dcrat | d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Size

857KB
MD5

31c3f45b0054b2592dfbe98cc2b2ae6f
SHA1

b3b09b956a490a2558ffd7a5bd75cad36198ad85
SHA256

d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805
SHA512

737face1e81289120aecb19e64073c6c8bb4bd4efcbe4277a6a567e504267c9f82783973b55e08b1c9007521da7256c8494234eb5c57290ed71fba01c6bb5656
SSDEEP

12288:JWTnfLcX02i56n+XomvfJJMA+ApW3Ari4VVyZC0+1cw2jINofMVbmsaxZ6:JWTnZ20XomvhJMA+A3iE0nHp6

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\spoolsv.exe\", \"C:\\Windows\\Performance\\csrss.exe\", \"C:\\Windows\\System32\\sr-Latn-CS\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\MSBuild\\csrss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\spoolsv.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\spoolsv.exe\", \"C:\\Windows\\Performance\\csrss.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\spoolsv.exe\", \"C:\\Windows\\Performance\\csrss.exe\", \"C:\\Windows\\System32\\sr-Latn-CS\\OSPPSVC.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\spoolsv.exe\", \"C:\\Windows\\Performance\\csrss.exe\", \"C:\\Windows\\System32\\sr-Latn-CS\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\MSBuild\\csrss.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\spoolsv.exe\", \"C:\\Windows\\Performance\\csrss.exe\", \"C:\\Windows\\System32\\sr-Latn-CS\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\MSBuild\\csrss.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\dllhost.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2948	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2948	schtasks.exe	30

DCRat payload 9 IoCs

rat

resource	yara_rule
behavioral1/memory/1624-1-0x0000000000F80000-0x000000000105C000-memory.dmp	family_dcrat_v2
behavioral1/files/0x000500000001938e-26.dat	family_dcrat_v2
behavioral1/memory/1464-144-0x0000000000370000-0x000000000044C000-memory.dmp	family_dcrat_v2
behavioral1/memory/1792-157-0x0000000000A50000-0x0000000000B2C000-memory.dmp	family_dcrat_v2
behavioral1/memory/1592-170-0x0000000000C20000-0x0000000000CFC000-memory.dmp	family_dcrat_v2
behavioral1/memory/344-183-0x0000000001080000-0x000000000115C000-memory.dmp	family_dcrat_v2
behavioral1/memory/1528-232-0x0000000000220000-0x00000000002FC000-memory.dmp	family_dcrat_v2
behavioral1/memory/1676-245-0x0000000000AB0000-0x0000000000B8C000-memory.dmp	family_dcrat_v2
behavioral1/memory/2540-260-0x0000000000FB0000-0x000000000108C000-memory.dmp	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2132	powershell.exe
2232	powershell.exe
2156	powershell.exe
2084	powershell.exe
2624	powershell.exe
2468	powershell.exe
2032	powershell.exe
876	powershell.exe
2284	powershell.exe
1912	powershell.exe
2088	powershell.exe
2392	powershell.exe
2364	powershell.exe
2644	powershell.exe
2292	powershell.exe
1620	powershell.exe
1796	powershell.exe
1848	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1464	spoolsv.exe
1792	spoolsv.exe
1592	spoolsv.exe
344	spoolsv.exe
1744	spoolsv.exe
1492	spoolsv.exe
2520	spoolsv.exe
1528	spoolsv.exe
1676	spoolsv.exe
1028	spoolsv.exe
2540	spoolsv.exe
3000	spoolsv.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\spoolsv.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\System32\\sr-Latn-CS\\OSPPSVC.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\csrss.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\spoolsv.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Performance\\csrss.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Performance\\csrss.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Windows\\System32\\sr-Latn-CS\\OSPPSVC.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\MSBuild\\csrss.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\dllhost.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\dllhost.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\9w3j6e.exe	csc.exe
File created	C:\Windows\System32\sr-Latn-CS\OSPPSVC.exe	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	C:\Windows\System32\sr-Latn-CS\1610b97d3ab4a7	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	\??\c:\Windows\System32\CSCB3490E72A1B2495CAEAE54419BFA5B4E.TMP	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\886983d96e3d3e	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\f3b6ecef712a24	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	C:\Program Files (x86)\MSBuild\csrss.exe	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Performance\csrss.exe	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	C:\Windows\Performance\886983d96e3d3e	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1260	PING.EXE
2724	PING.EXE
2500	PING.EXE
572	PING.EXE
2556	PING.EXE

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1260	PING.EXE
2724	PING.EXE
2500	PING.EXE
572	PING.EXE
2556	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1180	schtasks.exe
1136	schtasks.exe
1984	schtasks.exe
3068	schtasks.exe
1080	schtasks.exe
1972	schtasks.exe
2956	schtasks.exe
1640	schtasks.exe
1468	schtasks.exe
2932	schtasks.exe
2808	schtasks.exe
2720	schtasks.exe
2680	schtasks.exe
1244	schtasks.exe
2912	schtasks.exe
2992	schtasks.exe
2556	schtasks.exe
2212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	1464	spoolsv.exe
Token: SeDebugPrivilege	1792	spoolsv.exe
Token: SeDebugPrivilege	1592	spoolsv.exe
Token: SeDebugPrivilege	344	spoolsv.exe
Token: SeDebugPrivilege	1744	spoolsv.exe
Token: SeDebugPrivilege	1492	spoolsv.exe
Token: SeDebugPrivilege	2520	spoolsv.exe
Token: SeDebugPrivilege	1528	spoolsv.exe
Token: SeDebugPrivilege	1676	spoolsv.exe
Token: SeDebugPrivilege	2540	spoolsv.exe
Token: SeDebugPrivilege	3000	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2864	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	34
PID 1624 wrote to memory of 2864	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	34
PID 1624 wrote to memory of 2864	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	34
PID 2864 wrote to memory of 2812	2864	csc.exe	36
PID 2864 wrote to memory of 2812	2864	csc.exe	36
PID 2864 wrote to memory of 2812	2864	csc.exe	36
PID 1624 wrote to memory of 2292	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	52
PID 1624 wrote to memory of 2292	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	52
PID 1624 wrote to memory of 2292	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	52
PID 1624 wrote to memory of 2232	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	53
PID 1624 wrote to memory of 2232	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	53
PID 1624 wrote to memory of 2232	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	53
PID 1624 wrote to memory of 2156	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	54
PID 1624 wrote to memory of 2156	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	54
PID 1624 wrote to memory of 2156	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	54
PID 1624 wrote to memory of 1796	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	55
PID 1624 wrote to memory of 1796	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	55
PID 1624 wrote to memory of 1796	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	55
PID 1624 wrote to memory of 1620	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	58
PID 1624 wrote to memory of 1620	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	58
PID 1624 wrote to memory of 1620	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	58
PID 1624 wrote to memory of 2644	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	59
PID 1624 wrote to memory of 2644	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	59
PID 1624 wrote to memory of 2644	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	59
PID 1624 wrote to memory of 2132	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	60
PID 1624 wrote to memory of 2132	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	60
PID 1624 wrote to memory of 2132	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	60
PID 1624 wrote to memory of 2392	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	61
PID 1624 wrote to memory of 2392	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	61
PID 1624 wrote to memory of 2392	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	61
PID 1624 wrote to memory of 1848	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	62
PID 1624 wrote to memory of 1848	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	62
PID 1624 wrote to memory of 1848	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	62
PID 1624 wrote to memory of 2088	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	63
PID 1624 wrote to memory of 2088	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	63
PID 1624 wrote to memory of 2088	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	63
PID 1624 wrote to memory of 2624	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	64
PID 1624 wrote to memory of 2624	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	64
PID 1624 wrote to memory of 2624	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	64
PID 1624 wrote to memory of 2284	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	65
PID 1624 wrote to memory of 2284	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	65
PID 1624 wrote to memory of 2284	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	65
PID 1624 wrote to memory of 2364	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	66
PID 1624 wrote to memory of 2364	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	66
PID 1624 wrote to memory of 2364	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	66
PID 1624 wrote to memory of 2084	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	67
PID 1624 wrote to memory of 2084	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	67
PID 1624 wrote to memory of 2084	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	67
PID 1624 wrote to memory of 1912	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	69
PID 1624 wrote to memory of 1912	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	69
PID 1624 wrote to memory of 1912	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	69
PID 1624 wrote to memory of 2468	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	70
PID 1624 wrote to memory of 2468	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	70
PID 1624 wrote to memory of 2468	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	70
PID 1624 wrote to memory of 2032	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	71
PID 1624 wrote to memory of 2032	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	71
PID 1624 wrote to memory of 2032	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	71
PID 1624 wrote to memory of 876	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	72
PID 1624 wrote to memory of 876	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	72
PID 1624 wrote to memory of 876	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	72
PID 1624 wrote to memory of 3032	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	88
PID 1624 wrote to memory of 3032	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	88
PID 1624 wrote to memory of 3032	1624	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	88
PID 3032 wrote to memory of 2716	3032	cmd.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
"C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ukzgdc4e\ukzgdc4e.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAE6.tmp" "c:\Windows\System32\CSCB3490E72A1B2495CAEAE54419BFA5B4E.TMP"
    3⤵
    PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sr-Latn-CS\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iao8pW3e0r.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2716
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1932
- - C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
    "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BLXo76X4ph.bat"
      4⤵
      PID:3040
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:956
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1260
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\36HI2G4svI.bat"
        6⤵
        
        PID:1964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:828
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat"
        8⤵
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2724
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat"
        10⤵
        
        PID:2824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2924
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yeUV7n97Dr.bat"
        12⤵
        
        PID:1912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1992
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1XGPdNpiQu.bat"
        14⤵
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HY3kVmQ00V.bat"
        16⤵
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:572
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YuP7FABH7o.bat"
        18⤵
        
        PID:1336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2556
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RKW7EBQnZE.bat"
        20⤵
        
        PID:2912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1772
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        21⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x0UH1pL55G.bat"
        22⤵
        
        PID:1796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2104
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat"
        24⤵
        
        PID:2560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2996
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\sr-Latn-CS\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\System32\sr-Latn-CS\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\sr-Latn-CS\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805d" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805d" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe

Filesize
857KB

MD5
31c3f45b0054b2592dfbe98cc2b2ae6f

SHA1
b3b09b956a490a2558ffd7a5bd75cad36198ad85

SHA256
d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805

SHA512
737face1e81289120aecb19e64073c6c8bb4bd4efcbe4277a6a567e504267c9f82783973b55e08b1c9007521da7256c8494234eb5c57290ed71fba01c6bb5656

Download Submit
C:\Users\Admin\AppData\Local\Temp\1XGPdNpiQu.bat

Filesize
197B

MD5
f0c5ba7aeebcddd2566d810338ba639b

SHA1
c2d3627b3075ccb136b310acb9a9a6343c6c9a6b

SHA256
b0ba31bbaec9929d60dc4b68da23d3fe1b16c0c7767f45954ec270bb99571b60

SHA512
0edf273014217aec3d426f693e0a615774da7775010a18bf436f0a1145fea7d0945db59d4f3c353c0ef2802d9260c7447cf6f274ef6035ca09fd6157f4839f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\36HI2G4svI.bat

Filesize
245B

MD5
bf9f5d091a3ae90b573162e9d47da7af

SHA1
2b427e149ccc0258d06aabd2e33b32d0aad42def

SHA256
254916ab4024cc981a6c75dfb88ab6a2d921ef5a64bead8b99eeaa5c666ae4cd

SHA512
dd91f00b0fe83ee40afb1cc4a1e8cdaa4291f4723b9a62d2848bfd795da15a4ad5fd4e92722826ec92383d31d2aefb83c54e078b798b3c7626db7924af26b489

Download Submit
C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat

Filesize
245B

MD5
b6e62c629c10b3889325616a7c5a2d6b

SHA1
6b88dd5f3f6f5b6e357c5d8478b47712fe5b51b6

SHA256
06ee4ae10261c0ea44d51a7e300b51727e4b464c85c2fb44e23583b71d3ee04d

SHA512
97ee27824cc57f86a6f832c406baa35724c11fd25d138b306e22376bf42b16040c8da8f0b28268e2f8e33b40b7ba26c84431545056544d9fcbce3388e555e6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLXo76X4ph.bat

Filesize
197B

MD5
69833007f84ae48760650b535a755f9c

SHA1
568ba62c7ee311c43307f33d67c7b13a5bf8940c

SHA256
ef914ffd55e78bf4848c3e245fc61530364350ee3949c5b532ee80ffed0906e9

SHA512
4de831ae466c1f8cc9b225d21ce31c976c8fe0e2e271425a5bc3c76749042c13af834b4edc6344ccce0eaba0a9e7f7184f6b2c194cf75dbb63c0d3af645c0e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\HY3kVmQ00V.bat

Filesize
197B

MD5
94ed8e84a4374f54d3ea8f295373df96

SHA1
e748099e01c6147f53e782e9f19c5188662a01af

SHA256
8cfe7c5454a0de66bd0abb7df429e8b6e9f3c7969bdc027cbbc92f2871061e94

SHA512
7e4cd2cbecefebdb192ba771093fe6ff6db9a5e4aebd9f4d53398927c982512a4a0c89cb17276081bd80ed27c3900cbcd1b9d49ba6ec9453eebdf9d35a0fc02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat

Filesize
245B

MD5
cfcdcc84840d76db9eec12e824fdcd6b

SHA1
409486f3bafb060e15d0d4bd20d7af6921294ab5

SHA256
69368de6ede2d52b56ee5e4a93a51e33c44298c0bfff09900df2e33b436f6ae0

SHA512
cb9f9ed87486d3dec23d9ee47caba775458742ddab39b456ad9d6d4867a2c065979ce0abb645cf4e2af4e7c84ced1d21b75c0bfd94e55b1e85428cad371f029b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBAE6.tmp

Filesize
1KB

MD5
14a5bb47a961189fc5430b49ba52f5b8

SHA1
b18bdfe3b407ee3a113c196d03474cc905864827

SHA256
2b21dec1074f59a05ee7a3f4a1dc0cf32bcc12f9211a4432fa02ad8a3c2073f2

SHA512
45825dd57759ee0956d16fe6a9f382730bb83d92da37198c9142bb5a305bc5b76808b44b95a42f035a638b78feeeddfc99a6890d0f2fcde6a1b67433dd4a8b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKW7EBQnZE.bat

Filesize
245B

MD5
867aed11230831654c643c5e5f8da5ea

SHA1
88d5e80dc11118a91d699d405b755c3659f89aec

SHA256
5366f6422535e92d61f1daea361c6057a2d4e6f5c1de2b1f3a1ecf5cc0a9bdb4

SHA512
9f03914f1bc55de6bd563df8f6a6632660f42ee0c1c000fb36e8c2ae51c687d0c9da1f3d793e5d8397e1f63d3f3f2ec91d877c5ceaeaf42218e94cadee416179

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuP7FABH7o.bat

Filesize
197B

MD5
99f565f2dc469fdee6b23a5e8ee3b690

SHA1
ccb6853477bf720cc2eaa5e5278f4d75d5771d64

SHA256
cfda6a81a96491ed657f1c186d3822f03bd27f9dbbdb233d98f2f75511084ef0

SHA512
14ae4150b8fe79bb5e4a452bc2009307f6b6271762a3b9d8d39e5e5fb2330dcd176b30713d407a206324231659c20a19035e8042ff999b78eb345fc2abd125e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat

Filesize
197B

MD5
56ffa6eeec2d824f5778e2567c511afb

SHA1
1690d9dbb12c0b65f018be3025c2935236462cd6

SHA256
cfd36258fb4e5ca01b98e5e30365242efdb949ebdb438bb8371e23f5fc28ca01

SHA512
79ddb0b5f66fbe61a69f0aa67fc4fb1f75b4b96097f44f9ce4d8a9df7277ba9c750f9da29b0a704efcef185317a34b7ef4d9e6184a0c44a4d414a5e39995b5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iao8pW3e0r.bat

Filesize
245B

MD5
cafca06f178c461bf94f46813f9ba220

SHA1
b9b6ebd54301a5e57902dedc704f6b4908dbb728

SHA256
9155414a61e392f6852e78df6394ee437432b0c1182e5252dfccf7ad7d0e8381

SHA512
805faf1b857daece544d7115cabea309d42bedf5b1b91c4cf36b33fe11d6cb997a021ac28c8ba1a7437bc96aaed8557ba9ae756de32940f68c54e78bd73dbacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\yeUV7n97Dr.bat

Filesize
245B

MD5
e41413b06b1b90cacdef67e138fe6166

SHA1
3b9114c97e42d0cbe67c09dbcf1edeed0c9d6d77

SHA256
0a943f624ec4b0b95f28ceb4b1c7ceaa4247172a6cc4a3e7548cae4a70187ee9

SHA512
3abea67af6bec6aeda80376a3075ece6ba08f0d6882cac3c49462f9f464a5efbd3750502125c7ae8ba7135efa3052d03d7a2d2f90e8934f37e534bc6e0163cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9ec59be808b35f9a8eda6a7ca75c8cf4

SHA1
36c6b4d2ffefb1249c0421a99ab6a3635708e58b

SHA256
9571cf3394d29e55d52bd1eac17113cfa58fc66b77c315d1cf4e7e89ebeac5be

SHA512
271a815d05378fb9434f9cc7a873e13052cfef308c8e12b6c4836fbde76b63c464963551f566d611b60bd62735ef0bc152a9aefa699aec12a5d7e1049453d953

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ukzgdc4e\ukzgdc4e.0.cs

Filesize
401B

MD5
731cb83048ba3ac18b5751fd1fa40f64

SHA1
1065f36c97bdbe014964536b0a7e725a49f43c71

SHA256
85b152cba7252e26a48582652873e7293f7f6e3efe615668ecefde12ce71c7ea

SHA512
2ff0db90eff262ee1ded7e8d2f71bbfb3339dc320bea7c1957d4250cd8b63fd52b2b268047d6c29876373da3aa80c0dbf7a0a5406fd9ae39269665b098b0d08d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ukzgdc4e\ukzgdc4e.cmdline

Filesize
235B

MD5
fc11ad444ca92950b6b879d2df7c1156

SHA1
c49eafe2825d4f1db8612a2f5f86a233a1b0fe75

SHA256
4985aaf35dfe04e800862c1e245f3f3a2156df737c8f4530c101b4d3d5e21dbf

SHA512
ae4420438e3cc8469cbe5577af04a69f124a1ab0d80b26ba2f340f275a9117dd8fae7d9c3a8792b97de2b79438fc23c97c5146c98e781a17fbb815a3aba68c7c

Download Submit
\??\c:\Windows\System32\CSCB3490E72A1B2495CAEAE54419BFA5B4E.TMP

Filesize
1KB

MD5
70046c6c63d509bb29450ef32b59dda3

SHA1
26802b73997ee22a7cd3d07ae77016969603cf00

SHA256
dd0e7409cd9412eafdd8f881d6094fb539ad19c7a54d76043de655a00f80f5d0

SHA512
d7b8d4ed84b8e1f5e416c378872bb7bc6d884341f0aa76f2c3b664f1ad0324a2d749c51718f3940d61663d152c35ba241ce0def03a002c6423a4d0957866c96f

Download Submit
memory/344-183-0x0000000001080000-0x000000000115C000-memory.dmp

Filesize
880KB

Download
memory/1464-144-0x0000000000370000-0x000000000044C000-memory.dmp

Filesize
880KB

Download
memory/1528-232-0x0000000000220000-0x00000000002FC000-memory.dmp

Filesize
880KB

Download
memory/1592-170-0x0000000000C20000-0x0000000000CFC000-memory.dmp

Filesize
880KB

Download
memory/1624-16-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-32-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-15-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/1624-76-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-31-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-30-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-29-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-13-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/1624-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

Filesize
4KB

Download
memory/1624-1-0x0000000000F80000-0x000000000105C000-memory.dmp

Filesize
880KB

Download
memory/1624-4-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/1624-28-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-11-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/1624-9-0x0000000000440000-0x0000000000458000-memory.dmp

Filesize
96KB

Download
memory/1624-7-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-6-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1676-245-0x0000000000AB0000-0x0000000000B8C000-memory.dmp

Filesize
880KB

Download
memory/1792-157-0x0000000000A50000-0x0000000000B2C000-memory.dmp

Filesize
880KB

Download
memory/2540-260-0x0000000000FB0000-0x000000000108C000-memory.dmp

Filesize
880KB

Download
memory/2644-59-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/2644-60-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download