2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d

Analysis

max time kernel
95s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Size

3.5MB
MD5

8784f682b99ff4d525e623544ae67e24
SHA1

4bc752a2fbe5964b1cdfe57f62ab80531c181912
SHA256

2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d
SHA512

08a376c53e2488067e6145d7583478ceef1ae7d01aeedc185d84e849fba89dd201bc8720ff291c65ceb3e4b7223fe08d2e7ae01c070ef4bf0461f3e6531eaeaf
SSDEEP

98304:74qk4B+JfG/r17Z64wNlnadfucOS+MgZk:7HJr/r17Z64SaebRy

Score

10^/10

credential_access discovery execution persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SearchApp.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SearchApp.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SearchApp.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SearchApp.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe\""	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe\""	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\RuntimeBroker.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SearchApp.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SearchApp.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe\""	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe\""	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe\""	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\backgroundTaskHost.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5248	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6004	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5988	3736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	3736	schtasks.exe	86

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
376	powershell.exe
5036	powershell.exe
4652	powershell.exe
1560	powershell.exe
1504	powershell.exe
1600	powershell.exe
2344	powershell.exe
2548	powershell.exe
4424	powershell.exe
1704	powershell.exe
3756	powershell.exe
1072	powershell.exe
3976	powershell.exe
2912	powershell.exe
4116	powershell.exe
2760	powershell.exe
864	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe

Deletes itself 1 IoCs

pid	Process
5568	System.exe

Executes dropped EXE 1 IoCs

pid	Process
5568	System.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\backgroundTaskHost.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\backgroundTaskHost.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\SearchApp.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\RuntimeBroker.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Portable Devices\\System.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows NT\\RuntimeBroker.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows NT\\RuntimeBroker.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\SearchApp.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\RuntimeBroker.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Portable Devices\\System.exe\""	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCF1277D10748B4DACAD868CBF3B7BAC.TMP	csc.exe
File created	\??\c:\Windows\System32\9hsi6j.exe	csc.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\9e8d7a4ca61bd9	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\eddb19405b7ce1	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
File created	C:\Program Files\Windows NT\RuntimeBroker.exe	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
File opened for modification	C:\Program Files\Windows Portable Devices\System.exe	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\38384e6a620884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\backgroundTaskHost.exe	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5156	PING.EXE
4068	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	System.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5156	PING.EXE
4068	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2892	schtasks.exe
1008	schtasks.exe
3432	schtasks.exe
1740	schtasks.exe
1388	schtasks.exe
2036	schtasks.exe
4800	schtasks.exe
1644	schtasks.exe
2408	schtasks.exe
3172	schtasks.exe
440	schtasks.exe
4704	schtasks.exe
3912	schtasks.exe
4068	schtasks.exe
5092	schtasks.exe
4732	schtasks.exe
4936	schtasks.exe
3144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	5568	System.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3960	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	90
PID 2884 wrote to memory of 3960	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	90
PID 3960 wrote to memory of 4676	3960	csc.exe	92
PID 3960 wrote to memory of 4676	3960	csc.exe	92
PID 2884 wrote to memory of 4116	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	108
PID 2884 wrote to memory of 4116	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	108
PID 2884 wrote to memory of 376	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	109
PID 2884 wrote to memory of 376	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	109
PID 2884 wrote to memory of 2344	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	110
PID 2884 wrote to memory of 2344	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	110
PID 2884 wrote to memory of 2760	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	111
PID 2884 wrote to memory of 2760	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	111
PID 2884 wrote to memory of 2912	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	112
PID 2884 wrote to memory of 2912	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	112
PID 2884 wrote to memory of 3976	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	113
PID 2884 wrote to memory of 3976	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	113
PID 2884 wrote to memory of 1704	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	114
PID 2884 wrote to memory of 1704	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	114
PID 2884 wrote to memory of 1600	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	115
PID 2884 wrote to memory of 1600	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	115
PID 2884 wrote to memory of 1072	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	116
PID 2884 wrote to memory of 1072	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	116
PID 2884 wrote to memory of 1504	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	117
PID 2884 wrote to memory of 1504	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	117
PID 2884 wrote to memory of 1560	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	118
PID 2884 wrote to memory of 1560	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	118
PID 2884 wrote to memory of 4652	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	120
PID 2884 wrote to memory of 4652	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	120
PID 2884 wrote to memory of 4424	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	121
PID 2884 wrote to memory of 4424	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	121
PID 2884 wrote to memory of 2548	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	122
PID 2884 wrote to memory of 2548	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	122
PID 2884 wrote to memory of 864	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	123
PID 2884 wrote to memory of 864	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	123
PID 2884 wrote to memory of 5036	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	124
PID 2884 wrote to memory of 5036	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	124
PID 2884 wrote to memory of 3756	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	125
PID 2884 wrote to memory of 3756	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	125
PID 2884 wrote to memory of 2336	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	142
PID 2884 wrote to memory of 2336	2884	2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe	142
PID 2336 wrote to memory of 5808	2336	cmd.exe	144
PID 2336 wrote to memory of 5808	2336	cmd.exe	144
PID 2336 wrote to memory of 5156	2336	cmd.exe	145
PID 2336 wrote to memory of 5156	2336	cmd.exe	145
PID 2336 wrote to memory of 5568	2336	cmd.exe	146
PID 2336 wrote to memory of 5568	2336	cmd.exe	146
PID 5568 wrote to memory of 6108	5568	System.exe	161
PID 5568 wrote to memory of 6108	5568	System.exe	161
PID 6108 wrote to memory of 4736	6108	cmd.exe	163
PID 6108 wrote to memory of 4736	6108	cmd.exe	163
PID 6108 wrote to memory of 4068	6108	cmd.exe	164
PID 6108 wrote to memory of 4068	6108	cmd.exe	164

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe
"C:\Users\Admin\AppData\Local\Temp\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f3vmvu3z\f3vmvu3z.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA28.tmp" "c:\Windows\System32\CSCF1277D10748B4DACAD868CBF3B7BAC.TMP"
    3⤵
    PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uhpf48iHoY.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5808
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5156
- - C:\Program Files\Windows Portable Devices\System.exe
    "C:\Program Files\Windows Portable Devices\System.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5568
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6108
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4736
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d2" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d2" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
- Process spawned unexpected child process
PID:5248

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
- Process spawned unexpected child process
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "backgroundTaskHost" /f
1⤵
- Process spawned unexpected child process
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "backgroundTaskHostb" /f
1⤵
- Process spawned unexpected child process
PID:6004

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchApp" /f
1⤵
- Process spawned unexpected child process
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchAppS" /f
1⤵
- Process spawned unexpected child process
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
- Process spawned unexpected child process
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
- Process spawned unexpected child process
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "System" /f
1⤵
- Process spawned unexpected child process
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SystemS" /f
1⤵
- Process spawned unexpected child process
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d" /f
1⤵
- Process spawned unexpected child process
PID:5988

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d2" /f
1⤵
- Process spawned unexpected child process
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\de-DE\eddb19405b7ce1

Filesize
202B

MD5
5e55154f678d614a716dce1117b9b97d

SHA1
29c862ccebfbdbb78be83b998ce47f14844c3d98

SHA256
a9a8ffa9d701ec7ca0aa6a53514555f556e4733f7a2bb4744d76c3a077314c33

SHA512
6ecfe3394ce7edb1707e7b2f48d42929e98a9f09f3ce1e6b0e614557bccf1c82b5ffdc7bf7da8fa62f568809572706513b5acf36b1e6654a16ff210fb336ba12

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\38384e6a620884

Filesize
245B

MD5
c747c899b5b1fd21df9800ea3721f798

SHA1
378e7101b32c84b238c526bc51ed0828ba457ef1

SHA256
c84304cd623dca0149b104c6d880c549f87f7a4de88f391d865e6cd41807fc74

SHA512
0f2b4ffa52d5c390b1cd193049f16aa6aede34a15be022097235af71522a725cba002416e9066856e25eca6bda09c70af4850bf6aa0df70f9c324633b59462fc

Download Submit
C:\Program Files\Windows NT\9e8d7a4ca61bd9

Filesize
463B

MD5
9d59b3bbe87893a47fca77be6173378a

SHA1
da3adda02b678a6b90f912c3c9615e0d67d2252b

SHA256
c5c95175fb9e5cd6d16aab620de2e456675f3c81f9751a4db0a2345beaa26ec9

SHA512
19b751b1256e238fff140aafbd6033af4e0ceee8f7ebb1f5e82d63912d8ba63a87232485013e869b7be241fb779aebcac23e09ad81d908cb05cb615270cb8776

Download Submit
C:\Program Files\Windows NT\RuntimeBroker.exe

Filesize
3.5MB

MD5
8784f682b99ff4d525e623544ae67e24

SHA1
4bc752a2fbe5964b1cdfe57f62ab80531c181912

SHA256
2615270e7885e810c6aecd156b2e926271134966a21813eac8136d5ec7a4d23d

SHA512
08a376c53e2488067e6145d7583478ceef1ae7d01aeedc185d84e849fba89dd201bc8720ff291c65ceb3e4b7223fe08d2e7ae01c070ef4bf0461f3e6531eaeaf

Download Submit
C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0

Filesize
390B

MD5
6ef3deed3ff571d08621cbae72d3a92d

SHA1
5ec540ef96667cf093663514fc887b199e93b51b

SHA256
009ed7d9db3b210e64990171ce64c8156354aab5c853ccd47dbb67d4bd404aae

SHA512
184b39310392680ab50b2176dc411a0cf7ba5250c8d5a605f21bb56459158995cf3ae3d0a2761d36bb38e55fc26c678d94dd2f3fdf68b8b630656fa44b20c4fe

Download Submit
C:\Users\Admin\9e8d7a4ca61bd9

Filesize
943B

MD5
23aeb76ad87e6cc58de0e9e7b8deacb1

SHA1
2a5fae50b55de5d4c232cbfac4f1b430e04d1bca

SHA256
98861d786e810edba50d7e03c2b8350320c973a8a600564eae58b0877910d2e4

SHA512
0516e131ee7286ec288b37a90229e3287c7c559b7fb5b5a65290ba2b3a52739243e3d4d01a075a0da76a5d49a09ce1948b78db5c5efb3d2bb24d7955ef222d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
240B

MD5
a78e291abdfa0d2ccef2efdf89b2d733

SHA1
e3119ffe4ce1c2818ad2dc45b0c674043f1266d2

SHA256
8ed45f48573af117248a0a971ab9befec5ca75a399c7e57e220396f3df02d32c

SHA512
7fa89055ed017ec3c17a4ea2febcba5301bc721a7418f8e9738d405766737054fa857ffff81f0f880665767085498349f3e1d0d2cdc9b7b681514bd2be3732b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBA28.tmp

Filesize
1KB

MD5
5d9765b168a0ced24aa6c7f18274ba97

SHA1
f2328e2d58bb1314145ac869f62157bd64e04046

SHA256
4cb7a2566b3bf33051b9737151a31229e6bcd9bc7a740f533a055cd151ce63d9

SHA512
4b4737a7d6faa7b3b8e37309b3bd66f93586c9a4bb8b89fde7c31fde609577f36e26ecf8c713cf57fa6458ca9337bd3a3cec617f98343c7e6e61b4942bf96813

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

Filesize
257B

MD5
4f4a01b674489260cbba62a5ccb58fae

SHA1
52ff83c6095431fb01f7de0b1507b9fcd3a97942

SHA256
e348a037c37471adc099938a8130eca2e35189d380839b09167311bc6d2b0757

SHA512
b9f824fa7e0465e50fee66c4413b3a9e632f06f3e830fb71012490701c84c210181188d63da3e6d73fe3284b112dc5af87dfa1df4cc27a1c5ede257586ddd527

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uub5npwd.cyr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0b8953a6e4c3f

Filesize
62B

MD5
1456f967e6b322fa81c31f73cbb61229

SHA1
7c4a30f62c8352177231b1216b74e7ae3728c46d

SHA256
5d0da1b898487cf23dd7783bdde813ca5f3b9da92fb95268061792c7229d9c6f

SHA512
a5531161775fdc3af25729f40cf2be61b9a9997aaeeedb8ec81b89943ee0f1f43a81cbcfbd50eaeede421746e190758f2d670f8c106a3b3340aa8a4f55598c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhpf48iHoY.bat

Filesize
180B

MD5
a3daf25779aacc2571e9974032840cfb

SHA1
24206a07a5960acbaa7e99291e5f2cda71391813

SHA256
6e941adc8ef12132ef7b0f8f93238dc18b2bf4904c01a1c826684c536d0575e9

SHA512
7013811b50e6dd32897a030489c36fee9c2bd4429bf272f059dd125f8bee3028219bd5d973f207da66f3f3d9ed4823c3a68fe57a435577971ddddcb1bc45d465

Download Submit
C:\windows\system32\9hsi6j.exe

Filesize
4KB

MD5
7ffa7abcc7bc9974913a1fd014f3f822

SHA1
b839ca344c192676d29e7ca87cee076cc5ec00fc

SHA256
e56a223a4d827f7b4912632f586a41d12cc3a944446c57d4002f37b9a5ac1062

SHA512
6c7e1678cce66f65b8d613b29c3cb8282823fc6185ee561adf2638c0ecfb313fea9a223656fd41cfec0ccd86e9a78ff91b319e4e7327767b731ec705d284c2c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f3vmvu3z\f3vmvu3z.0.cs

Filesize
377B

MD5
44b39f64cf24edb3f2be8bd18dc06f1b

SHA1
471e5c6472aac405baf0fcf2e85126144fb99492

SHA256
1d53c7456e3f3e85a158006c59bcd27e52f470d2e7fe42d1a84d480bcfb07276

SHA512
b021b2fba83a9a4a39848d71da4e38e0796c5c548024e6e06284fabaa0978f0414ac7f6e0cb689985dc2cdb558dc9af3cc76bf1a0f2322fb1e1bc9aff949ce49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f3vmvu3z\f3vmvu3z.cmdline

Filesize
235B

MD5
f27106fc9bafeef06439a8fd3535d7b1

SHA1
bb18a00f5c075e6801a7cbf36d87fb19cc5ce4f2

SHA256
e2b048ba5f232612ae5925bea43288051d3c6a6d4b3bd75a959a163e148e3ccf

SHA512
15170c15e6074cead633258fa6423c5b6823e3d2ccd1cf4ce0ca91003031b153d21ef6aca510bede23c10050c987091c4b925bb1d44f9810deaa9a44b3594710

Download Submit
\??\c:\Windows\System32\CSCF1277D10748B4DACAD868CBF3B7BAC.TMP

Filesize
1KB

MD5
da358acc1c776804f760de9f97ab5559

SHA1
038168a232be9db3c170b6d8dccac62cfbb8e969

SHA256
f46ed0361ae7838e338b8dad157daf7c0848d76dfe0f2d9db12bb64bed6ef343

SHA512
97cea7270ba86a760adf14409ecad511999f591b680fb6ac62c6c75957257feb22f6a2fefe673b2c648a3935ffe192bc3cb16e965c2bdf83d6140b38dfeb9f3b

Download Submit
memory/2760-95-0x000001FAAD7E0000-0x000001FAAD802000-memory.dmp

Filesize
136KB

Download
memory/2884-24-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-28-0x000000001BD20000-0x000000001BD32000-memory.dmp

Filesize
72KB

Download
memory/2884-40-0x000000001BD50000-0x000000001BD60000-memory.dmp

Filesize
64KB

Download
memory/2884-42-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/2884-43-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-45-0x000000001D410000-0x000000001D46A000-memory.dmp

Filesize
360KB

Download
memory/2884-46-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-48-0x000000001BDF0000-0x000000001BDFE000-memory.dmp

Filesize
56KB

Download
memory/2884-50-0x000000001BE00000-0x000000001BE10000-memory.dmp

Filesize
64KB

Download
memory/2884-51-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-53-0x000000001BE10000-0x000000001BE1E000-memory.dmp

Filesize
56KB

Download
memory/2884-55-0x000000001D670000-0x000000001D688000-memory.dmp

Filesize
96KB

Download
memory/2884-57-0x000000001BE20000-0x000000001BE2C000-memory.dmp

Filesize
48KB

Download
memory/2884-59-0x000000001D6E0000-0x000000001D72E000-memory.dmp

Filesize
312KB

Download
memory/2884-38-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-35-0x000000001BD10000-0x000000001BD1E000-memory.dmp

Filesize
56KB

Download
memory/2884-33-0x000000001BD60000-0x000000001BD76000-memory.dmp

Filesize
88KB

Download
memory/2884-29-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-31-0x000000001BD00000-0x000000001BD10000-memory.dmp

Filesize
64KB

Download
memory/2884-89-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-88-0x000000001D970000-0x000000001DA3D000-memory.dmp

Filesize
820KB

Download
memory/2884-37-0x000000001BD40000-0x000000001BD4C000-memory.dmp

Filesize
48KB

Download
memory/2884-26-0x0000000003410000-0x000000000341E000-memory.dmp

Filesize
56KB

Download
memory/2884-0-0x00007FFF42983000-0x00007FFF42985000-memory.dmp

Filesize
8KB

Download
memory/2884-23-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/2884-19-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-21-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/2884-18-0x00000000033F0000-0x0000000003408000-memory.dmp

Filesize
96KB

Download
memory/2884-16-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-15-0x0000000001930000-0x0000000001940000-memory.dmp

Filesize
64KB

Download
memory/2884-13-0x000000001BDA0000-0x000000001BDF0000-memory.dmp

Filesize
320KB

Download
memory/2884-10-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-1-0x0000000000DC0000-0x0000000001146000-memory.dmp

Filesize
3.5MB

Download
memory/2884-2-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-12-0x00000000033D0000-0x00000000033EC000-memory.dmp

Filesize
112KB

Download
memory/2884-9-0x0000000001920000-0x000000000192E000-memory.dmp

Filesize
56KB

Download
memory/2884-7-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-6-0x0000000001950000-0x0000000001976000-memory.dmp

Filesize
152KB

Download
memory/2884-4-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/2884-3-0x00007FFF42980000-0x00007FFF43441000-memory.dmp

Filesize
10.8MB

Download
memory/5568-305-0x000000001C150000-0x000000001C21D000-memory.dmp

Filesize
820KB

Download
memory/5568-355-0x000000001C150000-0x000000001C21D000-memory.dmp

Filesize
820KB

Download
memory/5568-356-0x000000001BDB0000-0x000000001BDB8000-memory.dmp

Filesize
32KB

Download
memory/5568-306-0x000000001BDB0000-0x000000001BDB8000-memory.dmp

Filesize
32KB

Download