dcrat | 95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e

Analysis

max time kernel
119s
max time network
116s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Size

1.7MB
MD5

274dfd128512553bde18a7d5e63afcf1
SHA1

3579d08a2a108e03cda8a8439380896106e998d9
SHA256

95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e
SHA512

6466138438bb2168112b99302d8f65c316d62ad393e7c395fef916f6debfa5989d2a7673a3be46908a587b942f527fd44e9b24e86cd8826bac2ec2c44daa3f3a
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvQ:OTHUxUoh1IF9gl2x

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2788	schtasks.exe	31

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1488-1-0x0000000000090000-0x0000000000250000-memory.dmp	dcrat
behavioral1/files/0x000500000001a4a5-27.dat	dcrat
behavioral1/files/0x000800000001a4b5-100.dat	dcrat
behavioral1/files/0x000a0000000194e6-111.dat	dcrat
behavioral1/files/0x000700000001a4a5-120.dat	dcrat
behavioral1/files/0x000600000001a4b9-145.dat	dcrat
behavioral1/files/0x000d00000001a4c1-223.dat	dcrat
behavioral1/files/0x000600000001a4bd-312.dat	dcrat
behavioral1/memory/2676-313-0x00000000009F0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/1880-324-0x0000000001180000-0x0000000001340000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2236	powershell.exe
2424	powershell.exe
2468	powershell.exe
3004	powershell.exe
1444	powershell.exe
2708	powershell.exe
2948	powershell.exe
2228	powershell.exe
2380	powershell.exe
1312	powershell.exe
1160	powershell.exe
928	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Executes dropped EXE 6 IoCs

pid	Process
2676	OSPPSVC.exe
1880	OSPPSVC.exe
2824	OSPPSVC.exe
1748	OSPPSVC.exe
2904	OSPPSVC.exe
1580	OSPPSVC.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXF41E.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\cc11b995f2a76d	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\Windows Sidebar\es-ES\winlogon.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXF40E.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCXF70D.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX432.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files\Windows Sidebar\es-ES\cc11b995f2a76d	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXEA08.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\winlogon.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX433.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\1610b97d3ab4a7	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXEA07.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCXF68F.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCXFB83.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\taskhost.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\Offline Web Pages\RCX85B.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\Offline Web Pages\csrss.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Windows\Branding\Basebrd\en-US\taskhost.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\twain_32\RCXEC8A.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Windows\Offline Web Pages\csrss.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Windows\Offline Web Pages\886983d96e3d3e	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\Offline Web Pages\RCX85C.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Windows\twain_32\taskhost.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Windows\twain_32\b75386f1303e64	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCXFB84.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Windows\CSC\v2.0.6\csrss.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\twain_32\RCXEC1C.tmp	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File created	C:\Windows\Branding\Basebrd\en-US\b75386f1303e64	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
File opened for modification	C:\Windows\twain_32\taskhost.exe	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
868	schtasks.exe
2916	schtasks.exe
2964	schtasks.exe
1776	schtasks.exe
952	schtasks.exe
1540	schtasks.exe
1504	schtasks.exe
1296	schtasks.exe
2948	schtasks.exe
1880	schtasks.exe
108	schtasks.exe
1636	schtasks.exe
760	schtasks.exe
1704	schtasks.exe
536	schtasks.exe
784	schtasks.exe
2992	schtasks.exe
1508	schtasks.exe
2284	schtasks.exe
496	schtasks.exe
2096	schtasks.exe
2136	schtasks.exe
2868	schtasks.exe
660	schtasks.exe
2036	schtasks.exe
2996	schtasks.exe
2276	schtasks.exe
1988	schtasks.exe
1372	schtasks.exe
2568	schtasks.exe
2604	schtasks.exe
2880	schtasks.exe
308	schtasks.exe
2468	schtasks.exe
1680	schtasks.exe
316	schtasks.exe
2400	schtasks.exe
2492	schtasks.exe
1144	schtasks.exe
2040	schtasks.exe
448	schtasks.exe
1772	schtasks.exe
2836	schtasks.exe
2892	schtasks.exe
2648	schtasks.exe
2688	schtasks.exe
3064	schtasks.exe
2320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
2236	powershell.exe
2468	powershell.exe
1312	powershell.exe
3004	powershell.exe
1444	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2676	OSPPSVC.exe
Token: SeDebugPrivilege	1880	OSPPSVC.exe
Token: SeDebugPrivilege	2824	OSPPSVC.exe
Token: SeDebugPrivilege	1748	OSPPSVC.exe
Token: SeDebugPrivilege	2904	OSPPSVC.exe
Token: SeDebugPrivilege	1580	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1312	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	80
PID 1488 wrote to memory of 1312	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	80
PID 1488 wrote to memory of 1312	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	80
PID 1488 wrote to memory of 2468	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	81
PID 1488 wrote to memory of 2468	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	81
PID 1488 wrote to memory of 2468	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	81
PID 1488 wrote to memory of 3004	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	82
PID 1488 wrote to memory of 3004	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	82
PID 1488 wrote to memory of 3004	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	82
PID 1488 wrote to memory of 1444	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	83
PID 1488 wrote to memory of 1444	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	83
PID 1488 wrote to memory of 1444	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	83
PID 1488 wrote to memory of 1160	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	84
PID 1488 wrote to memory of 1160	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	84
PID 1488 wrote to memory of 1160	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	84
PID 1488 wrote to memory of 2236	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	85
PID 1488 wrote to memory of 2236	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	85
PID 1488 wrote to memory of 2236	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	85
PID 1488 wrote to memory of 928	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	86
PID 1488 wrote to memory of 928	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	86
PID 1488 wrote to memory of 928	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	86
PID 1488 wrote to memory of 2708	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	87
PID 1488 wrote to memory of 2708	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	87
PID 1488 wrote to memory of 2708	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	87
PID 1488 wrote to memory of 2948	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	88
PID 1488 wrote to memory of 2948	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	88
PID 1488 wrote to memory of 2948	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	88
PID 1488 wrote to memory of 2424	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	89
PID 1488 wrote to memory of 2424	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	89
PID 1488 wrote to memory of 2424	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	89
PID 1488 wrote to memory of 2228	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	90
PID 1488 wrote to memory of 2228	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	90
PID 1488 wrote to memory of 2228	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	90
PID 1488 wrote to memory of 2380	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	91
PID 1488 wrote to memory of 2380	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	91
PID 1488 wrote to memory of 2380	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	91
PID 1488 wrote to memory of 2148	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	104
PID 1488 wrote to memory of 2148	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	104
PID 1488 wrote to memory of 2148	1488	95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe	104
PID 2148 wrote to memory of 2552	2148	cmd.exe	106
PID 2148 wrote to memory of 2552	2148	cmd.exe	106
PID 2148 wrote to memory of 2552	2148	cmd.exe	106
PID 2148 wrote to memory of 2676	2148	cmd.exe	107
PID 2148 wrote to memory of 2676	2148	cmd.exe	107
PID 2148 wrote to memory of 2676	2148	cmd.exe	107
PID 2676 wrote to memory of 1592	2676	OSPPSVC.exe	108
PID 2676 wrote to memory of 1592	2676	OSPPSVC.exe	108
PID 2676 wrote to memory of 1592	2676	OSPPSVC.exe	108
PID 2676 wrote to memory of 1032	2676	OSPPSVC.exe	109
PID 2676 wrote to memory of 1032	2676	OSPPSVC.exe	109
PID 2676 wrote to memory of 1032	2676	OSPPSVC.exe	109
PID 1592 wrote to memory of 1880	1592	WScript.exe	110
PID 1592 wrote to memory of 1880	1592	WScript.exe	110
PID 1592 wrote to memory of 1880	1592	WScript.exe	110
PID 1880 wrote to memory of 1868	1880	OSPPSVC.exe	111
PID 1880 wrote to memory of 1868	1880	OSPPSVC.exe	111
PID 1880 wrote to memory of 1868	1880	OSPPSVC.exe	111
PID 1880 wrote to memory of 1224	1880	OSPPSVC.exe	112
PID 1880 wrote to memory of 1224	1880	OSPPSVC.exe	112
PID 1880 wrote to memory of 1224	1880	OSPPSVC.exe	112
PID 1868 wrote to memory of 2824	1868	WScript.exe	113
PID 1868 wrote to memory of 2824	1868	WScript.exe	113
PID 1868 wrote to memory of 2824	1868	WScript.exe	113
PID 2824 wrote to memory of 1504	2824	OSPPSVC.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe
"C:\Users\Admin\AppData\Local\Temp\95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JpXqSaXt99.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2552
- - C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe
    "C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21ffd848-85d2-4659-8352-b90ad2378cc5.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ccd674d-5241-496e-91e2-8f0a699de7d3.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f1d0696-90e0-4209-b2cd-a74b5bbf55c6.vbs"
        8⤵
        
        PID:1504
        
        C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6eb5b20-47e3-4551-b8fb-fb061a2fdde6.vbs"
        10⤵
        
        PID:2644
        
        C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f5df1a5-dfb3-40cf-96a8-25d4b9401e70.vbs"
        12⤵
        
        PID:2208
        
        C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e885db5-1dbf-42eb-a8f1-f05e576b1525.vbs"
        14⤵
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a62ac3e6-2b31-4d67-aa49-594fb6c98ef8.vbs"
        14⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98a76d5f-b0ba-447a-9996-bc89535ed860.vbs"
        12⤵
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26b6f591-35ef-4c06-a165-004ad41df0ee.vbs"
        10⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4728b441-a18b-4814-9c10-d41dadcbbebc.vbs"
        8⤵
        
        PID:792
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\200952c6-01b6-4e12-8ecb-71250a742d6f.vbs"
        6⤵
        
        PID:1224
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb2c368b-a247-4775-913c-f8f17750b099.vbs"
      4⤵
      PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\twain_32\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\Basebrd\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\Basebrd\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\PrintHood\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe

Filesize
1.7MB

MD5
274dfd128512553bde18a7d5e63afcf1

SHA1
3579d08a2a108e03cda8a8439380896106e998d9

SHA256
95cfec29ef4f45d31e2da1126a9aea3b8e226f3ca480b9162a7c589fbd9d783e

SHA512
6466138438bb2168112b99302d8f65c316d62ad393e7c395fef916f6debfa5989d2a7673a3be46908a587b942f527fd44e9b24e86cd8826bac2ec2c44daa3f3a

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe

Filesize
1.7MB

MD5
8d9c14cee0c894e003ab565ac88c61d1

SHA1
d9cea02029ad650cfd0c5186b51765963bd498cd

SHA256
dd0e78a8195f1dea8dba2363257d7620914d087974bbb5675d17ec54c5e70647

SHA512
7a3108b6db650be7631ccea00f1298dd8b6d0fd9bf2f1745636bfe15110844694db147aa481d0be9269bec016cdcb93c17106688395a491165580d871ce79ea3

Download Submit
C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe

Filesize
1.7MB

MD5
71cf8d606c066e5d43f2bb53c2d22540

SHA1
5e8c5e1efd7142f1a28e64d4736eea679eccd538

SHA256
14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32

SHA512
9688ecad23e7bc7f95df762ff4f140b37cacd31968d244c4db8daf8a1738e5f1811e4d1df63802b4889439dee5c5999f6853864df4010c82300ac1bc09b575e0

Download Submit
C:\Program Files\Windows Sidebar\es-ES\RCXF70D.tmp

Filesize
1.7MB

MD5
8a35c7ccf4a3e7c2d9d8f943e8d0a627

SHA1
c3373be42a443d105e461e2650edeb6b476fbc9a

SHA256
bfe3bce1f2b386586862576fd2c33e4eda16aa9c54eff31052fd0a1a151b0e04

SHA512
b0204df78f50e1eb4128e6ea41691b051b90bc475a0ce0242548edc40707472aea8a88b255a8ad0938521fecf3b7e4e66dfc16df236e54b3e413ebfd4590d956

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\RCX656.tmp

Filesize
1.7MB

MD5
74d1cda60a22a8780b0380f242274761

SHA1
ef5932259de48e85c56aa5671741144c7b809bdb

SHA256
3ecefec1a3981e2bc7f4bc2c05523d8d7aef6610b7cdc7f3c3171ddb0e51445e

SHA512
e0a250c8010f6b9bfddf048c048927c04db156745fa22ebf93b2b1004eba6f325e7ed07ab60ff72cc23430f647947546bc30d7f6116d5da79109e8d7d90b0353

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe

Filesize
1.7MB

MD5
d952eb3d664549c90e965993a784b2b2

SHA1
c1d679f9f53e9177d62611c3538c452c0e0d7be4

SHA256
ffaa10f5f9e54400128342e76164a2bd4151c58fcb094425340ffbf98e8562d9

SHA512
b4b2d09fcf12151002a6b22ff3bc43741eefc313c2b3f9632c8ee3952c8d3445084afb67200cfebd55f623984f826490ef271428cf476be31d5f2a7d24ab0792

Download Submit
C:\Users\Admin\AppData\Local\Temp\21ffd848-85d2-4659-8352-b90ad2378cc5.vbs

Filesize
729B

MD5
d9e33db4afd1f9c7982179d78f94d8d7

SHA1
2fdb462c4e4560bde81544a3c594c21cf338b47b

SHA256
a2fd488cd389f624bee583bcbc33ecd164f12f8e7388b313324a9e27b52e3fcd

SHA512
662600814e85898a9e2c3b5850fa05962c39c5f9bc29fbdf19e7dddc7f82737d865c15e59ecd4ab45277a3b5ea9f4220e841dff19f2081e038da19a515f35a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e885db5-1dbf-42eb-a8f1-f05e576b1525.vbs

Filesize
729B

MD5
5b69156783a94661e7b085def01c9b25

SHA1
3c163ceb7d8e29e66176ceae007d3fb9eb52a77f

SHA256
194688648a20c54f7e0c4b6e94c5a78a80a68e40f4f24555d29f1624e0d164cf

SHA512
9f95d8af91395d72f517f11dba7904a1261505e1b451431d2e3da7da35ff28cd5dfb00b5d43c9712558b3277f756fac414b6da46739584703bee2b1dd8d9b0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f5df1a5-dfb3-40cf-96a8-25d4b9401e70.vbs

Filesize
729B

MD5
54bea63644a413552c7545aca7dfd05a

SHA1
0252b7fe48096a127fe5d004aa222858ed1a9b30

SHA256
523fcf9bc8ef79bee2b9819610c8e0f93ae1a91ec3d38d558fb3c63999051bdb

SHA512
521e7ac04f5d091049a8ed699c0477c461fa2b5bf1910ff6b9f47afc24c62d7b44ecb1e72375a14074fbd69cc13efab6c436ac69288b35ef6342a44d50b45a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ccd674d-5241-496e-91e2-8f0a699de7d3.vbs

Filesize
729B

MD5
317149b491f300c78e6631a5c2ce13b1

SHA1
d87ef7fc290eac389aec64fc0c63b03a98e1741f

SHA256
6cf7ce520a72cf1752b9c2e2b71835ab91d451a1370da76322e16e294de75931

SHA512
cb0c6dbca40c991999a1e0844d50b12c28dc707915baebc1e0e0b02c63fe972f26337b68ddac2552664c4f44bacdf67791f0b3ad5b59757494fc38734483f7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f1d0696-90e0-4209-b2cd-a74b5bbf55c6.vbs

Filesize
729B

MD5
c6b0ac590f1f25bc235ad0a349a0f790

SHA1
38251f2d5aaa824434f2fbb93dbb92d46a7c7edd

SHA256
69726b1553c9acfb8cc65ef856e1cab33a7a05c3fd6016b165960a439a4301f1

SHA512
b1814beec8e240db216f4a3e2d300733100e9cfb850cf50a7ccf59927c083261541d7478e81a0cd7a5a8c3de047f1c1e0de93ae66b6c3486d4a1f0a626fcde7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JpXqSaXt99.bat

Filesize
218B

MD5
605424921642dff8612a9578bbc6bc70

SHA1
bcfce42be315b280306e8419e782e95ba2d62fad

SHA256
ac753408af06cc10f293c9ba4d9f5f3693e217a5acb14394641d83a4ee5a05ce

SHA512
782c602f17931e93e07eccf9834ceed9dff7c2ac878ee6ead768bd077d05df30cfa154e09b1c144662cab66aa3519fa793b235faf2e383d3e79eb329bcfbc2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6eb5b20-47e3-4551-b8fb-fb061a2fdde6.vbs

Filesize
729B

MD5
bb29cd2d6f2189dfd31bfeeeb6ce2bdb

SHA1
a9cfd2e261cfa35b8b37de72c3db3806f7a5e4d2

SHA256
493126f844575fe51330d06a41eac8beacf9d2e7f587817dd1fad8fc0607eaad

SHA512
75a85b8de02e08df09a2c521380043c39f0ac755aecbe04e673dce43efd42239687a40b5b31d2c884ff5ad09d99ab9514c640d0056fdeddd1661ee50745883b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb2c368b-a247-4775-913c-f8f17750b099.vbs

Filesize
505B

MD5
88054836a5dded27a98fa01dc14213b9

SHA1
004817858ca9fcf025f3b568fe0f53b1eca1c12d

SHA256
fa490ade02b1c1d758ddd7ab76f3f6f51f000b4a321afcb8165c9c81ee185741

SHA512
f1677894000da132bd0a47ff03001418f529a472e7902110c14dccc79a61106279f276900ccf2be8e9b201a604170399ec0240aa171a25a91e0fe2dc1123cfee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c0fd543b387309cf2bd505d6fbb34b9

SHA1
0b3ded0e72be7fbf8676a68f0b9486c784e50153

SHA256
1011cf6d4a1192bc8aa05a880aaacfaf90f08f7be5e6572fb109afde28d14886

SHA512
0f10acd03a71b45ca4f172f2f93d89d6216a76f81c42fb6f0251c18c31f3c4bc34e0d50db76a4118fdd9f7e1d1a93ec8f132d7332588b34d36e66d6e798489c2

Download Submit
C:\Windows\twain_32\taskhost.exe

Filesize
1.7MB

MD5
83674843b57162b4184aec054d3f1d2e

SHA1
57a401a968e1febb7f2bc43f3777c0a67f77a51c

SHA256
e8e3ab98b43ca6820e74c24b0fdf162ea05313636e41983e34de6eb5f0bc731b

SHA512
311c2411d44be9907cb8970eb2bd5b52eb8364265ced29637ac0e7a43e59e4881388b3cc302cbe5f14eed2311e7b1bce5f4f7b002aa33f0e863b59be9c945029

Download Submit
memory/1488-12-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/1488-7-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/1488-17-0x00000000023B0000-0x00000000023BC000-memory.dmp

Filesize
48KB

Download
memory/1488-15-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/1488-16-0x00000000023A0000-0x00000000023AC000-memory.dmp

Filesize
48KB

Download
memory/1488-13-0x0000000002210000-0x000000000221A000-memory.dmp

Filesize
40KB

Download
memory/1488-14-0x0000000002220000-0x000000000222E000-memory.dmp

Filesize
56KB

Download
memory/1488-158-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

Filesize
4KB

Download
memory/1488-182-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1488-207-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1488-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

Filesize
4KB

Download
memory/1488-248-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1488-11-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1488-1-0x0000000000090000-0x0000000000250000-memory.dmp

Filesize
1.8MB

Download
memory/1488-2-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1488-9-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/1488-8-0x0000000000870000-0x000000000087C000-memory.dmp

Filesize
48KB

Download
memory/1488-3-0x0000000000820000-0x000000000083C000-memory.dmp

Filesize
112KB

Download
memory/1488-6-0x0000000000840000-0x0000000000856000-memory.dmp

Filesize
88KB

Download
memory/1488-18-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1488-4-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1488-5-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/1880-325-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/1880-324-0x0000000001180000-0x0000000001340000-memory.dmp

Filesize
1.8MB

Download
memory/2236-263-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2236-269-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2676-313-0x00000000009F0000-0x0000000000BB0000-memory.dmp

Filesize
1.8MB

Download
memory/2824-337-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download