-b2d2-1645977cf3cf.vbs"
      4⤵
      PID:2196
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abddf861-e99c-42c6-a79f-95d4273a4054.vbs"
  2⤵
  PID:3864

C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\OfficeClickToRun.exe
C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Users\Default User\RuntimeBroker.exe
"C:\Users\Default User\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Users\Default\sysmon.exe
C:\Users\Default\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe

Filesize
1.7MB

MD5
cd8f0ff201dc0afc98655e31c0624fde

SHA1
759a78e5acaaf2d7504551d59933974c8c752c71

SHA256
aa9eb219505c3c9e3a989344762e7b203a6b57fd900d4a23e902725204e78010

SHA512
8f2bdf4b4871ffc1b18ab5171705a50f8c811e0536eb6d9cab44eb8a2bc65f99d1526a6bc128b65df25b9c2c6cc6841f08a166599e91ec8ec2fcbc4eb985cb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2d45daa9e9acea96d8a2cadfd38aeb47

SHA1
a1d49dfe3b7ff32a914f4e5c6fca696878d7227c

SHA256
96341c1835589a0a0075c7cae08feb06a96c1a125fdbc650effc39b8ae36fbf5

SHA512
b6228fa8931b8a5bb5fba99ff706bb77aa21cfc03248c5d208c24e2a141c8cb79b4988eadf985441fa9d02e9525589ab69335315d604994a33ec92fe640731f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\07695dd4-aa0c-499f-9714-6586569ee5da.vbs

Filesize
708B

MD5
9d781288bf93130123f7d6dc9e85c040

SHA1
45e710a8e9e06632caaa5a5e467ad5b733e76159

SHA256
57b564635fd7b8a25ac0b978c126148469d8744aef1e35eb7069c63b0fff3851

SHA512
05b177352545dc8e1f88de7e9c8d4a1ef2646e1ac9f4b21c5d72ada23f5d20cf524cf5f8de526b9923978f2794b02439ee9ea47d9a0a380ed7e3be2f8e64140d

Download Submit
C:\Users\Admin\AppData\Local\Temp\07c7e86e-5d09-455c-8edb-5a311c473484.vbs

Filesize
708B

MD5
262a88e7034c32a0c89052184e6b834f

SHA1
209d6662656d242b0fa3dec3d762c936e6e6daad

SHA256
f06648713c63d319f4235e7717ae8c5c99f3255d7e55af6c56764df9ff544380

SHA512
87b570f9680bc8479b8ee361e7193252491d6703d690fde8fb99080e98e9bc9cf0609ad4dfb26fcd5359e9ed3f35d32301cf1ba252d6f686b06ca0df8439b4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\20f1daec-f46d-47bc-a07a-49d208041ccc.vbs

Filesize
707B

MD5
0cf8703dd3b7382d84be9e703e2582bc

SHA1
bc4f779ab9f721fd582602f798658118c371d327

SHA256
c6e597e7cb8be6d7c11acf36edfd2f8214414b81a7fa1a56516f9a79f93e6e2b

SHA512
93d9819fc61f94abc11a2f2ddb06fa3dace87f3f8701d30a049314eaccc990fc0d268d3cfdbff55d62c42b9b147e52d78738fea86b8d55fee634bc29e0b2f017

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ee6e8b1-28da-425a-919a-af75224ba3f2.vbs

Filesize
708B

MD5
504bb629490ddaa43d4dbc19c0eb3007

SHA1
795b9de3b1e0c78d5e5e478bcf1d6d38710ef900

SHA256
0b67f2b3d3c383d9eb4b0c6ccaa5d4b94c59f77503f1c897a86a8a357902ba06

SHA512
9b7142cc2bd34073f6675873de756afdad52d49bc063cd257de155dd60c768c4c54c317f63f70ce17826422557d5fd11174aacd9a07393a5562ca2f86892f6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cbfa5e5-f1e0-46d6-8ba8-9664d91ff91f.vbs

Filesize
708B

MD5
e53e1ba9cecbb0b269b867f9301dc7b9

SHA1
d58da6ac25ac991de826dee874e52f2e37a7a5a2

SHA256
e87bb651f5c28a0457ea6974006de898e265601cfed01e99857cb0355de1b98f

SHA512
e249d3f352f1fc731fb8be92b81e771a179bac3d19c904273a5b8751195b1df0469b55761d5049a21719aa864b53951086a0599de04ab75ccb96caac904f4abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8570eb1e-0ced-4c88-9822-3d99bb51784c.vbs

Filesize
708B

MD5
bcd5978254db76b7caecb5fe7c3e8a3e

SHA1
fb4dcf0e0954364524c777cadbdba14925476784

SHA256
8a49cc38b75bfa14273ad1d7f790d3b76251ef74929cfd5d9c150e91e6599fa7

SHA512
4168b2bd11810c9c2e49359652fefcf02ec41991fc302b42a8fc0ff9db53cf140dab66c7e59d1f03b45d9af27a7da12091592ad26f96c7fd0c235160e49524e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_so0jsbsd.qak.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ada18a49-3cd6-4c12-b33c-c66f4f19b230.vbs

Filesize
708B

MD5
669fe959a6b2fc21db5ea10725b1f821

SHA1
1825e75e05f5f26851ebe8c98998e9bbffd5f428

SHA256
50842949fa23cb9081758b7ac6f43a3d304539a60948839bf31d48da3b2bac28

SHA512
a285f2e6c12b763bf4579f10ecb241edf3008bd6f1c3fe0bc1b6c7b25d08b0cbdbc139a09e854d767b9507497b6dcdec404255bdc85e1fb31f386788fb0284ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\b734241d-96f4-4982-bffb-d95c37581ef4.vbs

Filesize
708B

MD5
2e2780fd66eb45ee27f36f2905b2931f

SHA1
a121ff92f4b13d72f32bf3211b4e5d01e7adb659

SHA256
4cb11e63d89c39a5d4a41d703399b68892e3776d11513817eed6b6906ef66c90

SHA512
f4a724fbe475c41272594cb240f19c6bc6473657fb55bd659207b19f98ae323be36b41f6ac8f4bcae5c90212bcfe3d37814536544d25ea54e62de16bdb3eb0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c56f65f62f7dce504360e34952034be06d87f72f.exe

Filesize
1.7MB

MD5
1adc077ee4a6b3e933ae72ef3f4ec283

SHA1
fe45c446512bb352b3a4c85f7afd3e58c9b0fb6e

SHA256
d3965516ad44d8d039bbca5814aa4863a9f3e490cb3939e7cf4e1fb97950f69b

SHA512
535fdc9a0eb92c3dbf20011ef3fe1a8e5c3ef55b90f8cd930f8e82fb5150a68368dc00b4b7590c7fa14b4136565be4abd50259e9872428c1b1cad4ec38dea137

Download Submit
C:\Users\Admin\AppData\Local\Temp\c67ec998-3083-4d95-a2fe-7aae122e343b.vbs

Filesize
708B

MD5
dfebe4fab8794d1f36f889072a840dd1

SHA1
4eb025c1ee3d8cb865e64fd93bb7cbed0e157f67

SHA256
36c2732b26e1aa82fdd9a853c1f2f45d6e279c65d2687a7aee43f097409a6df6

SHA512
6be5a2b70e666af821b1ae2b5cedc0f8f2aab92c6a1ec1541e81e0cf9b1518447ff88dfec27fd63a1e06821caaa8076e2f46fcbdc6b91bfe7afda441aebaa9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\dba64e86-ec96-4746-97c3-38a9bf4b9c20.vbs

Filesize
484B

MD5
1c3fefddc686ce82ce10a5576f273967

SHA1
b941316f0f879047510aa1172a9194c25e254eb9

SHA256
2580403172ce5789169a861337c828e1911210fdad87a7cc57f002974e311cf5

SHA512
287535e06e53149c53c37e613ab1a75bf831a384b9cb324ae370945473d6753fa4e899ab68322cd88a3c80fb3d262c5e9faba3a7c8f77bf19b9fb0e5927d540c

Download Submit
C:\Users\Admin\AppData\Local\Temp\de8a2e22-f221-47d2-8987-81d9148ea1ef.vbs

Filesize
708B

MD5
c93e8c7ccc690cd6730ce022aeb58019

SHA1
b11e1dc04c7bb22629891c35201c453d953e546a

SHA256
ffc6e745b25a9dbc79167dd184fe875f8432330c7c37510b0ebe2683aad9672e

SHA512
5ce91c68ea8ca0840039ffdcb312684c6aefbbbc61efa8e6d734f61be4659c2dc5ffaef0e9b68de88b48a6b948961f5a777187978649ae0fecb17129c87b3bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7bae099-4754-4179-be09-be5e3d651d1d.vbs

Filesize
708B

MD5
9c13cdd887931a8888991e61d82b023d

SHA1
c672348913779febdf11f5f27c2f4bc469ea8ddc

SHA256
b27e9e1f486d27dd4e77820de79e5becd14c35d31f044cd7c4ecb6e1e0451a36

SHA512
42305f3b3a6e2e4d1aa8bafa97d4cd6bee05e0ab7d9642f165dd02a125ac9fcba9c1798740ae58dbdb662d889bc670d87bcbd145bf9e86aa20527310ad7f3813

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee7f9209-4232-4ddf-b15b-b28625abfd95.vbs

Filesize
708B

MD5
ce51196b83a352e92ebb3f53e3718403

SHA1
4f3d06b62808f852a158c6c235540c3671c51094

SHA256
41d92be8aa3cb5610e025ca6ae9beae518e9b31b7c1c31e2826a644eeb76db7a

SHA512
722d56056b223214f7fcd88910f65ad0c5a8e3bc73c11910f85cf7fe0719e278c6ae699fbf1c299f02aa61f6dc0f68de47d0a84ee064360bcbe34cd63a4829ec

Download Submit
C:\Windows\PLA\TextInputHost.exe

Filesize
1.7MB

MD5
a4a0deb0170dc7dbe1c8db79d2d2ac2c

SHA1
57e56a1f6cac3c948e685fa85c9b45a74ede23fa

SHA256
6ad739147d242b004075290725bb066c6a128fd8c8311a069ee1671488b48c27

SHA512
bfcbcb671a567560c071dcfb15ed434e209ca7de064972df67315d7c6023708bacbd51b367c9110096e31e3c819564ee9ac7eb9fe007beca824bb331eb6efa2c

Download Submit
C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\OfficeClickToRun.exe

Filesize
1.7MB

MD5
0624cb81236f6a0e8d0487a766458088

SHA1
36ea7baa5b367c60269eb1a277bd5ad4bc41b54b

SHA256
6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8

SHA512
742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553

Download Submit
C:\Windows\SystemResources\Windows.UI.ShellCommonInetCore\WindowsInternal.Xaml.Controls.Tabs\OfficeClickToRun.exe

Filesize
1.7MB

MD5
9cf159f9bdbbeb076bd8e9d1519aef26

SHA1
084e0410dfaee7cf91c9abb448addb9a4584d678

SHA256
fa7271951e8ca44a3380f4e0c1a743bc6f1a14be7f3d943d8704f19b1bca5683

SHA512
b966a163f58466a326ae50e27343dd892a4543d38faf415fa19c30f148adefd8cc5566145bee8551788a1040bb88f89ca416d63814c002196555c89ce1932bdd

Download Submit
memory/372-495-0x00000000031A0000-0x00000000031B2000-memory.dmp

Filesize
72KB

Download
memory/1028-254-0x0000000000090000-0x0000000000250000-memory.dmp

Filesize
1.8MB

Download
memory/1220-535-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/1464-480-0x000000001B430000-0x000000001B442000-memory.dmp

Filesize
72KB

Download
memory/1840-527-0x000000001B280000-0x000000001B292000-memory.dmp

Filesize
72KB

Download
memory/2164-512-0x000000001B860000-0x000000001B872000-memory.dmp

Filesize
72KB

Download
memory/2616-378-0x000000001BBF0000-0x000000001BC02000-memory.dmp

Filesize
72KB

Download
memory/2856-587-0x000000001BA90000-0x000000001BAA2000-memory.dmp

Filesize
72KB

Download
memory/4020-9-0x000000001B860000-0x000000001B86C000-memory.dmp

Filesize
48KB

Download
memory/4020-5-0x00000000011D0000-0x00000000011D8000-memory.dmp

Filesize
32KB

Download
memory/4020-13-0x000000001C390000-0x000000001C8B8000-memory.dmp

Filesize
5.2MB

Download
memory/4020-3-0x00000000011A0000-0x00000000011BC000-memory.dmp

Filesize
112KB

Download
memory/4020-20-0x00007FFC76C40000-0x00007FFC77701000-memory.dmp

Filesize
10.8MB

Download
memory/4020-2-0x00007FFC76C40000-0x00007FFC77701000-memory.dmp

Filesize
10.8MB

Download
memory/4020-15-0x000000001B910000-0x000000001B91A000-memory.dmp

Filesize
40KB

Download
memory/4020-4-0x000000001B8B0000-0x000000001B900000-memory.dmp

Filesize
320KB

Download
memory/4020-16-0x000000001B920000-0x000000001B92E000-memory.dmp

Filesize
56KB

Download
memory/4020-17-0x000000001B930000-0x000000001B938000-memory.dmp

Filesize
32KB

Download
memory/4020-0-0x00007FFC76C43000-0x00007FFC76C45000-memory.dmp

Filesize
8KB

Download
memory/4020-12-0x000000001B880000-0x000000001B892000-memory.dmp

Filesize
72KB

Download
memory/4020-1-0x0000000000930000-0x0000000000AF0000-memory.dmp

Filesize
1.8MB

Download
memory/4020-6-0x000000001B710000-0x000000001B720000-memory.dmp

Filesize
64KB

Download
memory/4020-18-0x000000001B940000-0x000000001B94C000-memory.dmp

Filesize
48KB

Download
memory/4020-7-0x000000001B720000-0x000000001B736000-memory.dmp

Filesize
88KB

Download
memory/4020-8-0x000000001B740000-0x000000001B750000-memory.dmp

Filesize
64KB

Download
memory/4020-14-0x000000001B900000-0x000000001B90C000-memory.dmp

Filesize
48KB

Download
memory/4020-23-0x00007FFC76C40000-0x00007FFC77701000-memory.dmp

Filesize
10.8MB

Download
memory/4020-10-0x000000001B870000-0x000000001B878000-memory.dmp

Filesize
32KB

Download
memory/4020-19-0x000000001C0A0000-0x000000001C0AC000-memory.dmp

Filesize
48KB

Download
memory/4020-255-0x00007FFC76C40000-0x00007FFC77701000-memory.dmp

Filesize
10.8MB

Download
memory/4412-503-0x0000000000A50000-0x0000000000C10000-memory.dmp

Filesize
1.8MB

Download
memory/4464-543-0x000000001B820000-0x000000001B832000-memory.dmp

Filesize
72KB

Download
memory/4536-355-0x0000000003380000-0x0000000003392000-memory.dmp

Filesize
72KB

Download
memory/4968-143-0x0000018AF1600000-0x0000018AF1622000-memory.dmp

Filesize
136KB

Download
memory/5052-430-0x0000000003320000-0x0000000003332000-memory.dmp

Filesize
72KB

Download