dcrat | d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5

Analysis

max time kernel
118s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Size

1.8MB
MD5

0f6832bc8381b05096f8ffac1272e400
SHA1

be7722fb36f12432f6da2e051d1f96761e97fcf4
SHA256

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5
SHA512

7fabcaac732873a97990faba9a06fee2b4c4febf8e5be1b223827c10671151854dcd755ca492c5738bebb18dd0dc3616a2e08768ae69d80bd681259008d04548
SSDEEP

24576:zyvTg4STbYSG65XZsTBsR36Y1864kHFLlb/sgaspAqsbTsIvVJUl52iFxA4Gbg:W6hdR3KlyFLlbsrs6PbTJU24Gb

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\OfficeClickToRun.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\", \"C:\\Program Files\\Windows Security\\fontdrvhost.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\", \"C:\\Program Files\\Windows Security\\fontdrvhost.exe\", \"C:\\Windows\\Vss\\Writers\\System\\smss.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\", \"C:\\Program Files\\Windows Security\\fontdrvhost.exe\", \"C:\\Windows\\Vss\\Writers\\System\\smss.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\upfc.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\OfficeClickToRun.exe\", \"C:\\Users\\Default\\Desktop\\System.exe\", \"C:\\Program Files\\Windows Security\\fontdrvhost.exe\", \"C:\\Windows\\Vss\\Writers\\System\\smss.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\upfc.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2116	schtasks.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exed10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exeOfficeClickToRun.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 12 IoCs

Processes:

pid	process
4456	OfficeClickToRun.exe
3056	OfficeClickToRun.exe
4776	OfficeClickToRun.exe
1052	OfficeClickToRun.exe
3848	OfficeClickToRun.exe
4632	OfficeClickToRun.exe
1600	OfficeClickToRun.exe
5072	OfficeClickToRun.exe
3216	OfficeClickToRun.exe
4972	OfficeClickToRun.exe
2188	OfficeClickToRun.exe
3700	OfficeClickToRun.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Security\\fontdrvhost.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Vss\\Writers\\System\\smss.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Vss\\Writers\\System\\smss.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\upfc.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\OfficeClickToRun.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\OfficeClickToRun.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\Desktop\\System.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\Desktop\\System.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\upfc.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Security\\fontdrvhost.exe\""	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC776EFE37231E43ECA9C5B517342554B.TMP	csc.exe
File created	\??\c:\Windows\System32\s_kgxh.exe	csc.exe

Drops file in Program Files directory 7 IoCs

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

description	ioc	process
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\e6c9b481da804f	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\ea1d8f6d871115	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
File created	C:\Program Files\Windows Security\fontdrvhost.exe	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
File created	C:\Program Files\Windows Security\5b884080fd4f94	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

Drops file in Windows directory 2 IoCs

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

description	ioc	process
File created	C:\Windows\Vss\Writers\System\smss.exe	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
File created	C:\Windows\Vss\Writers\System\69ddcba757bf72	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2380 PING.EXE
3660 PING.EXE
688 PING.EXE
4560 PING.EXE
3556 PING.EXE
3232 PING.EXE
1308 PING.EXE
3528 PING.EXE

pid	process
2380	PING.EXE
3660	PING.EXE
688	PING.EXE
4560	PING.EXE
3556	PING.EXE
3232	PING.EXE
1308	PING.EXE
3528	PING.EXE

Modifies registry class 13 IoCs

Processes:

OfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exed10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OfficeClickToRun.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3528 PING.EXE
2380 PING.EXE
3660 PING.EXE
688 PING.EXE
4560 PING.EXE
3556 PING.EXE
3232 PING.EXE
1308 PING.EXE

pid	process
3528	PING.EXE
2380	PING.EXE
3660	PING.EXE
688	PING.EXE
4560	PING.EXE
3556	PING.EXE
3232	PING.EXE
1308	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4784	schtasks.exe
4556	schtasks.exe
5012	schtasks.exe
1372	schtasks.exe
3124	schtasks.exe
1644	schtasks.exe
4680	schtasks.exe
4940	schtasks.exe
1388	schtasks.exe
2044	schtasks.exe
60	schtasks.exe
3852	schtasks.exe
4384	schtasks.exe
4212	schtasks.exe
3440	schtasks.exe
3220	schtasks.exe
2180	schtasks.exe
2260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

pid	process
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exeOfficeClickToRun.exe

description	pid	process
Token: SeDebugPrivilege	3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
Token: SeDebugPrivilege	4456	OfficeClickToRun.exe
Token: SeDebugPrivilege	3056	OfficeClickToRun.exe
Token: SeDebugPrivilege	4776	OfficeClickToRun.exe
Token: SeDebugPrivilege	1052	OfficeClickToRun.exe
Token: SeDebugPrivilege	3848	OfficeClickToRun.exe
Token: SeDebugPrivilege	4632	OfficeClickToRun.exe
Token: SeDebugPrivilege	1600	OfficeClickToRun.exe
Token: SeDebugPrivilege	5072	OfficeClickToRun.exe
Token: SeDebugPrivilege	3216	OfficeClickToRun.exe
Token: SeDebugPrivilege	4972	OfficeClickToRun.exe
Token: SeDebugPrivilege	2188	OfficeClickToRun.exe
Token: SeDebugPrivilege	3700	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.execsc.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exeOfficeClickToRun.execmd.exe

description	pid	process	target process
PID 3668 wrote to memory of 4896	3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe	csc.exe
PID 3668 wrote to memory of 4896	3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe	csc.exe
PID 4896 wrote to memory of 3016	4896	csc.exe	cvtres.exe
PID 4896 wrote to memory of 3016	4896	csc.exe	cvtres.exe
PID 3668 wrote to memory of 1968	3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe	cmd.exe
PID 3668 wrote to memory of 1968	3668	d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe	cmd.exe
PID 1968 wrote to memory of 4976	1968	cmd.exe	chcp.com
PID 1968 wrote to memory of 4976	1968	cmd.exe	chcp.com
PID 1968 wrote to memory of 4728	1968	cmd.exe	w32tm.exe
PID 1968 wrote to memory of 4728	1968	cmd.exe	w32tm.exe
PID 1968 wrote to memory of 4456	1968	cmd.exe	OfficeClickToRun.exe
PID 1968 wrote to memory of 4456	1968	cmd.exe	OfficeClickToRun.exe
PID 4456 wrote to memory of 3528	4456	OfficeClickToRun.exe	cmd.exe
PID 4456 wrote to memory of 3528	4456	OfficeClickToRun.exe	cmd.exe
PID 3528 wrote to memory of 4508	3528	cmd.exe	chcp.com
PID 3528 wrote to memory of 4508	3528	cmd.exe	chcp.com
PID 3528 wrote to memory of 3556	3528	cmd.exe	PING.EXE
PID 3528 wrote to memory of 3556	3528	cmd.exe	PING.EXE
PID 3528 wrote to memory of 3056	3528	cmd.exe	OfficeClickToRun.exe
PID 3528 wrote to memory of 3056	3528	cmd.exe	OfficeClickToRun.exe
PID 3056 wrote to memory of 1516	3056	OfficeClickToRun.exe	cmd.exe
PID 3056 wrote to memory of 1516	3056	OfficeClickToRun.exe	cmd.exe
PID 1516 wrote to memory of 3260	1516	cmd.exe	chcp.com
PID 1516 wrote to memory of 3260	1516	cmd.exe	chcp.com
PID 1516 wrote to memory of 3232	1516	cmd.exe	PING.EXE
PID 1516 wrote to memory of 3232	1516	cmd.exe	PING.EXE
PID 1516 wrote to memory of 4776	1516	cmd.exe	OfficeClickToRun.exe
PID 1516 wrote to memory of 4776	1516	cmd.exe	OfficeClickToRun.exe
PID 4776 wrote to memory of 1324	4776	OfficeClickToRun.exe	cmd.exe
PID 4776 wrote to memory of 1324	4776	OfficeClickToRun.exe	cmd.exe
PID 1324 wrote to memory of 2740	1324	cmd.exe	chcp.com
PID 1324 wrote to memory of 2740	1324	cmd.exe	chcp.com
PID 1324 wrote to memory of 2212	1324	cmd.exe	w32tm.exe
PID 1324 wrote to memory of 2212	1324	cmd.exe	w32tm.exe
PID 1324 wrote to memory of 1052	1324	cmd.exe	OfficeClickToRun.exe
PID 1324 wrote to memory of 1052	1324	cmd.exe	OfficeClickToRun.exe
PID 1052 wrote to memory of 3688	1052	OfficeClickToRun.exe	cmd.exe
PID 1052 wrote to memory of 3688	1052	OfficeClickToRun.exe	cmd.exe
PID 3688 wrote to memory of 3488	3688	cmd.exe	chcp.com
PID 3688 wrote to memory of 3488	3688	cmd.exe	chcp.com
PID 3688 wrote to memory of 1308	3688	cmd.exe	PING.EXE
PID 3688 wrote to memory of 1308	3688	cmd.exe	PING.EXE
PID 3688 wrote to memory of 3848	3688	cmd.exe	OfficeClickToRun.exe
PID 3688 wrote to memory of 3848	3688	cmd.exe	OfficeClickToRun.exe
PID 3848 wrote to memory of 2568	3848	OfficeClickToRun.exe	cmd.exe
PID 3848 wrote to memory of 2568	3848	OfficeClickToRun.exe	cmd.exe
PID 2568 wrote to memory of 4320	2568	cmd.exe	chcp.com
PID 2568 wrote to memory of 4320	2568	cmd.exe	chcp.com
PID 2568 wrote to memory of 4328	2568	cmd.exe	w32tm.exe
PID 2568 wrote to memory of 4328	2568	cmd.exe	w32tm.exe
PID 2568 wrote to memory of 4632	2568	cmd.exe	OfficeClickToRun.exe
PID 2568 wrote to memory of 4632	2568	cmd.exe	OfficeClickToRun.exe
PID 4632 wrote to memory of 4516	4632	OfficeClickToRun.exe	cmd.exe
PID 4632 wrote to memory of 4516	4632	OfficeClickToRun.exe	cmd.exe
PID 4516 wrote to memory of 724	4516	cmd.exe	chcp.com
PID 4516 wrote to memory of 724	4516	cmd.exe	chcp.com
PID 4516 wrote to memory of 3528	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 3528	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 1600	4516	cmd.exe	OfficeClickToRun.exe
PID 4516 wrote to memory of 1600	4516	cmd.exe	OfficeClickToRun.exe
PID 1600 wrote to memory of 1072	1600	OfficeClickToRun.exe	cmd.exe
PID 1600 wrote to memory of 1072	1600	OfficeClickToRun.exe	cmd.exe
PID 1072 wrote to memory of 4740	1072	cmd.exe	chcp.com
PID 1072 wrote to memory of 4740	1072	cmd.exe	chcp.com

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe
"C:\Users\Admin\AppData\Local\Temp\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\taigpvdy\taigpvdy.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABC1.tmp" "c:\Windows\System32\CSC776EFE37231E43ECA9C5B517342554B.TMP"
    3⤵
    PID:3016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2rcvYnL3y2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4976
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4728
- - C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
    "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A6hgcLYDdm.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4508
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3556
    - - C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3232
        
        C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8rw0eVXoN.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2212
        
        C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGPFa9vscR.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1308
        
        C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IqQTfaxkTv.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4328
        
        C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1fnMmvhPbk.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3528
        
        C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oe8YqT2ALj.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
        
        C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LK5jd7xSrl.bat"
        18⤵
        
        PID:3240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3660
        
        C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IB3ybkF286.bat"
        20⤵
        
        PID:2824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3196
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:688
        
        C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7d3QeoYVFw.bat"
        22⤵
        
        PID:1960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4552
        
        C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGPFa9vscR.bat"
        24⤵
        
        PID:4508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4560
        
        C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe
        
        "C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7d3QeoYVFw.bat"
        26⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\System\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5Nd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5Nd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsPowerShell\Modules\Pester\OfficeClickToRun.exe

Filesize
1.8MB

MD5
0f6832bc8381b05096f8ffac1272e400

SHA1
be7722fb36f12432f6da2e051d1f96761e97fcf4

SHA256
d10f5b84ae114c7ad063b9e8397da1aad8074cee7d9bcac500a353459daf7ab5

SHA512
7fabcaac732873a97990faba9a06fee2b4c4febf8e5be1b223827c10671151854dcd755ca492c5738bebb18dd0dc3616a2e08768ae69d80bd681259008d04548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fnMmvhPbk.bat

Filesize
198B

MD5
44def03addab76ebdce7f239c3ddc4ba

SHA1
16dc97adbedc3d8317609ff39144fee4221dc7bb

SHA256
5ed5dc1af63e0293c4329c633a4ea81595ecb80780b3481503b5dddcf4d54c45

SHA512
fcd50337f3a10232d422b7b12c0309676f3d28c8c73331010d17297976c60c743219ae645df350f5a60f9ca164c3bc643739fc0a99ed53d5a0271243873bb2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2rcvYnL3y2.bat

Filesize
246B

MD5
e737aa5cd48c7e9980b8bcf8d3b9dfb8

SHA1
c7e34c5c9747d233a2083659efea2dca66f3d2f8

SHA256
bda23eca78474bf09fc6a0a6225d051da75f88c79a43c8048040f57527f04ce0

SHA512
52c3a775495d10c2579764d3de7ea7813ef07ae3793979511ab79248602ac1c30f9f6cb8b3b3c289ad334e3d9af38b47a4d881b6637ebe007a833a5e6aa2645e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d3QeoYVFw.bat

Filesize
246B

MD5
4ae2a0e7de222ab275a46e618ce199d2

SHA1
3d6e1b2ce07e90b5c3d51e3cedfba3ed123084ea

SHA256
2975de96f4c39a28a15fdc0b8dff172b30db02255c797f5a78cfc5853aac74db

SHA512
bdfdccbfca0e7b888ca851f254e3b6c8eaf30fdf88f7eb2815ad2154efc2eeb9a97c822a2f8cf441ccf4d968bebb6a86ebf51b233a6735a72e00ebb98107d51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6hgcLYDdm.bat

Filesize
198B

MD5
34605fc8d09664bd7b7b6fd918998c4a

SHA1
ea34022f0454f8cdf52d0eb8be8b8a3714f0909a

SHA256
e9263ff07847d8e7a00b869476890621d44c171ebd6735901b84760346b537a3

SHA512
f99b3cfe8bb6424863874eeda52f6dbda25c9b35405dea600e79ca7a8e37c63b63365499893ee580f7f2c68c34dbf6ac742a2b429ee4ddcc9e0bcd0c8e6a67fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IB3ybkF286.bat

Filesize
198B

MD5
adfa21e7dc05da65186739b0bb05578b

SHA1
8dd12ae709e6e2c85a120b1181141c2ced4a6b1f

SHA256
c4655b8a20477ceb2d61adde97c25225e99c71c1143a110493f247fd41d12018

SHA512
70c9cef49ef5c9fc93707abe55dcf2dd56f3345cdf0a07d846592756da27e42c62775914c7c4775697bbd81341e7578c0f8431e550afae7aad39a2f5de8cf79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IqQTfaxkTv.bat

Filesize
246B

MD5
ef92e45b4c682a55cf2644aad0e08013

SHA1
12828d49a89cc92d223feecb49fc9000374f2763

SHA256
696ea09343d67b7f15f38c359a62f05595fec0a6fb2a0b6d0c12f99653b335e4

SHA512
231e896e2296411bfc3ae5a640352aba752f9d55846eb3832e13944b7535c6ebb135fbaeba0668fc0d2c9ef5307cbc124c8a9c19369481b9423a63bafdd84bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat

Filesize
198B

MD5
8e22f662ffb1f93e01d4564244c165e7

SHA1
620889dac84168460979501df8c220e4e4e96336

SHA256
e108b9ae5913f588e8e46cc072cdfe7a990902a9a6af48bc6046341d37f110ca

SHA512
93d293ef5a32cf87745b2667b1f458d6e0bbf90c107d6359e0194fe0300d58538501054d57a01e10211732f55d53b44bc85fc03517d06ccfa9e5e9400f287c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\LK5jd7xSrl.bat

Filesize
198B

MD5
53a3a2648545b99fd4affcc907897b2b

SHA1
46ae2ed2f22c524a2d7bcb940fad3a7bfb2b12d3

SHA256
dc3a62da7bbfeedc9924a2f902615181ce9c6dff233b57c7d0df4a6f0732f27c

SHA512
5fb0466dc5ec238a6707b7681f5490b6660b460ca5232c6bdcb3bbc8460052837fa3f42b783b092a4647d1d5bb1c2df10b4b15bafca92d29525b7feb1dc5e685

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGPFa9vscR.bat

Filesize
198B

MD5
f835be4bd3c3769df419245b549a926d

SHA1
db4bae41a18326615f269eaa182a96539fddbf0c

SHA256
d82a9980aaf225abc57a7b8ffe3ade6998713552a7e469c541a7060516c15739

SHA512
b2badc6854d83124447b591cb27bb66074c12fe3f4661dad00aa15add2a8fcfbdc126e06f29151396c7d85caef0690f8483bdab76726569d80a74200c80dbb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESABC1.tmp

Filesize
1KB

MD5
69d6ec513e57f2649db314ad75dd3812

SHA1
03f8459cb8e729f0a64b1d72f6f72272f4cc76f2

SHA256
4bb76e79498c07a2e8f71c63c7c2e6632d8223257ffb76291574bef0403318eb

SHA512
a1391f1792ef62258ae729aba1d9b2fc6e181252331bfa2739aae326515d3dbd04c84ecfdaff1ade1403c65f536269c311e9da3444a9528c7712123222a39cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8rw0eVXoN.bat

Filesize
246B

MD5
c56607e16b75ea6384dae6502caed18b

SHA1
2434fa874d8d9abf64d1ad9ab6a329a83dff4b4d

SHA256
7f63aa54bb06c5204d5504435549321bd42f9a657f1d38e430300a5486a452f4

SHA512
bdc7db6e4d0096ccfdb84146c4ea45528ad19fb95d4817e42d1b8cb4c2f183fd59e08aa131a378e6d4fda57d5ca09a8be4d3eb1a6d45f2e0d2bef200302404c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oe8YqT2ALj.bat

Filesize
198B

MD5
495f3e43b87c2dfa68705a0725aabdba

SHA1
55c23f6f6cff87114cd557568bf657b1a5191709

SHA256
c154ba08a8e2607f12e63eff7b475c60f4519ecab356f614d3a288bd141842bb

SHA512
976d93882144c88104c6f47a4d6529a58b51a87ba4d0b0331943b461117ddc5e577d5ea8b9f3d731d0c9964c64c419cf7dcb97a305576fbb77feb2a5e744fcd1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\taigpvdy\taigpvdy.0.cs

Filesize
402B

MD5
79e47407ade41d1728cc896d35fd6963

SHA1
a405ef7fdb366b83ead9fddc12790ef335efacbf

SHA256
be6fed94c18aa5d9bea4543b856c5041eb5dffacb10aaff0f9b58cb7630b95ce

SHA512
c7b2551086ecc227ae8654348e825bb3e0971b5b7818b01d28cce4e0cb8a3f575e566b96be087aa4b2feb3099a551ac1646d9a8eb33147fcfa2d7211f111164e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\taigpvdy\taigpvdy.cmdline

Filesize
235B

MD5
bd4a2a1c4c32865d2e907971a077f8cb

SHA1
05aeec35958a6657bcb38868d807148ea7866654

SHA256
953383e919263b5cf9986aff39ac6df487fb5e5b1a57c4f8b4015dd61a0b7ee1

SHA512
d563afb267beee41b2424191fd390066a4589d89759da2e85f843c22ab039294ee04bf697cd5f0a789d44f4a16e962e235375e8cbc96a42920cf66c0261ec11d

Download Submit
\??\c:\Windows\System32\CSC776EFE37231E43ECA9C5B517342554B.TMP

Filesize
1KB

MD5
634e281a00b7b9f516c3048badfa1530

SHA1
af6369715ce2fe9b99609e470d4f66698880a35a

SHA256
0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8

SHA512
1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b

Download Submit
memory/1052-96-0x000000001CDF0000-0x000000001CE99000-memory.dmp

Filesize
676KB

Download
memory/1600-129-0x000000001C420000-0x000000001C4C9000-memory.dmp

Filesize
676KB

Download
memory/2188-173-0x000000001C0B0000-0x000000001C159000-memory.dmp

Filesize
676KB

Download
memory/3056-74-0x000000001D080000-0x000000001D129000-memory.dmp

Filesize
676KB

Download
memory/3216-151-0x000000001C3C0000-0x000000001C469000-memory.dmp

Filesize
676KB

Download
memory/3668-16-0x0000000002B00000-0x0000000002B0C000-memory.dmp

Filesize
48KB

Download
memory/3668-14-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-49-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-47-0x000000001B980000-0x000000001BA29000-memory.dmp

Filesize
676KB

Download
memory/3668-23-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-19-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-1-0x0000000000630000-0x000000000080A000-memory.dmp

Filesize
1.9MB

Download
memory/3668-13-0x0000000002BB0000-0x0000000002BC8000-memory.dmp

Filesize
96KB

Download
memory/3668-0-0x00007FFA7BF23000-0x00007FFA7BF25000-memory.dmp

Filesize
8KB

Download
memory/3668-6-0x0000000002AF0000-0x0000000002AFE000-memory.dmp

Filesize
56KB

Download
memory/3668-3-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-11-0x000000001B6F0000-0x000000001B740000-memory.dmp

Filesize
320KB

Download
memory/3668-4-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-10-0x0000000002B90000-0x0000000002BAC000-memory.dmp

Filesize
112KB

Download
memory/3668-8-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-7-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-2-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3700-184-0x000000001C2F0000-0x000000001C399000-memory.dmp

Filesize
676KB

Download
memory/3848-107-0x000000001BD60000-0x000000001BE09000-memory.dmp

Filesize
676KB

Download
memory/4456-62-0x000000001C410000-0x000000001C4B9000-memory.dmp

Filesize
676KB

Download
memory/4632-118-0x000000001B0B0000-0x000000001B159000-memory.dmp

Filesize
676KB

Download
memory/4776-85-0x000000001C290000-0x000000001C339000-memory.dmp

Filesize
676KB

Download
memory/4972-162-0x000000001C9B0000-0x000000001CA59000-memory.dmp

Filesize
676KB

Download
memory/5072-140-0x000000001BF50000-0x000000001BFF9000-memory.dmp

Filesize
676KB

Download