dcrat | 5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
Size

3.0MB
MD5

06d247f5cee1e9380b7cff8cfa4cdb70
SHA1

fa12163a5c3cff690d5bff9696a68a9df0789c8c
SHA256

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052
SHA512

c5e7013c86405be9d8fe3aa2b732092b3e6f58f7ae84fe51ac5b0dd7a363fc5458b1bed3fe0f81cfa168df272e62c0d0ad16965a71cbef9439d1403a3f37d0c3
SSDEEP

49152:wZ2fRPDpkR3/hESpjo4uLDI3KoSPq3cXtFvOUcx3twYvr0G56/FBwzpTZoKh:k7ZJ89LDSKrq3iGnnw+1YXw9OK

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	284	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	284	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2744-21-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2744-19-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2744-17-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2744-14-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat
behavioral1/memory/2744-13-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2804	powershell.exe
2812	powershell.exe
2784	powershell.exe
2260	powershell.exe
2508	powershell.exe
2720	powershell.exe
1336	powershell.exe
772	powershell.exe
1272	powershell.exe
1972	powershell.exe
1652	powershell.exe
2728	powershell.exe

Executes dropped EXE 6 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid process

1560 spoolsv.exe
2192 spoolsv.exe
608 spoolsv.exe
2636 spoolsv.exe
2716 spoolsv.exe
2564 spoolsv.exe

pid	process
1560	spoolsv.exe
2192	spoolsv.exe
608	spoolsv.exe
2636	spoolsv.exe
2716	spoolsv.exe
2564	spoolsv.exe

Loads dropped DLL 7 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exespoolsv.exe

pid	process
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
1560	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

description	pid	process	target process
PID 2420 set thread context of 2744	2420	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

Drops file in Program Files directory 25 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

description	ioc	process
File created	C:\Program Files\MSBuild\c5b4cb5e9653cc	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\0a1fd5f707cd16	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXD2E6.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RCXD981.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files\MSBuild\RCXC9E8.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files\MSBuild\services.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXCE01.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXE658.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files (x86)\Windows Portable Devices\winlogon.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXCE6F.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files\MSBuild\services.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\winlogon.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXD2E5.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXE678.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\taskhost.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\b75386f1303e64	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files\MSBuild\RCXC9E9.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RCXD980.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\taskhost.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

Drops file in Windows directory 15 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

description	ioc	process
File created	C:\Windows\Logs\DPX\b75386f1303e64	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\Media\Festival\6cb0b6c459d5d3	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Media\Festival\dwm.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Media\RCXCBEE.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Media\spoolsv.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\Media\spoolsv.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\Media\f3b6ecef712a24	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Media\RCXCBED.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Logs\DPX\RCXD4F9.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Media\Festival\RCXEB5B.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\Logs\DPX\taskhost.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\Media\Festival\dwm.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Logs\DPX\RCXD4FA.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Logs\DPX\taskhost.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Media\Festival\RCXEBC9.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
1272	schtasks.exe
1392	schtasks.exe
2024	schtasks.exe
2812	schtasks.exe
1916	schtasks.exe
2892	schtasks.exe
868	schtasks.exe
2920	schtasks.exe
1788	schtasks.exe
2772	schtasks.exe
2220	schtasks.exe
2424	schtasks.exe
292	schtasks.exe
920	schtasks.exe
2148	schtasks.exe
2112	schtasks.exe
2032	schtasks.exe
2544	schtasks.exe
3044	schtasks.exe
2832	schtasks.exe
2972	schtasks.exe
1332	schtasks.exe
1128	schtasks.exe
1484	schtasks.exe
3004	schtasks.exe
2492	schtasks.exe
1504	schtasks.exe
2988	schtasks.exe
1988	schtasks.exe
2344	schtasks.exe
2172	schtasks.exe
1276	schtasks.exe
840	schtasks.exe
2728	schtasks.exe
1056	schtasks.exe
1452	schtasks.exe
532	schtasks.exe
484	schtasks.exe
1564	schtasks.exe
988	schtasks.exe
2660	schtasks.exe
2704	schtasks.exe
2932	schtasks.exe
2808	schtasks.exe
2640	schtasks.exe
296	schtasks.exe
1736	schtasks.exe
2612	schtasks.exe
876	schtasks.exe
980	schtasks.exe
2212	schtasks.exe
1968	schtasks.exe
2948	schtasks.exe
772	schtasks.exe
1716	schtasks.exe
2736	schtasks.exe
824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exe

pid	process
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
2508	powershell.exe
1272	powershell.exe
1972	powershell.exe
2804	powershell.exe
2728	powershell.exe
772	powershell.exe
1652	powershell.exe
2784	powershell.exe
2260	powershell.exe
1336	powershell.exe
2812	powershell.exe
2720	powershell.exe
1560	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	1560	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exespoolsv.exe

description	pid	process	target process
PID 2420 wrote to memory of 2744	2420	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 2420 wrote to memory of 2744	2420	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 2420 wrote to memory of 2744	2420	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 2420 wrote to memory of 2744	2420	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 2420 wrote to memory of 2744	2420	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 2420 wrote to memory of 2744	2420	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 2420 wrote to memory of 2744	2420	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 2420 wrote to memory of 2744	2420	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 2420 wrote to memory of 2744	2420	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 2744 wrote to memory of 2720	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2720	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2720	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2720	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2804	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2804	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2804	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2804	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2812	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2812	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2812	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2812	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2260	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2260	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2260	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2260	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1272	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1272	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1272	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1272	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2784	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2784	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2784	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2784	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1336	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1336	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1336	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1336	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 772	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 772	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 772	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 772	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2728	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2728	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2728	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2728	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2508	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2508	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2508	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 2508	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1972	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1972	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1972	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1972	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1652	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1652	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1652	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1652	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 2744 wrote to memory of 1560	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	spoolsv.exe
PID 2744 wrote to memory of 1560	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	spoolsv.exe
PID 2744 wrote to memory of 1560	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	spoolsv.exe
PID 2744 wrote to memory of 1560	2744	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	spoolsv.exe
PID 1560 wrote to memory of 2192	1560	spoolsv.exe	spoolsv.exe
PID 1560 wrote to memory of 2192	1560	spoolsv.exe	spoolsv.exe
PID 1560 wrote to memory of 2192	1560	spoolsv.exe	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
"C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
  "C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\Media\spoolsv.exe
    "C:\Windows\Media\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\Media\spoolsv.exe
      "C:\Windows\Media\spoolsv.exe"
      4⤵
      Executes dropped EXE
      PID:2192
  - - C:\Windows\Media\spoolsv.exe
      "C:\Windows\Media\spoolsv.exe"
      4⤵
      Executes dropped EXE
      PID:608
  - - C:\Windows\Media\spoolsv.exe
      "C:\Windows\Media\spoolsv.exe"
      4⤵
      Executes dropped EXE
      PID:2636
  - - C:\Windows\Media\spoolsv.exe
      "C:\Windows\Media\spoolsv.exe"
      4⤵
      Executes dropped EXE
      PID:2716
  - - C:\Windows\Media\spoolsv.exe
      "C:\Windows\Media\spoolsv.exe"
      4⤵
      Executes dropped EXE
      PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Media\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Favorites\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DPX\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\DPX\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d724430525" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d724430525" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\Festival\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Media\Festival\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\Festival\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\RCXE87C.tmp

Filesize
3.0MB

MD5
17f2407b5963176cf1e9bd260d1334a1

SHA1
54c7db671a20f2194d68b589e5d02c64305c986d

SHA256
7fc99fea876a7133e6f4c9f0dc900e6aa41d91afc350cf1ddf6e445922efd439

SHA512
a1e0ba2dc37fd8311ce95384f13f55c8dc432ca521cdce01efed64b2026cca1ac98d9bb2550349ce887eafd9f86b2b602b074bed825235c51763a93516380a1f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

Filesize
3.0MB

MD5
c77900f74efe98e131b788f9dc9d5eb2

SHA1
84be8ae590216852097301d7b41476b2f1ba5655

SHA256
c4779562426f4d5c40c755f4d873929dc1c61860517f4f120820ab25b4cfcba4

SHA512
3cfb94d528f51c797a793ffa93e91d4be3e77305318949a927cddecc0dae2499bc569c43a3ac019cad753a2192ee87aff06d70312daac02b136398da2ecc653c

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe

Filesize
3.0MB

MD5
b14acbfc18dc51ae15befec97950162a

SHA1
6a09579a19ac092340e58d4e40fa29f268e5704c

SHA256
2a124628d59e7555c83da348bd287980a50068b9cb92444297c778dff62c2482

SHA512
22d6f6671e4d66e24f6e1303c203de678533100af56939bab60d058a4c7a9e6fbecb02d4e98d37d91144f4e44bc3767e8b2c11c54389bae1ec1278335695c0dd

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\RCXE658.tmp

Filesize
3.0MB

MD5
ad22d4e735960d4edb756552a18bc144

SHA1
6fa5269bfb3ee4be5602567d2cdb5aa55ccb36db

SHA256
58c929d275771c305e798b3c0f66411358827ac9426bba8b8089a9184e6833ad

SHA512
b548ac1a16c2908bd907c5def0e12baaa380c18ebefd4849c9c200ff2d899de237e77229f7a4783224f273d12a52176ea136edaa213a6cf4a07026faaef361dd

Download Submit
C:\Program Files (x86)\Windows Portable Devices\winlogon.exe

Filesize
3.0MB

MD5
81531a34dcc5f7a2519c35d9110cf187

SHA1
ccadab4b898223bfe0aa3f93338c1def3a608d27

SHA256
7bff04a4d2ede308b3deef8051c6eb4a1fa9c28b56cc91bb7b9f9e8061ba2e25

SHA512
04d916a360bb055513bb5975c032c4e4ad663366a7fb385e121b41ad40391c5c51614d63b33dbd15d1312a61dcfb6077b1bd6338cb154851d0fcebfc0deefb1e

Download Submit
C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe

Filesize
3.0MB

MD5
da4d5b0d82b4e641c8e39bb6b3734c15

SHA1
282dac557f63ef6c407f9c9a22e76f31c64739fb

SHA256
aa4385252e6f48dfda52920e9f21db09537748ae976bcbdfb8c4e1708e85e1e3

SHA512
b0ee465537d60cbf726290eebb84ad832b420a855c8aae3d10e2cba82ad9fdc028829b729ea888d559d12b33f24f1f76867dcffe431931ab69edd09b57a17644

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a68bd9dda49e897b08e18760de6f6d59

SHA1
c6a1eee7467bd4bd7115cb331d341b58ec867133

SHA256
2d1c7d55507be28f25e2532b501026118a675a074b06c9e0c7988e696118306f

SHA512
6ef5acaf7fff63fcc1e97524cdd7722f549f13d143c2c6d3ff9e9073ab0cbf703f94318c931f41b5b5c90fd02dc7ed41aa45ba2ae9c92deb0a63847a52ade18a

Download Submit
C:\Users\Public\Favorites\System.exe

Filesize
3.0MB

MD5
06d247f5cee1e9380b7cff8cfa4cdb70

SHA1
fa12163a5c3cff690d5bff9696a68a9df0789c8c

SHA256
5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052

SHA512
c5e7013c86405be9d8fe3aa2b732092b3e6f58f7ae84fe51ac5b0dd7a363fc5458b1bed3fe0f81cfa168df272e62c0d0ad16965a71cbef9439d1403a3f37d0c3

Download Submit
C:\Windows\Media\Festival\dwm.exe

Filesize
3.0MB

MD5
e056f688c5b79adddbf07366bd983f51

SHA1
1676bf51a361b06e8a13734fe9bf3e746bec606e

SHA256
83e5bef0e3f88baddf92dbd2692bf59468614a58949d0e22af0a41322585c17e

SHA512
ba819fdd1c81180d00465853f8fa6a6ce82594c4a6b8a2bd9468e58d56418de632f2fe8bf69daa3e79987b72fbb750d5eb8df1c3673050b8f0a3b7989242615f

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1560-356-0x0000000000900000-0x0000000000916000-memory.dmp

Filesize
88KB

Download
memory/1560-350-0x00000000002A0000-0x00000000005B0000-memory.dmp

Filesize
3.1MB

Download
memory/2420-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/2420-8-0x00000000099C0000-0x0000000009C34000-memory.dmp

Filesize
2.5MB

Download
memory/2420-7-0x0000000009740000-0x00000000099BA000-memory.dmp

Filesize
2.5MB

Download
memory/2420-6-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2420-5-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2420-4-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/2420-23-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2420-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2420-2-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2420-1-0x0000000000A90000-0x0000000000DA0000-memory.dmp

Filesize
3.1MB

Download
memory/2744-31-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2744-42-0x0000000004CD0000-0x0000000004CD8000-memory.dmp

Filesize
32KB

Download
memory/2744-29-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/2744-30-0x0000000002480000-0x0000000002496000-memory.dmp

Filesize
88KB

Download
memory/2744-27-0x0000000000A30000-0x0000000000A4C000-memory.dmp

Filesize
112KB

Download
memory/2744-32-0x00000000045B0000-0x00000000045BC000-memory.dmp

Filesize
48KB

Download
memory/2744-33-0x0000000004600000-0x0000000004656000-memory.dmp

Filesize
344KB

Download
memory/2744-34-0x0000000004780000-0x000000000478C000-memory.dmp

Filesize
48KB

Download
memory/2744-35-0x0000000004790000-0x0000000004798000-memory.dmp

Filesize
32KB

Download
memory/2744-36-0x00000000047A0000-0x00000000047AC000-memory.dmp

Filesize
48KB

Download
memory/2744-37-0x0000000004C20000-0x0000000004C28000-memory.dmp

Filesize
32KB

Download
memory/2744-38-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/2744-39-0x0000000004C50000-0x0000000004C5C000-memory.dmp

Filesize
48KB

Download
memory/2744-40-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/2744-41-0x0000000004CC0000-0x0000000004CCE000-memory.dmp

Filesize
56KB

Download
memory/2744-28-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/2744-43-0x0000000004CE0000-0x0000000004CE8000-memory.dmp

Filesize
32KB

Download
memory/2744-44-0x0000000004CF0000-0x0000000004CFC000-memory.dmp

Filesize
48KB

Download
memory/2744-26-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2744-25-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2744-24-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2744-11-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2744-13-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2744-14-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2744-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-17-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2744-22-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2744-19-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2744-347-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2744-21-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2744-9-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download