dcrat | 5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052

Analysis

max time kernel
122s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
Size

3.0MB
MD5

06d247f5cee1e9380b7cff8cfa4cdb70
SHA1

fa12163a5c3cff690d5bff9696a68a9df0789c8c
SHA256

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052
SHA512

c5e7013c86405be9d8fe3aa2b732092b3e6f58f7ae84fe51ac5b0dd7a363fc5458b1bed3fe0f81cfa168df272e62c0d0ad16965a71cbef9439d1403a3f37d0c3
SSDEEP

49152:wZ2fRPDpkR3/hESpjo4uLDI3KoSPq3cXtFvOUcx3twYvr0G56/FBwzpTZoKh:k7ZJ89LDSKrq3iGnnw+1YXw9OK

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	4984	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4984	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4556-13-0x0000000000400000-0x0000000000648000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3352	powershell.exe
2392	powershell.exe
3356	powershell.exe
3016	powershell.exe
2772	powershell.exe
4360	powershell.exe
2192	powershell.exe
4928	powershell.exe
4324	powershell.exe
1948	powershell.exe
1512	powershell.exe
456	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid process

5764 RuntimeBroker.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 ip-api.com

pid	process
5764	RuntimeBroker.exe

flow	ioc
48	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

description	pid	process	target process
PID 1756 set thread context of 4556	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

Drops file in Program Files directory 16 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\ee2ad38f3d4382	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\RCXFE9.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\6ccacd8608530f	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\RCXF0E.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX1B7A.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX1C17.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files\Uninstall Information\Registry.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\e1ef82546f0b02	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files\WindowsApps\sppsvc.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files\Uninstall Information\Registry.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\SppExtComObj.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\SppExtComObj.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX2A99.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX2B27.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

Drops file in Windows directory 25 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

description	ioc	process
File opened for modification	C:\Windows\Downloaded Program Files\RCX2611.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\SchCache\RCX391C.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\Logs\dllhost.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\appcompat\6ccacd8608530f	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\SchCache\55b276f4edf653	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\appcompat\RCX31E2.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\Downloaded Program Files\csrss.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\appcompat\Idle.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\SchCache\StartMenuExperienceHost.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\ImmersiveControlPanel\images\WmiPrvSE.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\SchCache\StartMenuExperienceHost.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\SchCache\RCX393C.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\RCX36F8.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\Logs\5940a34987c991	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\ImmersiveControlPanel\images\24dbde2999530e	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Logs\RCX12D9.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Logs\dllhost.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\appcompat\Idle.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\WmiPrvSE.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File created	C:\Windows\Downloaded Program Files\886983d96e3d3e	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Logs\RCX122D.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX2631.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\Downloaded Program Files\csrss.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\appcompat\RCX3280.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\RCX36D8.tmp	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
4324	schtasks.exe
2980	schtasks.exe
2876	schtasks.exe
1320	schtasks.exe
888	schtasks.exe
4988	schtasks.exe
2460	schtasks.exe
2172	schtasks.exe
2644	schtasks.exe
2972	schtasks.exe
1968	schtasks.exe
3972	schtasks.exe
3760	schtasks.exe
224	schtasks.exe
764	schtasks.exe
3648	schtasks.exe
100	schtasks.exe
2328	schtasks.exe
212	schtasks.exe
5108	schtasks.exe
2292	schtasks.exe
880	schtasks.exe
3776	schtasks.exe
3356	schtasks.exe
4552	schtasks.exe
2412	schtasks.exe
1948	schtasks.exe
456	schtasks.exe
2004	schtasks.exe
4296	schtasks.exe
1208	schtasks.exe
1548	schtasks.exe
2796	schtasks.exe
1080	schtasks.exe
1824	schtasks.exe
1460	schtasks.exe
4960	schtasks.exe
3672	schtasks.exe
1172	schtasks.exe
64	schtasks.exe
460	schtasks.exe
4840	schtasks.exe
1704	schtasks.exe
1756	schtasks.exe
3580	schtasks.exe
4928	schtasks.exe
3964	schtasks.exe
4428	schtasks.exe
3660	schtasks.exe
4436	schtasks.exe
4012	schtasks.exe
3640	schtasks.exe
1696	schtasks.exe
4760	schtasks.exe

Modifies registry class 1 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
3016	powershell.exe
3016	powershell.exe
4928	powershell.exe
4928	powershell.exe
2392	powershell.exe
2392	powershell.exe
3356	powershell.exe
3356	powershell.exe
2192	powershell.exe
2192	powershell.exe
1948	powershell.exe
1948	powershell.exe
4324	powershell.exe
4324	powershell.exe
456	powershell.exe
456	powershell.exe
1512	powershell.exe
1512	powershell.exe
3352	powershell.exe
3352	powershell.exe
2772	powershell.exe
2772	powershell.exe
4360	powershell.exe
4360	powershell.exe
2772	powershell.exe
1512	powershell.exe
4324	powershell.exe
2392	powershell.exe
3016	powershell.exe
2192	powershell.exe
4928	powershell.exe
456	powershell.exe
3356	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
Token: SeDebugPrivilege	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe

description	pid	process	target process
PID 1756 wrote to memory of 3580	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 3580	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 3580	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 4116	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 4116	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 4116	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 4556	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 4556	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 4556	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 4556	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 4556	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 4556	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 4556	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 1756 wrote to memory of 4556	1756	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
PID 4556 wrote to memory of 1948	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 1948	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 1948	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 2392	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 2392	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 2392	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 456	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 456	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 456	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 1512	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 1512	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 1512	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 3016	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 3016	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 3016	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 3356	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 3356	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 3356	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 4324	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 4324	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 4324	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 4928	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 4928	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 4928	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 2192	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 2192	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 2192	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 4360	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 4360	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 4360	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 3352	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 3352	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 3352	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 2772	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 2772	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 2772	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	powershell.exe
PID 4556 wrote to memory of 5764	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	RuntimeBroker.exe
PID 4556 wrote to memory of 5764	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	RuntimeBroker.exe
PID 4556 wrote to memory of 5764	4556	5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
"C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
"C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe"
2⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
"C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe"
2⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe
"C:\Users\Admin\AppData\Local\Temp\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe"
2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Users\Public\RuntimeBroker.exe
"C:\Users\Public\RuntimeBroker.exe"
3⤵
- Executes dropped EXE
PID:5764

C:\Users\Public\RuntimeBroker.exe
"C:\Users\Public\RuntimeBroker.exe"
4⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Recent\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\All Users\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\appcompat\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\ImmersiveControlPanel\images\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\images\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\ImmersiveControlPanel\images\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SchCache\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\Registry.exe
Filesize
3.0MB

MD5
b7bff02c2a9885fda05b3d449dd04081

SHA1
f77729e95d02fc7d83be4b750febac0d45977afc

SHA256
d08d553ac29bd7d96715b16c012d974cd05447dc7e219f611ad70f9ee207cdb0

SHA512
90ae774ee58d9ac55e52a0610b5b9f41bc0334efec26c1e2812a2929952193dd28a8a4355e5dd022d3c58f43ba26cc29836613b13e85bc4dc1ae4058e107b721

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\Idle.exe
Filesize
3.0MB

MD5
63c49ae4469f204caf5a0fc8b500e709

SHA1
ce31c261e4e6537907dd2f471c31683589ae0a25

SHA256
f85a38a99bf0a05552cf3b666257533c18a50ae750e4f75cf735838f4fbd22fe

SHA512
f9efd8449f59f888024d738b13105d08f03b612ff8cf698e32dadbcd7a2f25e792cff32b773279858165a4735f9a0eabd1cc5cf7975757e97ab63155f229259f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052.exe.log
Filesize
1KB

MD5
95b0eabd8c9c516fc2d8632ff8f4dc10

SHA1
8118b2b54184a5add848198f36a905b9a511940e

SHA256
1ad8f00e485dbebe5a1f40f60b9e588e6563c4feef20b8134f335b3e16208dc3

SHA512
60147da0bc922f18e2eeae00dc7dda1caa432df6ed0f853cd4757535bf371536902c1ce1bc40db167540bbc79dedf9a742498fab5bafcbd1053c4b2dd9c79e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b9c716ed7ec7022e6ad14edbc578c983

SHA1
4e5e86cb4e20f1c32a83e4c73c6369951224371d

SHA256
8b42ba9b19c0f5865b5d25bd0cd650843fd17d24de35ed20eba7cc4445530c0c

SHA512
b9dee6e405b0447994c8609d219e1aca24ddf545d4f2f2cc5298fa7c453e05f29484a7a007079463097a16cc747fdce9173486a10f81e6454472ebc4866d683a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gszdrweg.qy3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Pictures\WmiPrvSE.exe
Filesize
3.0MB

MD5
0175e9b963f1c6ffcfb7bef99939ae8c

SHA1
9821f7d63159837463bcde2b57a56a218ad32600

SHA256
15a9e956212e6e76ffae3d129164023440e7c47d6d8c7f0396cd647b3424b834

SHA512
cf7f41d823b0528b4fa1f11bcf340b4d0e6c4318d59e72e0228acdd77cddc8c4fb7251181147500f9266e63c35405aa82e222b7b890b6d92d80b4d2873741584

Download Submit
C:\Windows\appcompat\Idle.exe
Filesize
3.0MB

MD5
d61974085d0e2a678a17902257309e39

SHA1
45a56f0b94351efe4f6a8b11f165cf633a31a415

SHA256
243962677cec5c4576a61d76657d3841aa2b14761bfca669995222f6c6d04ffd

SHA512
162e900d426d9218e5472c26d24898baf544cfc86b546982d791722d8003140822c93ae55d9c54c5b68c51b77c19972558ec8633512716d605e30dc0a920ff0f

Download Submit
C:\odt\csrss.exe
Filesize
3.0MB

MD5
06d247f5cee1e9380b7cff8cfa4cdb70

SHA1
fa12163a5c3cff690d5bff9696a68a9df0789c8c

SHA256
5f6b62b2a3a5ffe059fde9ac3de656a5aac60d50674e5f2f14e61d3d72443052

SHA512
c5e7013c86405be9d8fe3aa2b732092b3e6f58f7ae84fe51ac5b0dd7a363fc5458b1bed3fe0f81cfa168df272e62c0d0ad16965a71cbef9439d1403a3f37d0c3

Download Submit
memory/456-497-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/456-345-0x0000000005070000-0x00000000050D6000-memory.dmp

Filesize
408KB

Download
memory/1512-577-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/1756-7-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/1756-6-0x00000000058F0000-0x000000000598C000-memory.dmp

Filesize
624KB

Download
memory/1756-11-0x0000000009CE0000-0x0000000009F5A000-memory.dmp

Filesize
2.5MB

Download
memory/1756-10-0x00000000011A0000-0x00000000011AA000-memory.dmp

Filesize
40KB

Download
memory/1756-1-0x00000000008F0000-0x0000000000C00000-memory.dmp

Filesize
3.1MB

Download
memory/1756-17-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/1756-9-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/1756-2-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/1756-8-0x00000000058D0000-0x00000000058E6000-memory.dmp

Filesize
88KB

Download
memory/1756-12-0x0000000009F60000-0x000000000A1D4000-memory.dmp

Filesize
2.5MB

Download
memory/1756-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/1756-5-0x00000000056A0000-0x00000000056AA000-memory.dmp

Filesize
40KB

Download
memory/1756-4-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/1756-3-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/1948-604-0x0000000006F70000-0x0000000006F7E000-memory.dmp

Filesize
56KB

Download
memory/1948-300-0x0000000002410000-0x0000000002446000-memory.dmp

Filesize
216KB

Download
memory/1948-534-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/2192-500-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/2192-606-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

Filesize
104KB

Download
memory/2192-548-0x0000000007840000-0x00000000078E3000-memory.dmp

Filesize
652KB

Download
memory/2392-487-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/2772-549-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/2772-462-0x00000000066C0000-0x000000000670C000-memory.dmp

Filesize
304KB

Download
memory/2772-600-0x00000000079C0000-0x00000000079DA000-memory.dmp

Filesize
104KB

Download
memory/3016-301-0x0000000004D20000-0x0000000005348000-memory.dmp

Filesize
6.2MB

Download
memory/3016-578-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/3352-527-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/3356-332-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/3356-567-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/3356-382-0x00000000057A0000-0x0000000005AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3356-602-0x0000000007340000-0x00000000073D6000-memory.dmp

Filesize
600KB

Download
memory/3356-607-0x0000000007490000-0x0000000007498000-memory.dmp

Filesize
32KB

Download
memory/4324-461-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/4324-555-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/4360-517-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/4360-599-0x0000000007640000-0x0000000007CBA000-memory.dmp

Filesize
6.5MB

Download
memory/4360-603-0x0000000006F80000-0x0000000006F91000-memory.dmp

Filesize
68KB

Download
memory/4556-22-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4556-31-0x0000000006DA0000-0x0000000006DF6000-memory.dmp

Filesize
344KB

Download
memory/4556-39-0x0000000006F20000-0x0000000006F2A000-memory.dmp

Filesize
40KB

Download
memory/4556-40-0x0000000006FE0000-0x0000000006FEE000-memory.dmp

Filesize
56KB

Download
memory/4556-41-0x0000000007000000-0x0000000007008000-memory.dmp

Filesize
32KB

Download
memory/4556-42-0x0000000007010000-0x0000000007018000-memory.dmp

Filesize
32KB

Download
memory/4556-43-0x0000000007160000-0x000000000716C000-memory.dmp

Filesize
48KB

Download
memory/4556-38-0x0000000006F10000-0x0000000006F1C000-memory.dmp

Filesize
48KB

Download
memory/4556-37-0x0000000007500000-0x0000000007A2C000-memory.dmp

Filesize
5.2MB

Download
memory/4556-464-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4556-474-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4556-13-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4556-33-0x0000000006E50000-0x0000000006E58000-memory.dmp

Filesize
32KB

Download
memory/4556-16-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4556-18-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4556-34-0x0000000006E60000-0x0000000006E6C000-memory.dmp

Filesize
48KB

Download
memory/4556-35-0x0000000006E70000-0x0000000006E78000-memory.dmp

Filesize
32KB

Download
memory/4556-36-0x0000000006E90000-0x0000000006EA2000-memory.dmp

Filesize
72KB

Download
memory/4556-32-0x0000000006E40000-0x0000000006E4C000-memory.dmp

Filesize
48KB

Download
memory/4556-239-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4556-28-0x0000000006CA0000-0x0000000006CB6000-memory.dmp

Filesize
88KB

Download
memory/4556-30-0x0000000006E80000-0x0000000006E8C000-memory.dmp

Filesize
48KB

Download
memory/4556-29-0x0000000006CD0000-0x0000000006CD8000-memory.dmp

Filesize
32KB

Download
memory/4556-26-0x0000000005FD0000-0x0000000005FD8000-memory.dmp

Filesize
32KB

Download
memory/4556-19-0x0000000002C80000-0x0000000002C8E000-memory.dmp

Filesize
56KB

Download
memory/4556-27-0x0000000006C90000-0x0000000006CA0000-memory.dmp

Filesize
64KB

Download
memory/4556-25-0x0000000006CE0000-0x0000000006D30000-memory.dmp

Filesize
320KB

Download
memory/4556-24-0x0000000002D00000-0x0000000002D1C000-memory.dmp

Filesize
112KB

Download
memory/4556-23-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4556-20-0x0000000005E40000-0x0000000005EA6000-memory.dmp

Filesize
408KB

Download
memory/4556-21-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4928-601-0x0000000007140000-0x000000000714A000-memory.dmp

Filesize
40KB

Download
memory/4928-533-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/4928-605-0x0000000007310000-0x0000000007324000-memory.dmp

Filesize
80KB

Download
memory/4928-477-0x000000006F450000-0x000000006F49C000-memory.dmp

Filesize
304KB

Download
memory/4928-476-0x0000000006350000-0x0000000006382000-memory.dmp

Filesize
200KB

Download
memory/5764-475-0x00000000061A0000-0x00000000061B6000-memory.dmp

Filesize
88KB

Download