dcrat | 8d4b33f016a0358ab33a61a53be27b775979a15719e2168d66bae6a7a598d2e1

Analysis

max time kernel
144s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb81b6d0e80118002af4508f2d2df288.exe
Size

5.9MB
MD5

cb81b6d0e80118002af4508f2d2df288
SHA1

d0f10e3d9df31a7528fda382bd759bb27af00920
SHA256

24ab80aa8bf163a7fc00cb6bfa5922269eb438ca6ce02da56016f6579106bfa2
SHA512

028e8bc13cce23c611bf8e1362dc1ceedce8b2d88af4fe8276ae1e631ccb90f3274a23a3e628bd45737a53efe1b08e6851db27823b6eb73b3105012b43083e34
SSDEEP

98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4f:RyeU11Rvqmu8TWKnF6N/1w+

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5896	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5264	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5604	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5768	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5592	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5232	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5744	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5556	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5852	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5368	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5896	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5428	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5768	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6104	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5792	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	6016	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	6016	schtasks.exe	90

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 39 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5996	powershell.exe
540	powershell.exe
2876	powershell.exe
4256	powershell.exe
4432	powershell.exe
3636	powershell.exe
4064	powershell.exe
1828	powershell.exe
752	powershell.exe
2792	powershell.exe
5312	powershell.exe
1664	powershell.exe
736	powershell.exe
5696	powershell.exe
2896	powershell.exe
5088	powershell.exe
4436	powershell.exe
2524	powershell.exe
5864	powershell.exe
4900	powershell.exe
2928	powershell.exe
4284	powershell.exe
6020	powershell.exe
2128	powershell.exe
6128	powershell.exe
644	powershell.exe
5344	powershell.exe
1712	powershell.exe
3044	powershell.exe
3448	powershell.exe
6120	powershell.exe
4764	powershell.exe
2488	powershell.exe
5496	powershell.exe
4464	powershell.exe
448	powershell.exe
5032	powershell.exe
5124	powershell.exe
2876	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cb81b6d0e80118002af4508f2d2df288.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cb81b6d0e80118002af4508f2d2df288.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cb81b6d0e80118002af4508f2d2df288.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	cb81b6d0e80118002af4508f2d2df288.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 4 IoCs

pid	Process
688	cb81b6d0e80118002af4508f2d2df288.exe
2088	cb81b6d0e80118002af4508f2d2df288.exe
4632	csrss.exe
2348	csrss.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cb81b6d0e80118002af4508f2d2df288.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
688	cb81b6d0e80118002af4508f2d2df288.exe
688	cb81b6d0e80118002af4508f2d2df288.exe
2088	cb81b6d0e80118002af4508f2d2df288.exe
2088	cb81b6d0e80118002af4508f2d2df288.exe
4632	csrss.exe
4632	csrss.exe
2348	csrss.exe
2348	csrss.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\9e8d7a4ca61bd9	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\edge_BITS_4764_811068770\RCX5587.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files\Uninstall Information\explorer.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\cc11b995f2a76d	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX5C63.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\c5b4cb5e9653cc	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\Uninstall Information\explorer.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\services.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\winlogon.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files\edge_BITS_4764_811068770\22eafd247d37c3	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX5C53.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\edge_BITS_4764_811068770\RCX5577.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\edge_BITS_4764_811068770\TextInputHost.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\winlogon.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\24dbde2999530e	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\dwm.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files\Uninstall Information\7a0fd90576e088	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\services.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files\edge_BITS_4764_811068770\TextInputHost.exe	cb81b6d0e80118002af4508f2d2df288.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Windows\RemotePackages\RemoteApps\9e8d7a4ca61bd9	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Windows\CSC\winlogon.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Windows\WaaS\tasks\fontdrvhost.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Windows\appcompat\encapsulation\RuntimeBroker.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Windows\appcompat\encapsulation\9e8d7a4ca61bd9	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Windows\appcompat\encapsulation\RuntimeBroker.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe	cb81b6d0e80118002af4508f2d2df288.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cb81b6d0e80118002af4508f2d2df288.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	cb81b6d0e80118002af4508f2d2df288.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	cb81b6d0e80118002af4508f2d2df288.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5768	schtasks.exe
2844	schtasks.exe
4052	schtasks.exe
4984	schtasks.exe
4824	schtasks.exe
2340	schtasks.exe
6060	schtasks.exe
3408	schtasks.exe
5556	schtasks.exe
3944	schtasks.exe
3920	schtasks.exe
4064	schtasks.exe
1712	schtasks.exe
3912	schtasks.exe
5896	schtasks.exe
4924	schtasks.exe
4940	schtasks.exe
2776	schtasks.exe
5604	schtasks.exe
4968	schtasks.exe
4484	schtasks.exe
3440	schtasks.exe
5744	schtasks.exe
5368	schtasks.exe
1976	schtasks.exe
2792	schtasks.exe
4264	schtasks.exe
3288	schtasks.exe
6056	schtasks.exe
1888	schtasks.exe
5768	schtasks.exe
5432	schtasks.exe
4676	schtasks.exe
6104	schtasks.exe
4312	schtasks.exe
1568	schtasks.exe
2336	schtasks.exe
5236	schtasks.exe
4840	schtasks.exe
3656	schtasks.exe
2828	schtasks.exe
320	schtasks.exe
5436	schtasks.exe
3820	schtasks.exe
5592	schtasks.exe
800	schtasks.exe
5508	schtasks.exe
6108	schtasks.exe
4924	schtasks.exe
2364	schtasks.exe
4900	schtasks.exe
4744	schtasks.exe
1276	schtasks.exe
4828	schtasks.exe
4292	schtasks.exe
1800	schtasks.exe
5948	schtasks.exe
1880	schtasks.exe
2028	schtasks.exe
2988	schtasks.exe
5496	schtasks.exe
4616	schtasks.exe
2828	schtasks.exe
5264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
2876	powershell.exe
2876	powershell.exe
4900	powershell.exe
4900	powershell.exe
6128	powershell.exe
6128	powershell.exe
5996	powershell.exe
5996	powershell.exe
5088	powershell.exe
5088	powershell.exe
2128	powershell.exe
2128	powershell.exe
5124	powershell.exe
5124	powershell.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
5236	cb81b6d0e80118002af4508f2d2df288.exe
2896	powershell.exe
2896	powershell.exe
3636	powershell.exe
3636	powershell.exe
6020	powershell.exe
6020	powershell.exe
5864	powershell.exe
5864	powershell.exe
2488	powershell.exe
2488	powershell.exe
5696	powershell.exe
5696	powershell.exe
2128	powershell.exe
4900	powershell.exe
6128	powershell.exe
5088	powershell.exe
2896	powershell.exe
2876	powershell.exe
2876	powershell.exe
5996	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	5236	cb81b6d0e80118002af4508f2d2df288.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	6128	powershell.exe
Token: SeDebugPrivilege	5996	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	5124	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	6020	powershell.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	5696	powershell.exe
Token: SeDebugPrivilege	688	cb81b6d0e80118002af4508f2d2df288.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	5312	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	5496	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2088	cb81b6d0e80118002af4508f2d2df288.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	6120	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4632	csrss.exe
Token: SeDebugPrivilege	2348	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5236 wrote to memory of 6128	5236	cb81b6d0e80118002af4508f2d2df288.exe	121
PID 5236 wrote to memory of 6128	5236	cb81b6d0e80118002af4508f2d2df288.exe	121
PID 5236 wrote to memory of 5088	5236	cb81b6d0e80118002af4508f2d2df288.exe	122
PID 5236 wrote to memory of 5088	5236	cb81b6d0e80118002af4508f2d2df288.exe	122
PID 5236 wrote to memory of 2488	5236	cb81b6d0e80118002af4508f2d2df288.exe	123
PID 5236 wrote to memory of 2488	5236	cb81b6d0e80118002af4508f2d2df288.exe	123
PID 5236 wrote to memory of 4900	5236	cb81b6d0e80118002af4508f2d2df288.exe	183
PID 5236 wrote to memory of 4900	5236	cb81b6d0e80118002af4508f2d2df288.exe	183
PID 5236 wrote to memory of 5996	5236	cb81b6d0e80118002af4508f2d2df288.exe	126
PID 5236 wrote to memory of 5996	5236	cb81b6d0e80118002af4508f2d2df288.exe	126
PID 5236 wrote to memory of 2896	5236	cb81b6d0e80118002af4508f2d2df288.exe	127
PID 5236 wrote to memory of 2896	5236	cb81b6d0e80118002af4508f2d2df288.exe	127
PID 5236 wrote to memory of 2876	5236	cb81b6d0e80118002af4508f2d2df288.exe	299
PID 5236 wrote to memory of 2876	5236	cb81b6d0e80118002af4508f2d2df288.exe	299
PID 5236 wrote to memory of 5696	5236	cb81b6d0e80118002af4508f2d2df288.exe	130
PID 5236 wrote to memory of 5696	5236	cb81b6d0e80118002af4508f2d2df288.exe	130
PID 5236 wrote to memory of 5864	5236	cb81b6d0e80118002af4508f2d2df288.exe	131
PID 5236 wrote to memory of 5864	5236	cb81b6d0e80118002af4508f2d2df288.exe	131
PID 5236 wrote to memory of 5124	5236	cb81b6d0e80118002af4508f2d2df288.exe	271
PID 5236 wrote to memory of 5124	5236	cb81b6d0e80118002af4508f2d2df288.exe	271
PID 5236 wrote to memory of 3636	5236	cb81b6d0e80118002af4508f2d2df288.exe	134
PID 5236 wrote to memory of 3636	5236	cb81b6d0e80118002af4508f2d2df288.exe	134
PID 5236 wrote to memory of 2128	5236	cb81b6d0e80118002af4508f2d2df288.exe	262
PID 5236 wrote to memory of 2128	5236	cb81b6d0e80118002af4508f2d2df288.exe	262
PID 5236 wrote to memory of 6020	5236	cb81b6d0e80118002af4508f2d2df288.exe	283
PID 5236 wrote to memory of 6020	5236	cb81b6d0e80118002af4508f2d2df288.exe	283
PID 5236 wrote to memory of 688	5236	cb81b6d0e80118002af4508f2d2df288.exe	147
PID 5236 wrote to memory of 688	5236	cb81b6d0e80118002af4508f2d2df288.exe	147
PID 688 wrote to memory of 736	688	cb81b6d0e80118002af4508f2d2df288.exe	208
PID 688 wrote to memory of 736	688	cb81b6d0e80118002af4508f2d2df288.exe	208
PID 688 wrote to memory of 448	688	cb81b6d0e80118002af4508f2d2df288.exe	209
PID 688 wrote to memory of 448	688	cb81b6d0e80118002af4508f2d2df288.exe	209
PID 688 wrote to memory of 1664	688	cb81b6d0e80118002af4508f2d2df288.exe	210
PID 688 wrote to memory of 1664	688	cb81b6d0e80118002af4508f2d2df288.exe	210
PID 688 wrote to memory of 5312	688	cb81b6d0e80118002af4508f2d2df288.exe	212
PID 688 wrote to memory of 5312	688	cb81b6d0e80118002af4508f2d2df288.exe	212
PID 688 wrote to memory of 4464	688	cb81b6d0e80118002af4508f2d2df288.exe	213
PID 688 wrote to memory of 4464	688	cb81b6d0e80118002af4508f2d2df288.exe	213
PID 688 wrote to memory of 540	688	cb81b6d0e80118002af4508f2d2df288.exe	214
PID 688 wrote to memory of 540	688	cb81b6d0e80118002af4508f2d2df288.exe	214
PID 688 wrote to memory of 5344	688	cb81b6d0e80118002af4508f2d2df288.exe	215
PID 688 wrote to memory of 5344	688	cb81b6d0e80118002af4508f2d2df288.exe	215
PID 688 wrote to memory of 2792	688	cb81b6d0e80118002af4508f2d2df288.exe	216
PID 688 wrote to memory of 2792	688	cb81b6d0e80118002af4508f2d2df288.exe	216
PID 688 wrote to memory of 5496	688	cb81b6d0e80118002af4508f2d2df288.exe	278
PID 688 wrote to memory of 5496	688	cb81b6d0e80118002af4508f2d2df288.exe	278
PID 688 wrote to memory of 752	688	cb81b6d0e80118002af4508f2d2df288.exe	218
PID 688 wrote to memory of 752	688	cb81b6d0e80118002af4508f2d2df288.exe	218
PID 688 wrote to memory of 644	688	cb81b6d0e80118002af4508f2d2df288.exe	219
PID 688 wrote to memory of 644	688	cb81b6d0e80118002af4508f2d2df288.exe	219
PID 688 wrote to memory of 4284	688	cb81b6d0e80118002af4508f2d2df288.exe	220
PID 688 wrote to memory of 4284	688	cb81b6d0e80118002af4508f2d2df288.exe	220
PID 688 wrote to memory of 2928	688	cb81b6d0e80118002af4508f2d2df288.exe	221
PID 688 wrote to memory of 2928	688	cb81b6d0e80118002af4508f2d2df288.exe	221
PID 688 wrote to memory of 2920	688	cb81b6d0e80118002af4508f2d2df288.exe	234
PID 688 wrote to memory of 2920	688	cb81b6d0e80118002af4508f2d2df288.exe	234
PID 2920 wrote to memory of 3944	2920	cmd.exe	236
PID 2920 wrote to memory of 3944	2920	cmd.exe	236
PID 2920 wrote to memory of 2088	2920	cmd.exe	316
PID 2920 wrote to memory of 2088	2920	cmd.exe	316
PID 2088 wrote to memory of 1712	2088	cb81b6d0e80118002af4508f2d2df288.exe	286
PID 2088 wrote to memory of 1712	2088	cb81b6d0e80118002af4508f2d2df288.exe	286
PID 2088 wrote to memory of 4432	2088	cb81b6d0e80118002af4508f2d2df288.exe	287
PID 2088 wrote to memory of 4432	2088	cb81b6d0e80118002af4508f2d2df288.exe	287

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cb81b6d0e80118002af4508f2d2df288.exe
"C:\Users\Admin\AppData\Local\Temp\cb81b6d0e80118002af4508f2d2df288.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/60739cf6f660743813/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/900323d723f1dd1206/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6020
- C:\Users\Admin\AppData\Local\Temp\cb81b6d0e80118002af4508f2d2df288.exe
  "C:\Users\Admin\AppData\Local\Temp\cb81b6d0e80118002af4508f2d2df288.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/60739cf6f660743813/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/900323d723f1dd1206/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DRqjMplmzP.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\cb81b6d0e80118002af4508f2d2df288.exe
      "C:\Users\Admin\AppData\Local\Temp\cb81b6d0e80118002af4508f2d2df288.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/60739cf6f660743813/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/900323d723f1dd1206/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3hmLaVAz9.bat"
        5⤵
        
        PID:5972
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5680
      - C:\60739cf6f660743813\csrss.exe
        
        "C:\60739cf6f660743813\csrss.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb738fef-d301-4911-819c-6e8a54870d31.vbs"
        7⤵
        
        PID:2088
        
        C:\60739cf6f660743813\csrss.exe
        
        C:\60739cf6f660743813\csrss.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fd71e95-3932-49dc-99d9-3df142f6f828.vbs"
        9⤵
        
        PID:656
        
        C:\60739cf6f660743813\csrss.exe
        
        C:\60739cf6f660743813\csrss.exe
        10⤵
        
        PID:5220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a62873c-98f8-460d-b179-428693329d52.vbs"
        11⤵
        
        PID:4492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b7bac3a-8252-4c0a-8f6e-bbf63927eb55.vbs"
        11⤵
        
        PID:4876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d4adde0-cdd2-437a-9871-3261ab7fbec2.vbs"
        9⤵
        
        PID:5996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28839319-19e7-4071-940d-c8d01cef84db.vbs"
        7⤵
        
        PID:5556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\60739cf6f660743813\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\60739cf6f660743813\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4764_811068770\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4764_811068770\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4764_811068770\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\900323d723f1dd1206\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\900323d723f1dd1206\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\backgroundTaskHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\60739cf6f660743813\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\60739cf6f660743813\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:5552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
1⤵
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\services.exe'" /f
1⤵
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\services.exe'" /rl HIGHEST /f
1⤵
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:6008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\encapsulation\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\encapsulation\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /f
1⤵
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\900323d723f1dd1206\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\60739cf6f660743813\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\60739cf6f660743813\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\60739cf6f660743813\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\60739cf6f660743813\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\taskhostw.exe'" /f
1⤵
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Links\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\60739cf6f660743813\SppExtComObj.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\60739cf6f660743813\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\60739cf6f660743813\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /f
1⤵
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
PID:5616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\900323d723f1dd1206\TrustedInstaller.exe'" /f
1⤵
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\900323d723f1dd1206\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
PID:5300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\900323d723f1dd1206\dwm.exe'" /rl HIGHEST /f
1⤵
PID:5540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\dwm.exe'" /rl HIGHEST /f
1⤵
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cb81b6d0e80118002af4508f2d2df288c" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\cb81b6d0e80118002af4508f2d2df288.exe'" /f
1⤵
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cb81b6d0e80118002af4508f2d2df288" /sc ONLOGON /tr "'C:\900323d723f1dd1206\cb81b6d0e80118002af4508f2d2df288.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cb81b6d0e80118002af4508f2d2df288c" /sc MINUTE /mo 12 /tr "'C:\900323d723f1dd1206\cb81b6d0e80118002af4508f2d2df288.exe'" /rl HIGHEST /f
1⤵
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\csrss.exe'" /f
1⤵
PID:5124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\60739cf6f660743813\csrss.exe'" /rl HIGHEST /f
1⤵
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\60739cf6f660743813\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:5780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv AKb7BTjKNU2bUMbUczjqhA.0.2
1⤵
PID:6020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\60739cf6f660743813\121e5b5079f7c0

Filesize
959B

MD5
be42078f7dab6237aab63d0faaada94a

SHA1
1d24d619eefbc2fdfcc8e2bc6636200bb09f4f81

SHA256
ea86a516acaa3e6a7e1a5e10f172899a8f3f97d0a519f4306c0524c1d0324cbe

SHA512
1d6dc705516b4d0d18eb67d97b6087f3ba99a0571019d2282d6c36a9544c3af0b3ffd434ea7427678e538b236409d7fc0cf2423dc2c97541a15dc31ec39648f6

Download Submit
C:\60739cf6f660743813\886983d96e3d3e

Filesize
207B

MD5
9a4325a181933bd3efcdbf7439028307

SHA1
5b59895612dc294fb7d011b7c232f15c419c79ff

SHA256
70cb3f3eb173a01e7287f4916d54c2b3909349a7f205098b7e13d655b0af9184

SHA512
ce85f12e2a51af5ba8722ad20733a1a4ccb7732d1606b9a3c77db6fde0f98f8aa6b10d2f0da1e126a19e829cebd1dad9a340ee50e2c9368b7f37a3b0f6f0c885

Download Submit
C:\60739cf6f660743813\csrss.exe

Filesize
5.9MB

MD5
0a26d4365d0083fdd87b57e83a77a78e

SHA1
c940e46f1afa478706ae679744637184594c0e50

SHA256
feb414876937ea8c6f838cf895aed52a2e15b434e03ec9b95bf522d6b10ec332

SHA512
e9674fe20ebc2a03f4f1a9f40cdc5e7b70a02a22fc68c0cbf72a4722234555f804cd940508b1144d7d5b08ac4e2cfc609d892f4076da3bd0c85ad32ab3a34c21

Download Submit
C:\900323d723f1dd1206\04c1e7795967e4

Filesize
942B

MD5
cf9c7fd3f5dcc891f7b3d4441e3c6a7e

SHA1
c1847b252b0e11e41070c0d55072b363449a34b6

SHA256
d80a99c4e46679f2ba6d159c6be92fe049f0605f3a880395f1d58a706abd9094

SHA512
f29cf7716573da5aa90ed4733b5bea3d68f758fd3a116cd0e8e8a0b2fd41ff77f961f9dc1e7062bfbf4e54decb54665510853e89b18cab9570388e77a2b2aea7

Download Submit
C:\900323d723f1dd1206\9e8d7a4ca61bd9

Filesize
281B

MD5
69c9efa293b114dc668f4788dc09bbaa

SHA1
2dafdbcadabec7816ac04881c7010ced7f1bdc23

SHA256
3ff9815242535c585abd4c981dd3903fa483550c605453ecb96ca7f21aec7f91

SHA512
be99b31b2ee8210ed2ee8928c779603a28dcf91143b9dcf26127775d4450701ccc01221c32929814dd26ef57a9f8fa6adccb7f3c936714b0ce876b98e4e5448c

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe

Filesize
5.9MB

MD5
cb81b6d0e80118002af4508f2d2df288

SHA1
d0f10e3d9df31a7528fda382bd759bb27af00920

SHA256
24ab80aa8bf163a7fc00cb6bfa5922269eb438ca6ce02da56016f6579106bfa2

SHA512
028e8bc13cce23c611bf8e1362dc1ceedce8b2d88af4fe8276ae1e631ccb90f3274a23a3e628bd45737a53efe1b08e6851db27823b6eb73b3105012b43083e34

Download Submit
C:\Recovery\WindowsRE\5b884080fd4f94

Filesize
865B

MD5
a2efd90616e38fe146bc6a8c8edd7820

SHA1
f21996eedfba1ddcdcdfacae3c5e824203959bb1

SHA256
528de1a9698bcdfb51bca372c83dfbe209ffe222e45a3fbf640dc065c5347203

SHA512
1c55b95bf9022182d18bacfd108fa605503bcb8ac3e3b296745055c8c30822139c1c13f4bf16b730de1916a8e33b2d3a9e4cbaf6866f4e2c8ce70a08b0859195

Download Submit
C:\Recovery\WindowsRE\9e8d7a4ca61bd9

Filesize
908B

MD5
74b529428960dd93c91beab148dc7768

SHA1
fd050a8b41b7fa122a6d907859aba2a52f57245f

SHA256
bda18dc2177bdd618aa2293af2a87e0fcefd7ebf6b06783ccd18fff5f0dc5b35

SHA512
12c89df9a4438aa60c039ed323197c5a8b18ef0b4e165836346e93dd88b29b1db2b76b35ae92e13cca27bc9e36c3102980dc597842dc4f9d50098bd24ab35474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cb81b6d0e80118002af4508f2d2df288.exe.log

Filesize
1KB

MD5
612072f28dae34eb75a144057666a2ba

SHA1
3b965a3b1b492b77c9cdbc86e04898bdd4eb948c

SHA256
ee0e6893ee76e6e771eea4116de524ce047ccdd04c7d6267a52b4a8e8198db26

SHA512
b0e397c2dac42d19f0864c223d6f2f74149de7d1d6f1e67d5da99695ac9ad1f6019d0ac392852d4c285182f97fec708dc01d0a6e5a8646d06e0da3ab863cd07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4021b258cd26ad91b3208444aca2f1

SHA1
617431aae43c616ecb3680101f01939d427479ef

SHA256
64edd4e5aafb2dd9117768e239f4368bc2a224de1ec5103a13d80f68ae74c00e

SHA512
5ede51408ee2b94b3d5e9cb192f59bff2ce7521d1f6704141ca40ff1d09b39700bf70b0e482ab55f45e206e0f73b215a2a6bff5e455e5916d2e35aa5122a3af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
091f20bbaff3637ace005fce1590be7b

SHA1
00d1ef232fc560231ff81adc227a8f2918235a29

SHA256
bd50b50b5e08067840cf1e6bb16f3ed0242649d826544899056db26876dec9fe

SHA512
ebc04d7de6bcbd6505c60432c6455bde985ac422cbda875ef5c1dd6ef44155ec0d43a882dd793e692d3723a257e3d12c48ac8c0dad7c21a99d446d4b3b257890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2cb0c163f92e343cbfa657ce4d842fb6

SHA1
0299696d7430f09f9e3d32aa5b95f01363b405f5

SHA256
c604c709aa50f7f59c87b4420713c8563bc5b80d9bce8f812d26e0a7c25d13f7

SHA512
780353a0fa086a96d6b186a4f38160b0521e972ccfa18803db64ecd2ef6d3c1c69ea4dba0b557f1cf7c1ff6ab8720e447e827c92549b6aea5a0ecacd0494b8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8e7675df15697eee65b731b90f33a5f

SHA1
8fe1308e032c5cb61b8ea50672fd650889cecdcd

SHA256
656a10810af26e008c2c5d4748b4a476b97b9fd5ef7837ae197feff6ec00b932

SHA512
fed3aa124a90998c734d36397f7fa6e26973bbeaa2c11b999ee05b0fb2378473b14765ca606f021c2f778613ce61f3a1c6836e955b7c6b192a7774973a945992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
76c4d3c87da7e0fe580b97f942028fe6

SHA1
d182259b34f7c96471edd28e97470888ffe150d1

SHA256
d9f1c9c92ee57bbb51767eeba0cdab1c3b11d4cd735f07fc206b6f2014f15439

SHA512
23466bc0414638ac0d90ecf79e47c21fbe7a0308acb69d64b4cc72ae6cf045b66147c54ae7488ca76391b0fffd7c7ca39d093789b25af720b8a0e62f3e0841ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3357c199be211a745818714039e25935

SHA1
7d50d07ff2e234f3d10a88363796cbd615b1e9a3

SHA256
668bb751b77a8c5c53c7efcb71e3ee9b2902388e0503e6d6ad3647587a0a0a38

SHA512
052751067bede3dba675313a1c0d88c0e76d62bbc903dbd9ba4cf2b8d03530716c021926bbe34242af9516a77e27df080d1cedde04d8cb51c88c1484ea8a1077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d14ccefeb263594e60b1765e131f7a3

SHA1
4a9ebdc0dff58645406c40b7b140e1b174756721

SHA256
57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

SHA512
2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cbc41bceec6e8cf6d23f68d952487858

SHA1
f52edbceff042ded7209e8be90ec5e09086d62eb

SHA256
b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d

SHA512
0f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e232627459d4d39d4f62ef240bbce08b

SHA1
502ed4a74502271cdde819daa632a894a24546bb

SHA256
dbd81702bec29aceb441d72cd3842769b02b35b689e313622af57df4e4c12708

SHA512
cc4dae212bd7f7823f417d8f119d9c42320d843d42123c3d8dbcf9a8db1ca38244be34568408f44744d30ca678feb4db3e788b6c346c67f1bea0710abbdd8bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1f545274ba19d9199a78f74cd05e8187

SHA1
4036cf78d3f310af42963c8f16ae27c5922b5dff

SHA256
3b4780cb2e226f4b05643c0b512960e694f21b35bbbe84d5c5e97628e1f8909c

SHA512
b0f66a6c32cb7f2f96b51c141ffe7df7f4fd61a792e6a3756f54b6d0df6f48d7a3bda23d46ee1e18a22ac995520fb9c4ca1b444d204bdd8f3e4b8651f59adc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9405862a3b15dc34824f6a0e5f077f4f

SHA1
bbe0000e06be94fa61d6e223fb38b1289908723d

SHA256
0a0869426bca171c080316948a4638a7152018ea5e07de97b2d51e0d90905210

SHA512
fc7ae988b81dec5b13ae9878350cd9d063538bfb2bc14f099087836ed54cd77a36bc7c4276fa075a80a3cd20e7620fa2ba5a8b5b7bf98698b10752749187148d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7e289a3d34516b4e7de2611b6c12f0b2

SHA1
e8e03cc1bfdc8ba943a4b3d63096972fa17709a0

SHA256
0b4cbf3ad8768569a414f60e265701cdf7ebb2d2f5a32519d72604ead942f97f

SHA512
ce91056d04768defa621cbd08c03892a5861ee620fcb9ee5a376f9f884ebb8bff7f53f28c351093baca1f7be767a37ed4e52ee7dc77fa6d5b645001c05b47ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a672fcf7facce635c83caf7b195d0bf8

SHA1
fec2f6c2456efe713ba08fa692a4a356f2f37ba8

SHA256
71945453f618f8cf9c2ddb24132d7e0522643e13ce42a59ff65476938f56082c

SHA512
12713a140e8a73c9dd8b3bc309e3ff1256c16ecd019d1ded31ab47c71651b11dcdcf48ef889805e5bc87bdeb323c5663ff34313cc41170d2d9b45051107dc31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17e45724e81fad9d4f4eda74fe6b349e

SHA1
0ef309ee5638e1055c0f0fe7cd693a5643a1e4a3

SHA256
444084a5dd84f5aeaa084a27da160ea4501574fbb27da9d7aab3c6c5b3269eb6

SHA512
c1b0dd77c2ae9c15843b3bac8de6874609ebeffa5e10e552b364340c51bde690ac563c132dbc14f93e68d3a7939ea840fa687eb1bd603d646acf88a3430b6e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3e242d3c4b39d344f66c494424020c61

SHA1
194e596f33d54482e7880e91dc05e0d247a46399

SHA256
f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

SHA512
27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e59140d6693b6a0f6a8617b45bdef9fe

SHA1
7157a22b2533d10fe8ed91d2c5782b44c79bbcde

SHA256
baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e

SHA512
117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cdf53a8d33065a245392f78709efa842

SHA1
8fc4d913b1dab05957039d0b833c881c407eccd3

SHA256
d315a04bcbf533b71ce12a01142bc160304c3a71cf8017cb569b16c066e529ac

SHA512
768e54a1f775e3bfc93d78a58c6a33b0b3a1a1559667990c6462bbeafab283747e91d11f93728a66505a8ffe70f5bdb2e3d16e10838a38905292ccf0947db7b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6115924914d99b02793be952e93f1b2d

SHA1
1d3d4b64d1a9d6b634caf6c7e6acb2151f689f8d

SHA256
471a4b98b4c5ad7326cafe5520c19ec60bb2eb11424d34e3260b2732b4991b86

SHA512
b52003ce863e808fd4cfabc6abdf39d479f174eb04104879f068f8ad1c068f3fc40b94f438bae6376729fedfeefab5322d07d3b2eebd5501cafff18f53de1e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8320aeea03d40a74715d8b9613f9d0cc

SHA1
09fcf3cf06de496b434aaf3181f5aed78731425e

SHA256
54d89ac6af0379f2fa8afc5137450f796cd22f70da2b6b68a299b23c521eb205

SHA512
7d6fd85c54a4c8a63069fa02cd8b892f448be8b11b97190653864a076bfe5f2d4061b354ce2e3ad8b49a0e482ee90992493bb823f5e6f664dc7ac3937a547dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b22bcc023ccf6782c755f5b743aa3a52

SHA1
141150057021a07fa6aa03f46c9f2fd5719b3eeb

SHA256
a977c9d6fc409dbc0abbaa17e306eca391657f1f3c974cf1b004826000b8d1b4

SHA512
05c78b755324319a86857f3d249cfc9cc0c6c51a4f8ee94350a1936853e323af668fa8ee224d60eea618f1a7684897c3ce24713365dbeeba02e7718cbe4b3b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4f473e15a0686d0c819ad40b5f232368

SHA1
a769892ae2e8203e7d4a992a317189b56723da33

SHA256
53d6c0d9a801d45fefdcec9b3ecf217fef683efc4e40ba9c72f0116ee4d20237

SHA512
d9b43132432078d5496688717253e58e7caab0dcbd20fc41fa8a718d11d699e93ee198f18be4243ed34bcf8912e1377888fe72ae5b26d920e765ab523f0bdf55

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fd71e95-3932-49dc-99d9-3df142f6f828.vbs

Filesize
707B

MD5
b5961d6828be6bcd37e316a3b2052616

SHA1
7ff796baf94be3f319f166dff0fb298507cd9e31

SHA256
df603055879386cd5a0ef2f0a46da86e2272b10a4ade5e0713a86604839cb0e1

SHA512
7f8bca889a387d67aaa02eaec4b24ebf11beaeb983293b75dc2ad4f5d299fc1840784591ea02497bea1354287113c5c5bd21046a9f0344349c361d46ac5e1f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\28839319-19e7-4071-940d-c8d01cef84db.vbs

Filesize
483B

MD5
9e78d558d2575cd3e4a56d7730a44a5e

SHA1
3f3c2d90f20ff649744859bb4bd9cf478cdaee39

SHA256
0b4817baeac1e619137c03593051f3c7921772297cf13b6af012a62aa8168fa8

SHA512
e06f2ac3b949abcd51958cc00022c3784f600511b4a45c851981645bb0d4a5248cf01590d1fe78da383644781fe85af32c516d6ca7065ac1406ded577acbfe44

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRqjMplmzP.bat

Filesize
235B

MD5
4f618da59bc0bfc6b8060f8ed0525336

SHA1
223aa3d56fd8e3432912eba66a5123e975d085f2

SHA256
d0905304055e3f7ae418beb393a2e54d14b2f8ab98d8af0e2e819073e0edd04c

SHA512
d55bfebccf2b4c313b8862f7d87e51c380acf1da6c276c88e8aea2c8f0a374a726b394494175eecb58b19f93af4c2d2913e53ffdc7132ed665ae2f065daad4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\W3hmLaVAz9.bat

Filesize
196B

MD5
a1cf55a0a95d518cf3f25f5ab4fdcab2

SHA1
1d05281d3a4b887a8fb6cdd270fb49a21c815549

SHA256
8209602dc94b2e8f6e692142e708de47c155340a322c631f0bcd966d988937a9

SHA512
6e248cfbdbe1ff9503bf4fbb655c68591e85f4744f36c462f55f94abee189f95beb810f578afdd96cfe4deb87c4129185281b537a7fcc04ebc0ad75e5b0da5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_grjdxemo.4f4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb738fef-d301-4911-819c-6e8a54870d31.vbs

Filesize
707B

MD5
b7a120817adcbf953db6d3707dae130c

SHA1
4387c7b8375c9f89d81d01774daa0305e9af9b77

SHA256
3c1a5e81e5bd54f691a6b0b25adf534facf882bb4b2d3e111912a0a66ce76b97

SHA512
03a0e3a57da2741bdfe6e4dd0814ffd84ec34f45b5f76c9f36648dad2ff55382aa81e29f968ba360d19b9486689788b49b4a4fc691684c873e92fb9871cee55e

Download Submit
memory/688-293-0x000000001B550000-0x000000001B562000-memory.dmp

Filesize
72KB

Download
memory/2088-522-0x000000001CD80000-0x000000001CD92000-memory.dmp

Filesize
72KB

Download
memory/2348-760-0x000000001E110000-0x000000001E122000-memory.dmp

Filesize
72KB

Download
memory/4632-746-0x000000001D9B0000-0x000000001DA06000-memory.dmp

Filesize
344KB

Download
memory/4632-745-0x000000001D980000-0x000000001D992000-memory.dmp

Filesize
72KB

Download
memory/4900-152-0x000001F0342A0000-0x000001F0342C2000-memory.dmp

Filesize
136KB

Download
memory/5220-771-0x000000001DBA0000-0x000000001DBB2000-memory.dmp

Filesize
72KB

Download
memory/5236-33-0x000000001CBF0000-0x000000001CBFA000-memory.dmp

Filesize
40KB

Download
memory/5236-37-0x000000001CD40000-0x000000001CD48000-memory.dmp

Filesize
32KB

Download
memory/5236-12-0x000000001C000000-0x000000001C008000-memory.dmp

Filesize
32KB

Download
memory/5236-14-0x000000001C230000-0x000000001C23C000-memory.dmp

Filesize
48KB

Download
memory/5236-10-0x000000001BFD0000-0x000000001BFE0000-memory.dmp

Filesize
64KB

Download
memory/5236-15-0x000000001C9A0000-0x000000001C9A8000-memory.dmp

Filesize
32KB

Download
memory/5236-17-0x000000001C9B0000-0x000000001C9BA000-memory.dmp

Filesize
40KB

Download
memory/5236-20-0x000000001CA20000-0x000000001CA28000-memory.dmp

Filesize
32KB

Download
memory/5236-21-0x000000001CA30000-0x000000001CA3C000-memory.dmp

Filesize
48KB

Download
memory/5236-22-0x000000001CA40000-0x000000001CA48000-memory.dmp

Filesize
32KB

Download
memory/5236-25-0x000000001CFF0000-0x000000001D518000-memory.dmp

Filesize
5.2MB

Download
memory/5236-27-0x000000001CA90000-0x000000001CA9C000-memory.dmp

Filesize
48KB

Download
memory/5236-28-0x000000001CAA0000-0x000000001CAA8000-memory.dmp

Filesize
32KB

Download
memory/5236-29-0x000000001CAC0000-0x000000001CACC000-memory.dmp

Filesize
48KB

Download
memory/5236-30-0x000000001CAD0000-0x000000001CADC000-memory.dmp

Filesize
48KB

Download
memory/5236-31-0x000000001CD30000-0x000000001CD38000-memory.dmp

Filesize
32KB

Download
memory/5236-8-0x000000001C850000-0x000000001C8A0000-memory.dmp

Filesize
320KB

Download
memory/5236-34-0x000000001CC00000-0x000000001CC0E000-memory.dmp

Filesize
56KB

Download
memory/5236-35-0x000000001CD10000-0x000000001CD18000-memory.dmp

Filesize
32KB

Download
memory/5236-264-0x00007FF803C10000-0x00007FF8046D1000-memory.dmp

Filesize
10.8MB

Download
memory/5236-36-0x000000001CD20000-0x000000001CD2E000-memory.dmp

Filesize
56KB

Download
memory/5236-11-0x000000001BFE0000-0x000000001BFF6000-memory.dmp

Filesize
88KB

Download
memory/5236-38-0x000000001CD50000-0x000000001CD5C000-memory.dmp

Filesize
48KB

Download
memory/5236-39-0x000000001CD60000-0x000000001CD68000-memory.dmp

Filesize
32KB

Download
memory/5236-40-0x000000001CD70000-0x000000001CD7A000-memory.dmp

Filesize
40KB

Download
memory/5236-41-0x000000001CD80000-0x000000001CD8C000-memory.dmp

Filesize
48KB

Download
memory/5236-32-0x000000001CBE0000-0x000000001CBEC000-memory.dmp

Filesize
48KB

Download
memory/5236-26-0x000000001CA80000-0x000000001CA8C000-memory.dmp

Filesize
48KB

Download
memory/5236-24-0x000000001CA50000-0x000000001CA62000-memory.dmp

Filesize
72KB

Download
memory/5236-19-0x000000001CA10000-0x000000001CA1C000-memory.dmp

Filesize
48KB

Download
memory/5236-18-0x000000001C9C0000-0x000000001CA16000-memory.dmp

Filesize
344KB

Download
memory/5236-16-0x000000001CAB0000-0x000000001CAC0000-memory.dmp

Filesize
64KB

Download
memory/5236-13-0x000000001C010000-0x000000001C022000-memory.dmp

Filesize
72KB

Download
memory/5236-5-0x000000001BF80000-0x000000001BF8E000-memory.dmp

Filesize
56KB

Download
memory/5236-9-0x000000001BFC0000-0x000000001BFC8000-memory.dmp

Filesize
32KB

Download
memory/5236-0-0x00007FF803C13000-0x00007FF803C15000-memory.dmp

Filesize
8KB

Download
memory/5236-4-0x0000000003550000-0x000000000355E000-memory.dmp

Filesize
56KB

Download
memory/5236-3-0x00007FF803C10000-0x00007FF8046D1000-memory.dmp

Filesize
10.8MB

Download
memory/5236-2-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/5236-6-0x000000001BF90000-0x000000001BF98000-memory.dmp

Filesize
32KB

Download
memory/5236-1-0x0000000000B80000-0x0000000001478000-memory.dmp

Filesize
9.0MB

Download
memory/5236-7-0x000000001BFA0000-0x000000001BFBC000-memory.dmp

Filesize
112KB

Download