zgrat | 747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Size

1.6MB
MD5

0d6496f71fd24be93348c354faf7dfa6
SHA1

47f195a3996d4e3bd051d54e879d1ae68d2ed9a0
SHA256

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9
SHA512

0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c
SSDEEP

49152:TGJ95iN4KodXZCQRBHt268KDDljKrTrv:iJ9Z3dXLrHt2nYDKX

Score

10^/10

zgrat execution persistence rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/4076-1-0x0000000000F80000-0x000000000112C000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023280-23.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\msedge.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\RuntimeBroker.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\dllhost.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\dllhost.exe\", \"C:\\odt\\Idle.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\dllhost.exe\", \"C:\\odt\\Idle.exe\", \"C:\\odt\\csrss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\dllhost.exe\", \"C:\\odt\\Idle.exe\", \"C:\\odt\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	4924	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4924	schtasks.exe	91

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

resource	yara_rule
behavioral2/memory/4076-1-0x0000000000F80000-0x000000000112C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0007000000023280-23.dat	INDICATOR_EXE_Packed_DotNetReactor

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4524	powershell.exe
1420	powershell.exe
368	powershell.exe
536	powershell.exe
448	powershell.exe
404	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 14 IoCs

pid	Process
4476	csrss.exe
4168	csrss.exe
2988	csrss.exe
4152	msedge.exe
5076	csrss.exe
3616	csrss.exe
4492	csrss.exe
456	csrss.exe
912	csrss.exe
3484	csrss.exe
3876	csrss.exe
2744	csrss.exe
3732	csrss.exe
2592	csrss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Admin\\msedge.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Admin\\msedge.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\RuntimeBroker.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\dllhost.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\odt\\Idle.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\RuntimeBroker.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\dllhost.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\odt\\Idle.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\odt\\csrss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD5C7933DBAF3419BA7C96425A2AE4F8.TMP	csc.exe
File created	\??\c:\Windows\System32\_iyiwy.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\5940a34987c991	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC3791067D5E37485B9D3798EE555CD41E.TMP	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1508	schtasks.exe
212	schtasks.exe
1092	schtasks.exe
4988	schtasks.exe
1740	schtasks.exe
4264	schtasks.exe
4132	schtasks.exe
4716	schtasks.exe
3872	schtasks.exe
3912	schtasks.exe
1812	schtasks.exe
1444	schtasks.exe
3388	schtasks.exe
3384	schtasks.exe
2676	schtasks.exe
3200	schtasks.exe
1440	schtasks.exe
4900	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	csrss.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2964	PING.EXE
3952	PING.EXE
2192	PING.EXE
1404	PING.EXE
4116	PING.EXE
2336	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
536	powershell.exe
536	powershell.exe
404	powershell.exe
404	powershell.exe
448	powershell.exe
448	powershell.exe
1420	powershell.exe
1420	powershell.exe
368	powershell.exe
368	powershell.exe
448	powershell.exe
4524	powershell.exe
4524	powershell.exe
536	powershell.exe
368	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4476	csrss.exe
Token: SeDebugPrivilege	4168	csrss.exe
Token: SeDebugPrivilege	2988	csrss.exe
Token: SeDebugPrivilege	5076	csrss.exe
Token: SeDebugPrivilege	3616	csrss.exe
Token: SeDebugPrivilege	4492	csrss.exe
Token: SeDebugPrivilege	456	csrss.exe
Token: SeDebugPrivilege	912	csrss.exe
Token: SeDebugPrivilege	3484	csrss.exe
Token: SeDebugPrivilege	3876	csrss.exe
Token: SeDebugPrivilege	2744	csrss.exe
Token: SeDebugPrivilege	3732	csrss.exe
Token: SeDebugPrivilege	2592	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 2980	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	95
PID 4076 wrote to memory of 2980	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	95
PID 2980 wrote to memory of 4964	2980	csc.exe	97
PID 2980 wrote to memory of 4964	2980	csc.exe	97
PID 4076 wrote to memory of 4496	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	98
PID 4076 wrote to memory of 4496	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	98
PID 4496 wrote to memory of 3968	4496	csc.exe	100
PID 4496 wrote to memory of 3968	4496	csc.exe	100
PID 4076 wrote to memory of 4524	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	116
PID 4076 wrote to memory of 4524	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	116
PID 4076 wrote to memory of 404	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	117
PID 4076 wrote to memory of 404	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	117
PID 4076 wrote to memory of 448	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	118
PID 4076 wrote to memory of 448	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	118
PID 4076 wrote to memory of 536	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	119
PID 4076 wrote to memory of 536	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	119
PID 4076 wrote to memory of 368	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	120
PID 4076 wrote to memory of 368	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	120
PID 4076 wrote to memory of 1420	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	121
PID 4076 wrote to memory of 1420	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	121
PID 4076 wrote to memory of 832	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	128
PID 4076 wrote to memory of 832	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	128
PID 832 wrote to memory of 4988	832	cmd.exe	130
PID 832 wrote to memory of 4988	832	cmd.exe	130
PID 832 wrote to memory of 4900	832	cmd.exe	131
PID 832 wrote to memory of 4900	832	cmd.exe	131
PID 832 wrote to memory of 4476	832	cmd.exe	135
PID 832 wrote to memory of 4476	832	cmd.exe	135
PID 4476 wrote to memory of 2196	4476	csrss.exe	137
PID 4476 wrote to memory of 2196	4476	csrss.exe	137
PID 2196 wrote to memory of 1376	2196	cmd.exe	139
PID 2196 wrote to memory of 1376	2196	cmd.exe	139
PID 2196 wrote to memory of 2192	2196	cmd.exe	140
PID 2196 wrote to memory of 2192	2196	cmd.exe	140
PID 2196 wrote to memory of 4168	2196	cmd.exe	144
PID 2196 wrote to memory of 4168	2196	cmd.exe	144
PID 4168 wrote to memory of 4028	4168	csrss.exe	145
PID 4168 wrote to memory of 4028	4168	csrss.exe	145
PID 4028 wrote to memory of 2336	4028	cmd.exe	147
PID 4028 wrote to memory of 2336	4028	cmd.exe	147
PID 4028 wrote to memory of 4636	4028	cmd.exe	148
PID 4028 wrote to memory of 4636	4028	cmd.exe	148
PID 4028 wrote to memory of 2988	4028	cmd.exe	149
PID 4028 wrote to memory of 2988	4028	cmd.exe	149
PID 2988 wrote to memory of 936	2988	csrss.exe	150
PID 2988 wrote to memory of 936	2988	csrss.exe	150
PID 936 wrote to memory of 3432	936	cmd.exe	152
PID 936 wrote to memory of 3432	936	cmd.exe	152
PID 936 wrote to memory of 1404	936	cmd.exe	153
PID 936 wrote to memory of 1404	936	cmd.exe	153
PID 936 wrote to memory of 5076	936	cmd.exe	155
PID 936 wrote to memory of 5076	936	cmd.exe	155
PID 5076 wrote to memory of 1664	5076	csrss.exe	156
PID 5076 wrote to memory of 1664	5076	csrss.exe	156
PID 1664 wrote to memory of 2296	1664	cmd.exe	158
PID 1664 wrote to memory of 2296	1664	cmd.exe	158
PID 1664 wrote to memory of 4116	1664	cmd.exe	159
PID 1664 wrote to memory of 4116	1664	cmd.exe	159
PID 1664 wrote to memory of 3616	1664	cmd.exe	160
PID 1664 wrote to memory of 3616	1664	cmd.exe	160
PID 3616 wrote to memory of 1048	3616	csrss.exe	161
PID 3616 wrote to memory of 1048	3616	csrss.exe	161
PID 1048 wrote to memory of 2304	1048	cmd.exe	163
PID 1048 wrote to memory of 2304	1048	cmd.exe	163

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
"C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ta2g4ndp\ta2g4ndp.cmdline"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29DA.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC3791067D5E37485B9D3798EE555CD41E.TMP"
    3⤵
    PID:4964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k5arxfaw\k5arxfaw.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BBE.tmp" "c:\Windows\System32\CSCD5C7933DBAF3419BA7C96425A2AE4F8.TMP"
    3⤵
    PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DcZ7UUIR3W.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4988
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4900
- - C:\odt\csrss.exe
    "C:\odt\csrss.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R64HSi6Xsg.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1376
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2192
    - - C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u4X4n42Gpx.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4636
        
        C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwaRxMoVB5.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:1404
        
        C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iHhOMNMslr.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:4116
        
        C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3VSOeTt4rz.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:836
        
        C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lQjAOk5IUW.bat"
        14⤵
        
        PID:3264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:2336
        
        C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\euqVpFfbpH.bat"
        16⤵
        
        PID:3592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3848
        
        C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bCL7Nxg3GW.bat"
        18⤵
        
        PID:3700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:2964
        
        C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7sJHAbaLmY.bat"
        20⤵
        
        PID:3508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1088
        
        C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R64HSi6Xsg.bat"
        22⤵
        
        PID:3996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:3952
        
        C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6dU9gqbUad.bat"
        24⤵
        
        PID:3264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3128
        
        C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u4X4n42Gpx.bat"
        26⤵
        
        PID:4368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2768
        
        C:\odt\csrss.exe
        
        "C:\odt\csrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3VSOeTt4rz.bat"
        28⤵
        
        PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Admin\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a97" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a97" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3872 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
- Executes dropped EXE
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4KB

MD5
2c778c019b04a18380f4f89ba6ad93ef

SHA1
494f42e8afdd926c3a8ab5a4425435474f3527a4

SHA256
4cbd0e2330ba91e23dca2362a1ad1ceb29286d97f06086641488c0d95e92e888

SHA512
e763b9b98feb519bf4366d3cd196497de8685271d0033f1aa64b3417ba9f022f49ed4aba36af15285af2ef7f405f0343cef1b71db8e642f2c2d0019ec5599d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
11aa02596ceccef38b448c52a899f470

SHA1
6da94dc9579e969d39d5e65c066af3a5251e39b4

SHA256
e778ec777a79a1a9c9a3b605ab9681558395d2f3ef46f6c34dca1e00dcd771fd

SHA512
5de4fd51ae76cce8de25c5257ee873a71668acdf407bc3351410f9f840a9b074099d4c018657d2cc8f33273e6fd03e4365165e4834ba12c052d735212bf5d0d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
120B

MD5
dcb8b186bc0f1fcb8010bae519a06373

SHA1
b9f967c6cfa5460d6bdc78564f25655671529a2c

SHA256
37a6332bf9a2e503474f58cc0e8a7c27348e2e985497c0263b24afa9016b5505

SHA512
30ef7f3aba4133a4972fc498f0029d2baf927597d52c8b7bd223a2fab70c88fdc56a26135116d76600381ab24c454e6102b348cbed793d76a59f7c4b501f61c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3VSOeTt4rz.bat

Filesize
192B

MD5
c0e9f10660ea4105c8e7459e7e9ff8bb

SHA1
ae347339b3e4a8aebb7409fcb78090cacdbdd9b5

SHA256
6dcc68a1c9bd962ad84864cd5de33040e88d79a7547a27c6148a755d227695f2

SHA512
abafd36f09f30418a078751a5720903cb81d6204cc9e8a1d5d559942713e07a9b6ada79f096fbffa2e8160fdf50f46ee062626007ec033678a94c21ab821cce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dU9gqbUad.bat

Filesize
192B

MD5
5fb8db0b8cf37c4064bcc46aa7d9ab69

SHA1
be296a38ffc2f4947f3d93564cba2f7048a320e4

SHA256
9d555acc9cbb86eab433edeef86f458c98b10c83140d75399affbdc9aa4ab279

SHA512
fad61a753da3240310b2439405dc244cd77210173678b7229b42dae7c1729347cb6f3e546cadf077c9f9381ea595bf9fae328191a46580d395bbae827f0ed53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7sJHAbaLmY.bat

Filesize
192B

MD5
16d6b410b1042bc644f894bbedf27ee0

SHA1
de39a215687a6bee567fc12bbdb03c53cdd7e511

SHA256
405c77b222b97fe9b2c5fc0abce6044ae43c668abf8d9659ec008dd8b99c88f2

SHA512
21cc8ce6a7fcb73fd4ef77ab0cec979c2db45c03fbc9045cd198376507ab26e2af2a1366959483525732b24abad40040ea82c431ef7c4a1bcd1c862c6c1562f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcZ7UUIR3W.bat

Filesize
192B

MD5
fa01ce08a3c34c08c106f6efe2b0938e

SHA1
ff321f33c0dc709b797236659ebffed948c23385

SHA256
6cd086bf3978b7987673344fd0ecad9cfc7aaff9260a0f380730bdaba3a4c945

SHA512
f349d79f79fea90274e95ca92a939d4bb2594f57d5187090add0f46824ec1be60abe96678fd24711e59a5cdbda79636725980f6de2ccd6d99c619aefbec7c857

Download Submit
C:\Users\Admin\AppData\Local\Temp\R64HSi6Xsg.bat

Filesize
144B

MD5
0f91a55c2daa6d80039b4b8895b5c5b1

SHA1
2bda5e32336d7c1f7febdcd51e39c50e3edd2cd7

SHA256
480704469a30306ade17c5152fef70f5e0f617ae21d29a338f7192aa35e45246

SHA512
b7d031e4bc4aa3c4c1abe26d59c8a26b44c7802fd13214e05e664e17b05709c73fd70f2181ce28817c27b4bab653a2aca4465e24188a1f100acfbe718763b9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29DA.tmp

Filesize
1KB

MD5
cc347dc9f4153198e518d69f79af0062

SHA1
3fd4ced857846751fa22519b4ea73bc2b124f047

SHA256
ae3087243a52fb5837710681b206add265ef463bb29c786b9b272f778c6ac969

SHA512
0da7353cc066a67e6e44106892642b7ebbcb0ecf23358bc548f124961179e1b30d36dfed07a7390d17d366a8b871b367579d5f831eb17c3bb94d8b38ff221dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2BBE.tmp

Filesize
1KB

MD5
88ec528a3634c047d662b2ea85e37ccb

SHA1
699b901b92f9d4e950d53711cd121f4bb730b803

SHA256
edadb3ee0db8e3f4abc40110525e8f76e5695bb20581fe54790fb253cb3852de

SHA512
d89defff4cefdeddc727a79bb5c70945a8a49a37d2a592260579141471d7f7b83425c882171076f90cc709fb5a5855cc88dab2a70fa0a69c7bb438578f191ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwaRxMoVB5.bat

Filesize
144B

MD5
be2268585b39969393272acfbe2abb5e

SHA1
f5d48a801a6c20272bdf303037ae4120780cbc9c

SHA256
234e65b5dc7e080b1f0e9dd8ec7c39486e6d70b43f9a221dd3cf18a0e977cb6a

SHA512
2bf6d122e1d5a1e084ef51280c83e501e7aa93280e97da833500f469f13df627d7a670c165b077abc6f5570a201f8454996fb5e0c49f0a2739d72155add81194

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_adfuroq2.bqn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCL7Nxg3GW.bat

Filesize
144B

MD5
14687aa0d595f98d11dac6a87f39a263

SHA1
65cf4d5fe1f7e2db4f5876d2ac538af786344ddc

SHA256
738d462700819968addc7f100c36e2315510f41fb6dab117f0c05c76296396f4

SHA512
bf5dc6390884942b752cf8fdb5973627f512f75dc97944eb2ebd3a488879b005925daf625a9a3937565a2b3c668ea73ee72e41984e0d9103fcee83753f0ad669

Download Submit
C:\Users\Admin\AppData\Local\Temp\euqVpFfbpH.bat

Filesize
192B

MD5
7d6ca04264025c3b626272a8e45d08b2

SHA1
a731a7ef44794085584f86da76b55136acc18d24

SHA256
eca357e4fab126c45ac9ab23358a01289b2565bba20b6ec7e83520494c679313

SHA512
a3fe3153f059b80294bb732f32e0bd5cb9f136bd31a52e1a450a0100e5b0210d888fc5a376d6451819b6e1a905a24d3212c8d63860907c89923b5d0fdd8f4490

Download Submit
C:\Users\Admin\AppData\Local\Temp\iHhOMNMslr.bat

Filesize
144B

MD5
7251a4a338c91636b5b32c88d4a07522

SHA1
e67821016d74bf181836767f5ece06a6f313b44c

SHA256
2c575804529cd965649af24f2801cf0e6a6a5f7fa00d00755d59035dc7303b85

SHA512
68b7ba8c2b6ecb3d53e4b875b511fceecc6faba7b409358aedea6fff00668ee652412c3eeba8ca34884654d72a98c6e7ff94ee68b9a22861ec2e8c1bccc1f375

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQjAOk5IUW.bat

Filesize
144B

MD5
7d51ad7119295243674b742d1a0443d6

SHA1
54beda051bc7dc69419e450abdc9db93351754fe

SHA256
93a86e74a9256c5bc862ce8d7f55cab8e6adb64daa5eb4a075872422b7b18980

SHA512
07f780e7526fdea4eec5654ef3c495a6734d16dd56a0807e8862ae61cf07a9b77be76c342c144a85878c6f170b5e08e2ea59d4bd2592fb2ed4731a154121224a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4X4n42Gpx.bat

Filesize
192B

MD5
270847a21da633ce376e2345c588e075

SHA1
95bc27fd9293412e49549fedef62b64e289a2ca9

SHA256
4fc2d1b450c3062a1dc48edc23cf60ab9c9c16a0c06e1f91b068fd0cd9b6f76b

SHA512
6d6aaf81743c4903e38b87a6a5d4dd7debb03de33776aa12341357c467768970f82871a7bf943e9b90a5a694352b61e99d270caa96dc24df2254a7c12760d26d

Download Submit
C:\Users\Admin\msedge.exe

Filesize
1.6MB

MD5
0d6496f71fd24be93348c354faf7dfa6

SHA1
47f195a3996d4e3bd051d54e879d1ae68d2ed9a0

SHA256
747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

SHA512
0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC3791067D5E37485B9D3798EE555CD41E.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k5arxfaw\k5arxfaw.0.cs

Filesize
357B

MD5
3d9132cd7adf5ae60c8033171c22f313

SHA1
8b43f97898730074a6ca529a83f811315427858e

SHA256
1a18165fef01746bcb518965b0ea42232a3f0c91ce0ae904aa07b92a965e520e

SHA512
8e73e0da7c4c26bbd76d331cd5c6a3055f8f3f36bc5c7ea561c265beb590d64a01cb9eb623a357b3f9d2a5a2fd77101d3a7846895fab3879ec1d4317d2ae47f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k5arxfaw\k5arxfaw.cmdline

Filesize
235B

MD5
b13c04e4ebec114a118a51aaeba3fe2e

SHA1
0af0ac6acf430aebfab276d693daae3c6bcb6a12

SHA256
6bdca2310442a28810473758b403d46428f44fc86052ed65a083b6b715a9945a

SHA512
fd9be485f1a0b38ee924fa07ac62ab3302530863404b13362a1ab4f76148bac753e56f25583725fec16da5173500052a44facd4c479958034217832936fd86ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ta2g4ndp\ta2g4ndp.0.cs

Filesize
387B

MD5
d2471447ca3a283b18753965a0051959

SHA1
8a9a210fea5d51ab8df290d35c3e8b0a2266b006

SHA256
26d02c6e34ba9559adda54cd4563bf886f46a746ec6db2c458a8d73ed1598d39

SHA512
94cf94852894b3a327c61a4af8e82e602f8db25431eb8b0390e8a5a01aa7823500ec8ab08573c66d9af8fe3dcb3fa135f15d008ce9c7acae55ead122fdcc1857

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ta2g4ndp\ta2g4ndp.cmdline

Filesize
265B

MD5
707dc06dfd39596e713d58655b32d6e1

SHA1
33886b488dafd28bc5d4c35e945f96b6f299ade0

SHA256
73b9240460de40c8c846eb59948c1a0d86e42373bd4af40b780c56ecfc6e2dc3

SHA512
94745686b7a557e76d2e6f1263a72bdb7675871f33823b5f5a15e8e3e5c0824e90aa46196ce2ee3de6e95f6cc7803247ccbcdc2ee9d7ff3d226709b90e094376

Download Submit
\??\c:\Windows\System32\CSCD5C7933DBAF3419BA7C96425A2AE4F8.TMP

Filesize
1KB

MD5
188249e3f31caa0264351fc374794895

SHA1
323a707d1a37ac8cbae6d6e502cc850f69ae2e15

SHA256
1bf68148c555d0e84720c497dcf3ad708da300ee7472df12c9307a3acd4abde1

SHA512
28a0d97e83b6b6d10c0114166e8f23845663a34c8f262aa5a31ffb885abe232badb6f95bba99b8688559cac81f8ff93c3609ac363d8903d35f535d7c5e1e02d5

Download Submit
memory/404-53-0x0000020F32F30000-0x0000020F32F52000-memory.dmp

Filesize
136KB

Download
memory/456-191-0x000000001D740000-0x000000001D7E9000-memory.dmp

Filesize
676KB

Download
memory/912-200-0x000000001D540000-0x000000001D5E9000-memory.dmp

Filesize
676KB

Download
memory/2592-245-0x000000001C340000-0x000000001C3E9000-memory.dmp

Filesize
676KB

Download
memory/2744-227-0x000000001CD40000-0x000000001CDE9000-memory.dmp

Filesize
676KB

Download
memory/2988-154-0x000000001DFF0000-0x000000001E099000-memory.dmp

Filesize
676KB

Download
memory/3484-209-0x000000001BF40000-0x000000001BFE9000-memory.dmp

Filesize
676KB

Download
memory/3616-173-0x000000001D4F0000-0x000000001D599000-memory.dmp

Filesize
676KB

Download
memory/3732-236-0x000000001CD40000-0x000000001CDE9000-memory.dmp

Filesize
676KB

Download
memory/3876-218-0x000000001B920000-0x000000001B9C9000-memory.dmp

Filesize
676KB

Download
memory/4076-9-0x00000000031C0000-0x00000000031CC000-memory.dmp

Filesize
48KB

Download
memory/4076-15-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-0-0x00007FFCA3103000-0x00007FFCA3105000-memory.dmp

Filesize
8KB

Download
memory/4076-7-0x00000000031B0000-0x00000000031BE000-memory.dmp

Filesize
56KB

Download
memory/4076-5-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-96-0x000000001C390000-0x000000001C439000-memory.dmp

Filesize
676KB

Download
memory/4076-110-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-10-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-4-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-11-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-3-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-1-0x0000000000F80000-0x000000000112C000-memory.dmp

Filesize
1.7MB

Download
memory/4076-2-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-21-0x00007FFCA3100000-0x00007FFCA3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-145-0x000000001D5F0000-0x000000001D699000-memory.dmp

Filesize
676KB

Download
memory/4476-135-0x000000001C120000-0x000000001C1C9000-memory.dmp

Filesize
676KB

Download
memory/4492-182-0x000000001D4F0000-0x000000001D599000-memory.dmp

Filesize
676KB

Download
memory/5076-164-0x000000001DAF0000-0x000000001DB99000-memory.dmp

Filesize
676KB

Download