dcrat | b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Size

1.7MB
MD5

9dd2bc624ea9c953ff5621fef397066b
SHA1

e4ea9a4db77e4a5b3f062d4a3bbe10aa04913593
SHA256

b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6
SHA512

c63117abd2afa7b97afa1439b44412439bf5c0608fdcd4d45fce397d1a2e30766e2df0a19fafcb43b3cf657abe379848dbed4eaa666474be19ec52b7e7740a12
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2844	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2844	schtasks.exe	30

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1680-1-0x00000000003C0000-0x0000000000580000-memory.dmp	dcrat
behavioral1/files/0x00050000000193df-27.dat	dcrat
behavioral1/files/0x00090000000194d8-173.dat	dcrat
behavioral1/files/0x000800000001961d-184.dat	dcrat
behavioral1/memory/3008-208-0x0000000001290000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/2792-281-0x00000000013B0000-0x0000000001570000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2788	powershell.exe
1316	powershell.exe
1724	powershell.exe
2868	powershell.exe
2040	powershell.exe
2428	powershell.exe
2976	powershell.exe
2840	powershell.exe
2624	powershell.exe
2660	powershell.exe
2016	powershell.exe
1640	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Executes dropped EXE 10 IoCs

pid	Process
3008	dllhost.exe
2792	dllhost.exe
1164	dllhost.exe
2944	dllhost.exe
1688	dllhost.exe
2160	dllhost.exe
1832	dllhost.exe
2904	dllhost.exe
2588	dllhost.exe
1636	dllhost.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXB6B8.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\69ddcba757bf72	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXA25B.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Windows Media Player\5940a34987c991	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\101b941d020240	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXB726.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sppsvc.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXADBB.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\dllhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sppsvc.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXA6D3.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Common Files\Services\dllhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Common Files\Services\5940a34987c991	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXADBC.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXBBBB.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXBBBC.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXA6D2.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows Media Player\dllhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXA25C.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXB2AF.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\101b941d020240	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXB2B0.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\0a1fd5f707cd16	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Windows Media Player\dllhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\5940a34987c991	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\CSC\v2.0.6\spoolsv.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\Globalization\RCXA944.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\Globalization\RCXA945.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\Globalization\dllhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\Globalization\dllhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2504	schtasks.exe
2840	schtasks.exe
2660	schtasks.exe
1992	schtasks.exe
2836	schtasks.exe
2148	schtasks.exe
2124	schtasks.exe
576	schtasks.exe
1556	schtasks.exe
2768	schtasks.exe
1800	schtasks.exe
2616	schtasks.exe
1632	schtasks.exe
2932	schtasks.exe
2432	schtasks.exe
1936	schtasks.exe
1616	schtasks.exe
2088	schtasks.exe
2800	schtasks.exe
2188	schtasks.exe
2644	schtasks.exe
644	schtasks.exe
1032	schtasks.exe
2224	schtasks.exe
2508	schtasks.exe
1500	schtasks.exe
2980	schtasks.exe
560	schtasks.exe
1092	schtasks.exe
2924	schtasks.exe
1612	schtasks.exe
1088	schtasks.exe
836	schtasks.exe
2676	schtasks.exe
764	schtasks.exe
840	schtasks.exe
1144	schtasks.exe
2100	schtasks.exe
892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2624	powershell.exe
2868	powershell.exe
1316	powershell.exe
2660	powershell.exe
2428	powershell.exe
2016	powershell.exe
2976	powershell.exe
1640	powershell.exe
2788	powershell.exe
1724	powershell.exe
2840	powershell.exe
2040	powershell.exe
3008	dllhost.exe
3008	dllhost.exe
3008	dllhost.exe
3008	dllhost.exe
3008	dllhost.exe
3008	dllhost.exe
3008	dllhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	3008	dllhost.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2792	dllhost.exe
Token: SeDebugPrivilege	1164	dllhost.exe
Token: SeDebugPrivilege	2944	dllhost.exe
Token: SeDebugPrivilege	1688	dllhost.exe
Token: SeDebugPrivilege	2160	dllhost.exe
Token: SeDebugPrivilege	1832	dllhost.exe
Token: SeDebugPrivilege	2904	dllhost.exe
Token: SeDebugPrivilege	2588	dllhost.exe
Token: SeDebugPrivilege	1636	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1316	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	70
PID 1680 wrote to memory of 1316	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	70
PID 1680 wrote to memory of 1316	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	70
PID 1680 wrote to memory of 2624	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	71
PID 1680 wrote to memory of 2624	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	71
PID 1680 wrote to memory of 2624	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	71
PID 1680 wrote to memory of 2660	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	72
PID 1680 wrote to memory of 2660	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	72
PID 1680 wrote to memory of 2660	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	72
PID 1680 wrote to memory of 1724	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	73
PID 1680 wrote to memory of 1724	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	73
PID 1680 wrote to memory of 1724	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	73
PID 1680 wrote to memory of 2016	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	74
PID 1680 wrote to memory of 2016	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	74
PID 1680 wrote to memory of 2016	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	74
PID 1680 wrote to memory of 2868	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	75
PID 1680 wrote to memory of 2868	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	75
PID 1680 wrote to memory of 2868	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	75
PID 1680 wrote to memory of 1640	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	76
PID 1680 wrote to memory of 1640	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	76
PID 1680 wrote to memory of 1640	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	76
PID 1680 wrote to memory of 2428	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	77
PID 1680 wrote to memory of 2428	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	77
PID 1680 wrote to memory of 2428	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	77
PID 1680 wrote to memory of 2976	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	78
PID 1680 wrote to memory of 2976	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	78
PID 1680 wrote to memory of 2976	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	78
PID 1680 wrote to memory of 2840	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	79
PID 1680 wrote to memory of 2840	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	79
PID 1680 wrote to memory of 2840	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	79
PID 1680 wrote to memory of 2040	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	80
PID 1680 wrote to memory of 2040	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	80
PID 1680 wrote to memory of 2040	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	80
PID 1680 wrote to memory of 2788	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	81
PID 1680 wrote to memory of 2788	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	81
PID 1680 wrote to memory of 2788	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	81
PID 1680 wrote to memory of 3008	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	94
PID 1680 wrote to memory of 3008	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	94
PID 1680 wrote to memory of 3008	1680	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	94
PID 3008 wrote to memory of 2728	3008	dllhost.exe	96
PID 3008 wrote to memory of 2728	3008	dllhost.exe	96
PID 3008 wrote to memory of 2728	3008	dllhost.exe	96
PID 3008 wrote to memory of 676	3008	dllhost.exe	97
PID 3008 wrote to memory of 676	3008	dllhost.exe	97
PID 3008 wrote to memory of 676	3008	dllhost.exe	97
PID 2728 wrote to memory of 2792	2728	WScript.exe	98
PID 2728 wrote to memory of 2792	2728	WScript.exe	98
PID 2728 wrote to memory of 2792	2728	WScript.exe	98
PID 2792 wrote to memory of 2700	2792	dllhost.exe	99
PID 2792 wrote to memory of 2700	2792	dllhost.exe	99
PID 2792 wrote to memory of 2700	2792	dllhost.exe	99
PID 2792 wrote to memory of 2320	2792	dllhost.exe	100
PID 2792 wrote to memory of 2320	2792	dllhost.exe	100
PID 2792 wrote to memory of 2320	2792	dllhost.exe	100
PID 2700 wrote to memory of 1164	2700	WScript.exe	101
PID 2700 wrote to memory of 1164	2700	WScript.exe	101
PID 2700 wrote to memory of 1164	2700	WScript.exe	101
PID 1164 wrote to memory of 1876	1164	dllhost.exe	102
PID 1164 wrote to memory of 1876	1164	dllhost.exe	102
PID 1164 wrote to memory of 1876	1164	dllhost.exe	102
PID 1164 wrote to memory of 2396	1164	dllhost.exe	103
PID 1164 wrote to memory of 2396	1164	dllhost.exe	103
PID 1164 wrote to memory of 2396	1164	dllhost.exe	103
PID 1876 wrote to memory of 2944	1876	WScript.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
"C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Program Files\Windows Media Player\dllhost.exe
  "C:\Program Files\Windows Media Player\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0f53ad2-616f-485a-9620-9cb3e2155b91.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Program Files\Windows Media Player\dllhost.exe
      "C:\Program Files\Windows Media Player\dllhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe615b44-6a86-47eb-8103-3ad48b4b92f0.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Program Files\Windows Media Player\dllhost.exe
        
        "C:\Program Files\Windows Media Player\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0819810-7537-41cf-a094-69b7db3a553c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Program Files\Windows Media Player\dllhost.exe
        
        "C:\Program Files\Windows Media Player\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c7965a0-d352-4608-8b9b-17551b523882.vbs"
        9⤵
        
        PID:1084
        
        C:\Program Files\Windows Media Player\dllhost.exe
        
        "C:\Program Files\Windows Media Player\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\455f5cb6-14bc-42a8-9b99-8069405a8fec.vbs"
        11⤵
        
        PID:2744
        
        C:\Program Files\Windows Media Player\dllhost.exe
        
        "C:\Program Files\Windows Media Player\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6504404-1934-4e86-b438-9f56a02dac64.vbs"
        13⤵
        
        PID:1808
        
        C:\Program Files\Windows Media Player\dllhost.exe
        
        "C:\Program Files\Windows Media Player\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24e86934-037d-43c9-a6ed-3cd88b7de086.vbs"
        15⤵
        
        PID:1372
        
        C:\Program Files\Windows Media Player\dllhost.exe
        
        "C:\Program Files\Windows Media Player\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dcfeceb-e7ff-4d87-a9b0-ac9cf6c2a621.vbs"
        17⤵
        
        PID:2112
        
        C:\Program Files\Windows Media Player\dllhost.exe
        
        "C:\Program Files\Windows Media Player\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41fce370-c7c0-4875-98b6-3597deed69c4.vbs"
        19⤵
        
        PID:2648
        
        C:\Program Files\Windows Media Player\dllhost.exe
        
        "C:\Program Files\Windows Media Player\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92ffc83d-86d2-44ce-8b18-c3288217cb5b.vbs"
        21⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\622d9047-28c9-4797-9ee8-9ad147d46ace.vbs"
        21⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e334896-5f38-4492-a27e-d1bc3dd881fa.vbs"
        19⤵
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03b6b270-3be0-44e2-a8c2-b76231b17efd.vbs"
        17⤵
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35dc3f94-c1a6-425f-93a4-51f693226e3e.vbs"
        15⤵
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5558eca1-ef16-46f6-a9e7-1e01fc1a7ccb.vbs"
        13⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fbcf845-c1ab-4c62-9ec1-0fe8d8126175.vbs"
        11⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8722ffbe-6167-4b8c-a72f-5bb429534d1d.vbs"
        9⤵
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c3ff731-f252-489c-890d-d992f2eaf947.vbs"
        7⤵
        
        PID:2396
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfae2aac-c988-482d-aad5-e756f9a57fa5.vbs"
        5⤵
        
        PID:2320
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\241d9289-2fff-4b77-917a-85f77a21ab0c.vbs"
    3⤵
    PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Globalization\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6b" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6b" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6b" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6b" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\smss.exe

Filesize
1.7MB

MD5
bee8035820dacedaa2ce3f260ee59b31

SHA1
44cf0db77386bd695712a61850e1618d465cd6cf

SHA256
31c5b27ecec216d40cc2f07263ad5a9a8acec5d4d6197f6f43699b2b5528dabf

SHA512
91e3e30bfa59e07b41719f4cfe2d43869e7573377f5d7ea37e0663e32b864b9083a2c161d1edcf924352347886e580386cdc07b6bc28123b71255aeeaa2c26d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\241d9289-2fff-4b77-917a-85f77a21ab0c.vbs

Filesize
501B

MD5
9c567a7ae8dc13e708d8c10a66d51bd4

SHA1
c9e4348291fc3eeec40af8185313b31d72fbf641

SHA256
1eb5d6be380bd71f48a8d059d81fd0df841f5578fcb3116e63ecce253a770cb4

SHA512
0f9b0664f88a47fe116f9a05b3bece19ddd52cd1e731bacfb8c588affa224d690d79d50b95d000473d435d3f2db62456ef2ac66dbd60bd65add24e994a39eed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\24e86934-037d-43c9-a6ed-3cd88b7de086.vbs

Filesize
725B

MD5
df245784dbd38923fb1a7feef6b0d296

SHA1
0b9a30f0d3d622c6852584713dc346385b3b10ef

SHA256
f566deab2ee0ece15cf0a204849300cff32641788e5bcea15717708e76f4f90d

SHA512
607f9f6f9828f82171f57a2123ef5235302b0ac5d681791c4f050ca17f31662c59515f7db58e0c88aea0735855e05fce24d7ea7677eeb9fef4be004421b7521f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41fce370-c7c0-4875-98b6-3597deed69c4.vbs

Filesize
725B

MD5
f15d67eb12e43a44b3cc858445c37dd3

SHA1
6d99c2ffbdb722cdc8c511d14a143b280a0b94aa

SHA256
0fc098346c639d2bc030ec362efbe4920602d27feeab142521abd2d2a5edfc61

SHA512
a8e3bd30fc9d9b09118c1c8d72118db3fec231697df38cd870aa7871a3e178ffee1460ac81ca25eddf96150d2a0b89cbdd6999611c9309d2ca987dba98e948a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\455f5cb6-14bc-42a8-9b99-8069405a8fec.vbs

Filesize
725B

MD5
03f28e23a988d1e77033dadc8ec7065b

SHA1
864fe77a5faab2c75c3605e309d0d5eaddbae9b6

SHA256
3d343b8688f2b05b296deb09bbad29fd68b2c3a6f678d1c13fd2b8eb64129e2d

SHA512
73b93c99971f998179a0d47ff2838b9873148d94674ee5c9a787ca1922f47841dcbb284138778caac6c17acfe1816e5070495450b6aac92682e678112965e2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c7965a0-d352-4608-8b9b-17551b523882.vbs

Filesize
725B

MD5
b257e676f00bd4cba969b1cc316bea4e

SHA1
4506d9a684a76f0454208d0cc099f5324ebc6172

SHA256
b04d5b08b0b9c80be6382d1f52fc743fee8abfd2158d868416c2e6f0d43bbc67

SHA512
b9d1d886161d1b02198860b754de47c27c4cf8e297b99f5748318ba846debf7944a8ba4f47c104d1cd81a328c7489ab91c9de20b081bfdbc73db30208a46df12

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dcfeceb-e7ff-4d87-a9b0-ac9cf6c2a621.vbs

Filesize
725B

MD5
4e34d5db5dc95ba1c2beef8119c75a32

SHA1
f27f7074b708ca6b3bb877050c992bf845ab264a

SHA256
29a02b792309beaf26e8ef653a54b50024c5f3b24a52b0261bbc90c6d708eadb

SHA512
399494b3c26b44f9544a2e96af065df6560aa080844d4827228feb27be685430a734ba40c97b6279f6efea631d9ed86fc16a7797d924964d841432d7b8685166

Download Submit
C:\Users\Admin\AppData\Local\Temp\92ffc83d-86d2-44ce-8b18-c3288217cb5b.vbs

Filesize
725B

MD5
bfc1da98b86334426d0f18cb0242f88a

SHA1
cc33e53a0e477f8316054702f1903038889c9f00

SHA256
0d31e8517bf88817fb09ac29ed765fd88443dbdac87f8d72ab9a5c7d31230885

SHA512
0e60783f34a987d17a1d0e2957fe3fa0e1fb03d6f67e2fc4627ea40e68e9bd694796121a7d5a9228db453d6791c811015d62eff1a2405d5bbb22d204382759d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0819810-7537-41cf-a094-69b7db3a553c.vbs

Filesize
725B

MD5
81fd9c054938648823d6c7c9177750aa

SHA1
bf631ba4aef131c4ab9d87c3c4bbba3e2373980e

SHA256
385cef984ef870778d5eea14caa3861e2d099f95de44d6acc0b212002ea0f873

SHA512
60eb301194c675d5e6b7a70142a2162bae97d4d9f3b9855e98cfafd4b2ffb5e9477d0783aa3ca6c8cd4400fb3d7ecb9252234439f15a628e5adc636abf4209b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6504404-1934-4e86-b438-9f56a02dac64.vbs

Filesize
725B

MD5
4f8ec4a19fed560a1cacf4732336e1d0

SHA1
01a55b68f43378705f96174d4951e2f625b495d3

SHA256
b504a25bc16760bf4c04a9a6b88fe3981009fe8691bdfc5354f618a577fc1413

SHA512
336a85dc2c98e5b14ef087e0ec5b58fe8adf5b64a7cf136dcb9ab349ab2862d01cd55fd821d75cf5053150ef3eb2d22c82e74086db0c41591cdf479ccc83317c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0f53ad2-616f-485a-9620-9cb3e2155b91.vbs

Filesize
725B

MD5
556d4cffea030c822e8f25d02a7987a3

SHA1
c8b810336e6d7f7c5710c7aaa25ca0220e95467e

SHA256
c9dbc2cd1fede0f663e555a3b7c34df5492c30a5cc6d75b78747f3e16f514d8d

SHA512
9c065cb2e4143bc595a2b95aa1994404a17cacce72cc291e23b35c00e46a1cf099918ca8185b981f3e905ae8a9844b9d32d9d146fab6fb86f06886919deabc76

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe615b44-6a86-47eb-8103-3ad48b4b92f0.vbs

Filesize
725B

MD5
88710a663cc99bc4d6c29f075c89fa51

SHA1
a3369af4bb1790b050c3d4944cb5e8ed6cba698d

SHA256
d7145d7200ad5b629a8bf8832d0d231d90014d75f7bf5f9348575d7e3c01313c

SHA512
858df2c14da0bf2672a3d23952f999f502e4ccd6051eb968ae95c2d911509eea0db24dac109e3b9c1dd661923200ff58c7a7aa2f39be3ab1ce1f03230b6da6e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6279e03783edcc7c8a75047ffe98ba2c

SHA1
052c64532c50eaf68a59d8999989714ea238eac4

SHA256
930e0173f93a2c7c3fcdfb923af7b09c99964040bcc95004044f5e9dbb0544be

SHA512
145420c3ea525cbde870ea5b8673ad91eecdef12aadc4166c3b04e36fdd4bcc9a802a7c169e560acc86808c281bd4457fc85349480b2bb725c770b468802844c

Download Submit
C:\Users\Public\Videos\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Filesize
1.7MB

MD5
1899a8456142d44791c297b867dc703d

SHA1
5164c7cf855631773d113cd3e693e217224b34d0

SHA256
c215343cb53bf98a5d5276c3bdc46c8e8d6e7c33492b50bbecc437ea6ae8d9af

SHA512
b622a99799069669356f986a0a83ccf080dfbb59337be35acb2d12e2378b1657e34907f9074f4f85280652f59a9e032ee9998f8e5e2b80414c9304f0c286637f

Download Submit
C:\Windows\Globalization\dllhost.exe

Filesize
1.7MB

MD5
9dd2bc624ea9c953ff5621fef397066b

SHA1
e4ea9a4db77e4a5b3f062d4a3bbe10aa04913593

SHA256
b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6

SHA512
c63117abd2afa7b97afa1439b44412439bf5c0608fdcd4d45fce397d1a2e30766e2df0a19fafcb43b3cf657abe379848dbed4eaa666474be19ec52b7e7740a12

Download Submit
memory/1316-224-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1680-11-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/1680-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/1680-17-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/1680-16-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/1680-15-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/1680-187-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/1680-201-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-209-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-1-0x00000000003C0000-0x0000000000580000-memory.dmp

Filesize
1.8MB

Download
memory/1680-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-13-0x00000000008D0000-0x00000000008DA000-memory.dmp

Filesize
40KB

Download
memory/1680-14-0x0000000000960000-0x000000000096E000-memory.dmp

Filesize
56KB

Download
memory/1680-12-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/1680-20-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-3-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/1680-9-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/1680-8-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/1680-7-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/1680-6-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/1680-4-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/1680-5-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2588-359-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2624-225-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2792-281-0x00000000013B0000-0x0000000001570000-memory.dmp

Filesize
1.8MB

Download
memory/3008-208-0x0000000001290000-0x0000000001450000-memory.dmp

Filesize
1.8MB

Download