dcrat | 2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
Size

1.7MB
MD5

b2b9f784a9e98c98a8ddd644eb168fa6
SHA1

9e8c68675777a2718322ae626a5187d95e9d5210
SHA256

2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c
SHA512

d17d6ab45e162319bd30511019f7befa54e8aa245497d7bbc868043f851fbddbc5fb4aeb20f93aadc3e690c4a6b301ff763055513e5eed6e78f087610360f681
SSDEEP

49152:/+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvD:STHUxUoh1IF9gl2M

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2380	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2380	schtasks.exe	83

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3492-1-0x0000000000E10000-0x0000000000FD0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b8c-30.dat	dcrat
behavioral2/files/0x000c000000023b9e-65.dat	dcrat
behavioral2/files/0x000c000000023b80-74.dat	dcrat
behavioral2/files/0x000300000001e767-87.dat	dcrat
behavioral2/files/0x000d000000023b9f-110.dat	dcrat
behavioral2/files/0x000c000000023b8f-121.dat	dcrat
behavioral2/files/0x000c000000023ba0-144.dat	dcrat
behavioral2/memory/1500-309-0x0000000000F20000-0x00000000010E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3380	powershell.exe
372	powershell.exe
2308	powershell.exe
2796	powershell.exe
1316	powershell.exe
1428	powershell.exe
4712	powershell.exe
516	powershell.exe
4308	powershell.exe
4304	powershell.exe
4300	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 11 IoCs

pid	Process
1500	RuntimeBroker.exe
1440	RuntimeBroker.exe
4400	RuntimeBroker.exe
2192	RuntimeBroker.exe
2156	RuntimeBroker.exe
4728	RuntimeBroker.exe
1088	RuntimeBroker.exe
3772	RuntimeBroker.exe
2084	RuntimeBroker.exe
4688	RuntimeBroker.exe
5104	RuntimeBroker.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\e1ef82546f0b02	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX76B9.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\f3b6ecef712a24	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Google\SppExtComObj.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\smss.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Google\RCX8985.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Google\RCX8A03.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX7DD3.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Windows NT\69ddcba757bf72	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX7699.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX7BCE.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX7E51.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Google\SppExtComObj.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Microsoft.NET\38384e6a620884	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\29c1c3cc0f7685	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Windows NT\smss.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX7B50.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX8056.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX8057.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Microsoft.NET\SearchApp.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\SearchApp.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\RuntimeBroker.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\ja-JP\wininit.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\ja-JP\RCX78DD.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\ja-JP\RCX794C.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\ja-JP\wininit.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\Globalization\RCX826B.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\ja-JP\56085415360792	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\Globalization\RuntimeBroker.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\Globalization\9e8d7a4ca61bd9	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\Globalization\RCX82D9.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3428	schtasks.exe
3016	schtasks.exe
3916	schtasks.exe
1204	schtasks.exe
4348	schtasks.exe
2032	schtasks.exe
2996	schtasks.exe
4012	schtasks.exe
4616	schtasks.exe
1184	schtasks.exe
2092	schtasks.exe
712	schtasks.exe
2320	schtasks.exe
2572	schtasks.exe
1984	schtasks.exe
4132	schtasks.exe
2212	schtasks.exe
832	schtasks.exe
2500	schtasks.exe
1832	schtasks.exe
4480	schtasks.exe
2072	schtasks.exe
3832	schtasks.exe
2956	schtasks.exe
5076	schtasks.exe
2868	schtasks.exe
1960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
1316	powershell.exe
1316	powershell.exe
2796	powershell.exe
2796	powershell.exe
1428	powershell.exe
1428	powershell.exe
4304	powershell.exe
4304	powershell.exe
372	powershell.exe
372	powershell.exe
516	powershell.exe
516	powershell.exe
4308	powershell.exe
4308	powershell.exe
2308	powershell.exe
2308	powershell.exe
4712	powershell.exe
4712	powershell.exe
4300	powershell.exe
4300	powershell.exe
3380	powershell.exe
3380	powershell.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2796	powershell.exe
4304	powershell.exe
1428	powershell.exe
4308	powershell.exe
1316	powershell.exe
372	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	1500	RuntimeBroker.exe
Token: SeDebugPrivilege	1440	RuntimeBroker.exe
Token: SeDebugPrivilege	4400	RuntimeBroker.exe
Token: SeDebugPrivilege	2192	RuntimeBroker.exe
Token: SeDebugPrivilege	2156	RuntimeBroker.exe
Token: SeDebugPrivilege	4728	RuntimeBroker.exe
Token: SeDebugPrivilege	1088	RuntimeBroker.exe
Token: SeDebugPrivilege	3772	RuntimeBroker.exe
Token: SeDebugPrivilege	2084	RuntimeBroker.exe
Token: SeDebugPrivilege	4688	RuntimeBroker.exe
Token: SeDebugPrivilege	5104	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 1316	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	117
PID 3492 wrote to memory of 1316	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	117
PID 3492 wrote to memory of 1428	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	118
PID 3492 wrote to memory of 1428	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	118
PID 3492 wrote to memory of 4300	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	119
PID 3492 wrote to memory of 4300	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	119
PID 3492 wrote to memory of 4304	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	120
PID 3492 wrote to memory of 4304	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	120
PID 3492 wrote to memory of 4308	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	121
PID 3492 wrote to memory of 4308	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	121
PID 3492 wrote to memory of 516	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	122
PID 3492 wrote to memory of 516	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	122
PID 3492 wrote to memory of 2796	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	123
PID 3492 wrote to memory of 2796	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	123
PID 3492 wrote to memory of 2308	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	124
PID 3492 wrote to memory of 2308	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	124
PID 3492 wrote to memory of 4712	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	125
PID 3492 wrote to memory of 4712	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	125
PID 3492 wrote to memory of 372	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	126
PID 3492 wrote to memory of 372	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	126
PID 3492 wrote to memory of 3380	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	127
PID 3492 wrote to memory of 3380	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	127
PID 3492 wrote to memory of 1500	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	139
PID 3492 wrote to memory of 1500	3492	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	139
PID 1500 wrote to memory of 3712	1500	RuntimeBroker.exe	143
PID 1500 wrote to memory of 3712	1500	RuntimeBroker.exe	143
PID 1500 wrote to memory of 4404	1500	RuntimeBroker.exe	144
PID 1500 wrote to memory of 4404	1500	RuntimeBroker.exe	144
PID 3712 wrote to memory of 1440	3712	WScript.exe	149
PID 3712 wrote to memory of 1440	3712	WScript.exe	149
PID 1440 wrote to memory of 5068	1440	RuntimeBroker.exe	151
PID 1440 wrote to memory of 5068	1440	RuntimeBroker.exe	151
PID 1440 wrote to memory of 3276	1440	RuntimeBroker.exe	152
PID 1440 wrote to memory of 3276	1440	RuntimeBroker.exe	152
PID 5068 wrote to memory of 4400	5068	WScript.exe	156
PID 5068 wrote to memory of 4400	5068	WScript.exe	156
PID 4400 wrote to memory of 4344	4400	RuntimeBroker.exe	158
PID 4400 wrote to memory of 4344	4400	RuntimeBroker.exe	158
PID 4400 wrote to memory of 1756	4400	RuntimeBroker.exe	159
PID 4400 wrote to memory of 1756	4400	RuntimeBroker.exe	159
PID 4344 wrote to memory of 2192	4344	WScript.exe	160
PID 4344 wrote to memory of 2192	4344	WScript.exe	160
PID 2192 wrote to memory of 4776	2192	RuntimeBroker.exe	162
PID 2192 wrote to memory of 4776	2192	RuntimeBroker.exe	162
PID 2192 wrote to memory of 4372	2192	RuntimeBroker.exe	163
PID 2192 wrote to memory of 4372	2192	RuntimeBroker.exe	163
PID 4776 wrote to memory of 2156	4776	WScript.exe	164
PID 4776 wrote to memory of 2156	4776	WScript.exe	164
PID 2156 wrote to memory of 1320	2156	RuntimeBroker.exe	166
PID 2156 wrote to memory of 1320	2156	RuntimeBroker.exe	166
PID 2156 wrote to memory of 2540	2156	RuntimeBroker.exe	167
PID 2156 wrote to memory of 2540	2156	RuntimeBroker.exe	167
PID 1320 wrote to memory of 4728	1320	WScript.exe	169
PID 1320 wrote to memory of 4728	1320	WScript.exe	169
PID 4728 wrote to memory of 1540	4728	RuntimeBroker.exe	171
PID 4728 wrote to memory of 1540	4728	RuntimeBroker.exe	171
PID 4728 wrote to memory of 4584	4728	RuntimeBroker.exe	172
PID 4728 wrote to memory of 4584	4728	RuntimeBroker.exe	172
PID 1540 wrote to memory of 1088	1540	WScript.exe	174
PID 1540 wrote to memory of 1088	1540	WScript.exe	174
PID 1088 wrote to memory of 4712	1088	RuntimeBroker.exe	176
PID 1088 wrote to memory of 4712	1088	RuntimeBroker.exe	176
PID 1088 wrote to memory of 2076	1088	RuntimeBroker.exe	177
PID 1088 wrote to memory of 2076	1088	RuntimeBroker.exe	177

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
"C:\Users\Admin\AppData\Local\Temp\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3380
- C:\Windows\Globalization\RuntimeBroker.exe
  "C:\Windows\Globalization\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aee78339-bc97-4fe0-a8c4-615934e2cd1e.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\Globalization\RuntimeBroker.exe
      C:\Windows\Globalization\RuntimeBroker.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae216bb5-db9c-497b-989a-767d385960eb.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\Globalization\RuntimeBroker.exe
        
        C:\Windows\Globalization\RuntimeBroker.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9d8ee73-b5d2-4d55-8177-1bf03428cfad.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\Globalization\RuntimeBroker.exe
        
        C:\Windows\Globalization\RuntimeBroker.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6c6759a-519e-4f43-9788-4250d08653f6.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\Globalization\RuntimeBroker.exe
        
        C:\Windows\Globalization\RuntimeBroker.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\582322b7-add9-43ed-942f-e5492dc3d0ca.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\Globalization\RuntimeBroker.exe
        
        C:\Windows\Globalization\RuntimeBroker.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98520568-d11a-4cea-9f07-e6f4172bb031.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\Globalization\RuntimeBroker.exe
        
        C:\Windows\Globalization\RuntimeBroker.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97925ff0-ae67-4e64-badb-bc28f255a011.vbs"
        15⤵
        
        PID:4712
        
        C:\Windows\Globalization\RuntimeBroker.exe
        
        C:\Windows\Globalization\RuntimeBroker.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b9c736a-253d-481c-91bb-980553bb4a22.vbs"
        17⤵
        
        PID:3112
        
        C:\Windows\Globalization\RuntimeBroker.exe
        
        C:\Windows\Globalization\RuntimeBroker.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f1f779c-9b86-43ce-896c-d7153dde3d77.vbs"
        19⤵
        
        PID:4512
        
        C:\Windows\Globalization\RuntimeBroker.exe
        
        C:\Windows\Globalization\RuntimeBroker.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2108f5ef-9e98-4dc6-9ca7-2dbf69b10c82.vbs"
        21⤵
        
        PID:4076
        
        C:\Windows\Globalization\RuntimeBroker.exe
        
        C:\Windows\Globalization\RuntimeBroker.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2638aa7f-a0c7-4ec1-bec1-3bada1c7d8e1.vbs"
        23⤵
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b146dece-79f7-4bf7-80f3-dc597b22d475.vbs"
        23⤵
        
        PID:3332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a874a977-b5e0-4ad0-b406-b1ad4146d325.vbs"
        21⤵
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\242b705d-3a54-4492-b417-4785a353a1fd.vbs"
        19⤵
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\672fcad6-a2cc-4e96-b8ec-408ae39777da.vbs"
        17⤵
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb7e1ee3-8bdd-438f-af71-6be3da566512.vbs"
        15⤵
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff6dd5da-8ac7-435b-b145-2a9b161af885.vbs"
        13⤵
        
        PID:4584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2c422ea-0d39-451d-852e-4995af6d81a2.vbs"
        11⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27b7eb0a-3716-47f4-a4a8-08a88b1fe607.vbs"
        9⤵
        
        PID:4372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b74e7f6-8505-40e1-9274-323062b8124f.vbs"
        7⤵
        
        PID:1756
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc5073c0-ac68-47e7-bc4d-dca5bc2aa505.vbs"
        5⤵
        
        PID:3276
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3533e02c-4be8-44f8-b3cd-a4e13d82a968.vbs"
    3⤵
    PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Globalization\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Downloads\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Downloads\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\SppExtComObj.exe

Filesize
1.7MB

MD5
77224c31695734421ba46801f6c6e3ad

SHA1
56df6bf9e58d74ef2982e0ce3ae671c29da56b73

SHA256
404abfaa63e382f797374063b49000d0fea4cbd5266b8dfdb18e3929ff1f555a

SHA512
2b351b0304b6c063bd6caccad14c9dedf719844cf59b9e9dcb806f302e45311b86fa88a5191d0cec950c1805470f809d6ab5ce07800e83e3bd44b68b534d0c82

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe

Filesize
1.7MB

MD5
14cbb389cba26b3fbe5421a2cba156f5

SHA1
a2d3a80503074fbb01490c60c51ead8ca75fdbe4

SHA256
22e6ff9c7064d2169763c8f5d109ad6e467829723136df0611c1d3a634a5a241

SHA512
886584a0a1479d3dc6f66a9c047b1643312f3b4769ebb232cf15071529ee23e3e367b241051bb733cdff92b3db9a8ce12946ab19158467f3e7a87344a48fa94a

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe

Filesize
1.7MB

MD5
b2b9f784a9e98c98a8ddd644eb168fa6

SHA1
9e8c68675777a2718322ae626a5187d95e9d5210

SHA256
2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c

SHA512
d17d6ab45e162319bd30511019f7befa54e8aa245497d7bbc868043f851fbddbc5fb4aeb20f93aadc3e690c4a6b301ff763055513e5eed6e78f087610360f681

Download Submit
C:\Program Files (x86)\Windows NT\smss.exe

Filesize
1.7MB

MD5
d3c41c0a8238b23ad9366fe5568c8a0c

SHA1
55a2ccf9a688c03245fe6585fc31a81d23f05a84

SHA256
ce63915f6eb202ee9b9c63010738982832c52c95ec4418ea53bf4be56804d279

SHA512
120119d91d1d2f22d769e81a73632f9071c4f4b91aaec7496bd096712ee4162302f30cebe368d91c18bfd9a73cf8e480f19925cd8cb09f5200fd538959fa83ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\2108f5ef-9e98-4dc6-9ca7-2dbf69b10c82.vbs

Filesize
718B

MD5
4bc089ed4da5f9bd9308ef034d085aee

SHA1
c5ff18c05ae2a57e8b76f650492d6c6ccd01adae

SHA256
dda91417e0b905fae8b57a491506d47cc787e652b2a11d84174494bbc361f842

SHA512
3d16f6f831b99b1e50dde3f0fb271ad7f0dbebf690154e17ba528618c695e2229b72a5f685d62edf5bfb94438862b524a9adee269a3d3b96f7457a3b972fcc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2638aa7f-a0c7-4ec1-bec1-3bada1c7d8e1.vbs

Filesize
718B

MD5
b53f57cedd33b52ef48288d2a06cf80d

SHA1
971071447427ed45ea265ce5e349b2dd33011217

SHA256
85173665120d80f1561657d53c2cfe9ad4ef23d470f39c7ea672b429567b0919

SHA512
62cb00339c1fb2a2780f64a9c08067b21fe3e97ffd95670971567e4b5ddef462cd10610e95e016cd1610609f8b91f9f19d977ec38ed344b0b58126c5c5a387eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b9c736a-253d-481c-91bb-980553bb4a22.vbs

Filesize
718B

MD5
9bb9987921da55872db89ea5efddc280

SHA1
c36928fc5842322bf7aaa12b47b748c1d3a14f17

SHA256
1bbfbce80342611f16cba72fdeb97ecd21e039aca95ba3e234fb6d573faf5073

SHA512
5c75811872a5f7ab7d51d6b2b29410a52b0830f9f1a31f35cc9249bde436d81baaaadf690c8b7b0e45b7f6be8734cbb7c73e4d8914ac6a7ee6999110681da2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3533e02c-4be8-44f8-b3cd-a4e13d82a968.vbs

Filesize
494B

MD5
248ffbcc4611ddaa318e8d2b2a890a05

SHA1
621504193c976ae1cef37559b289cbaedf899225

SHA256
e4453d50f76075a7324d46e1f58f22faa24452da65d12342175b9d5faee99975

SHA512
5c9489ec30874c15cd6dc351568ff1bdcc66a996203953ba9726edf6022cf99f14ef56eef9fd3456c9e6f3c0d71589fbfdd1888895dfd8650485561b96eb2b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\582322b7-add9-43ed-942f-e5492dc3d0ca.vbs

Filesize
718B

MD5
715fd64625c14017dd64a2ef69c18f59

SHA1
47c5d99270f7ae8e16d1b0215ff1d91a854079fd

SHA256
82aa108505e5361fc6de2a577e45a437b093be0a5b1dcd64379ec1c15a1d1516

SHA512
c368e2c032f5a6cd2f7a29fcd0a6e24073e65a0da7caf53a9e6af86ac430f281ead760475a868a96b09f1435e39bf33d35f8109c5e875d59b1a03d7011b074d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f1f779c-9b86-43ce-896c-d7153dde3d77.vbs

Filesize
718B

MD5
a13a674996220b21c4e685f38837f350

SHA1
18818f118f44bc18c913341112b17da922d16648

SHA256
2ab4c7f656c48de5342236481c9077fcc94c614e2c17afae9fad3070ac60921c

SHA512
d50390a35c1cca823e8ee8229b617b350f12a19ad46373f7b1de811a717b206d56845f1b275fa88fb2123ff9e28287dfc80ad7705b8220e32cd56ff18e2a30d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\97925ff0-ae67-4e64-badb-bc28f255a011.vbs

Filesize
718B

MD5
f26821d0e66d4f5f2b63559887c70028

SHA1
f5b6902d6d3525c81dd5692cbaa8af1fc7c05968

SHA256
d370bdc29febebd115082fdc17d851364bd2c3991d065989190f9e7698c2360c

SHA512
b46aa64015399e3afdda3b35f5d2b06d9dd4037ce04d0e93d43b47001954d63b4a7063f21981efa8683b6b1cbe855c0fabab6401009c06c8abae88c8b5e9cf18

Download Submit
C:\Users\Admin\AppData\Local\Temp\98520568-d11a-4cea-9f07-e6f4172bb031.vbs

Filesize
718B

MD5
ddfbb2364a516201c0f761c2a69c7259

SHA1
9895328dc2973adbb471fa37e4e81f0fc2b3b4ef

SHA256
d6d9812523b96c074363a8572cdda153aa65fabee3a288cca21c8954d9ba9d6a

SHA512
9b8144a0ba2d31847d19c34b33eb33c985810af80db775c33ac183f00fbdaf4a55c91f1d9df77391d37070e58a510699625ce2c37f9c83779f21ce637b65328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lrtzjeao.3oh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae216bb5-db9c-497b-989a-767d385960eb.vbs

Filesize
718B

MD5
9919424482e10537cd07f7a6e427ca6d

SHA1
16e356072217c7609d14deb966b4b8552fa9a342

SHA256
c2df62babdc11d9ab2f937718157bd2d107b22e1809194c9dfe14da7469bf5e6

SHA512
b500aff48cb29057e1bfc16eebd27d953a6f13fb50d36a1daa6b9559ad3690a9861520090ab650fd5c8a146b991ce8c67fde5055f4c6cec06e02ee189f83c5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aee78339-bc97-4fe0-a8c4-615934e2cd1e.vbs

Filesize
718B

MD5
6a5333c80707f88524ebd37e08a86a7e

SHA1
f1485d9637404e340586e33a14563a6cf009a438

SHA256
f797df9fd952fff39fc955239e4c2dfc9055181e629abcef933d37578828f105

SHA512
b5ffc180a519e62a4fa23c9a13c4c0b6d69eb5b39fe149fb2500ab79bd0b7813d198ab581cff925bfd6fba424a02d4c0b8dc968997519dc99ea944672b31e6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9d8ee73-b5d2-4d55-8177-1bf03428cfad.vbs

Filesize
718B

MD5
ceb10bab98c5f52e8de3cfb79c3dc748

SHA1
bc9ade636350b1bfa82022549b3ea2c2584a1e7a

SHA256
c3b4b31203311de47a5f2127162a04a36826d37903230edb1910f6505b37e1c1

SHA512
2a1f76615dde136f57055b0bb79fafc7014b9951d3e0126d432af85f2cfdc3bd5e58ff4ad81b487414496c12882d6c1b88204d642330c9f8ee7845d07b4211bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c6759a-519e-4f43-9788-4250d08653f6.vbs

Filesize
718B

MD5
3d84c92884d83888d1daa5d1b7dcee61

SHA1
5417d7458f6402675b6de9202baa63340de1e4b8

SHA256
dd88aaabdc8d51a8eadad17a9e2ae01e8e91e273ba557da3ea470a79ade4c7ca

SHA512
989cb3679a7e4728c8c285bc5a0333c4ff36cd68ffefcffe87658e191138ddcd0c9fe72e2be79cf4067abd9c331874ea7fe4769c39aad37fea6839aa0286382c

Download Submit
C:\Users\Default\Downloads\SearchApp.exe

Filesize
1.7MB

MD5
1e09d4b95c967286121ff10664c3aee0

SHA1
621930a89bf09629c64644cc14b9168592d668de

SHA256
51100db507c0690d91cc3982965a3af3efef6629a5de6b9919047fc6c7efae71

SHA512
5a220565026d4b6aca51f62018b527a1652abe15d2f0b3bc1c907f6f3bca8807413f05df233ca1d5526ed1dd555d994bb63ebd80081e901908d120650de554ac

Download Submit
C:\Windows\Globalization\RuntimeBroker.exe

Filesize
1.7MB

MD5
3c01424a294ac656ac57351723b8115b

SHA1
fa6bcb9f27eee243dc5ab0780020b466a160a72e

SHA256
75f5539b4f82aaddc7e4ce7bb5d36443486c9a2fdf13c3ea10fee3a40902f75e

SHA512
fbd7c8ee18de72e98086e4a4e23be0f9d8170080d6985a70275e1ccaa9832fe265c11decce5ade9bf36ebd56537596d64eadca97e828eba30335a2184bc2844c

Download Submit
C:\Windows\ja-JP\wininit.exe

Filesize
1.7MB

MD5
fdc5d186de83b06bf4c1e314c980ab84

SHA1
25baedd30d7e41f58d0919a361e58325bccaed94

SHA256
268a74e13a11c721899c55989290bc4e2b4f9ad78c09860460173a60e0c30ef8

SHA512
014db66403e46ae25ea94718b60281add0821cb81ad195ade106bb36dd1ed9fe71fc190172628b6ab147f24458274409120d9f5882bd631d57412b5388936d4c

Download Submit
memory/1088-413-0x000000001D860000-0x000000001D962000-memory.dmp

Filesize
1.0MB

Download
memory/1500-309-0x0000000000F20000-0x00000000010E0000-memory.dmp

Filesize
1.8MB

Download
memory/2084-437-0x000000001CF20000-0x000000001D022000-memory.dmp

Filesize
1.0MB

Download
memory/2156-379-0x000000001C7F0000-0x000000001C802000-memory.dmp

Filesize
72KB

Download
memory/2796-206-0x0000022F7CC80000-0x0000022F7CCA2000-memory.dmp

Filesize
136KB

Download
memory/3492-10-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

Filesize
32KB

Download
memory/3492-8-0x000000001C240000-0x000000001C250000-memory.dmp

Filesize
64KB

Download
memory/3492-0-0x00007FFCBD1D3000-0x00007FFCBD1D5000-memory.dmp

Filesize
8KB

Download
memory/3492-147-0x00007FFCBD1D3000-0x00007FFCBD1D5000-memory.dmp

Filesize
8KB

Download
memory/3492-23-0x00007FFCBD1D0000-0x00007FFCBDC91000-memory.dmp

Filesize
10.8MB

Download
memory/3492-22-0x00007FFCBD1D0000-0x00007FFCBDC91000-memory.dmp

Filesize
10.8MB

Download
memory/3492-19-0x000000001C420000-0x000000001C42C000-memory.dmp

Filesize
48KB

Download
memory/3492-17-0x000000001C400000-0x000000001C408000-memory.dmp

Filesize
32KB

Download
memory/3492-18-0x000000001C410000-0x000000001C41C000-memory.dmp

Filesize
48KB

Download
memory/3492-16-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/3492-15-0x000000001C570000-0x000000001C57A000-memory.dmp

Filesize
40KB

Download
memory/3492-14-0x000000001C2F0000-0x000000001C2FC000-memory.dmp

Filesize
48KB

Download
memory/3492-1-0x0000000000E10000-0x0000000000FD0000-memory.dmp

Filesize
1.8MB

Download
memory/3492-13-0x000000001C820000-0x000000001CD48000-memory.dmp

Filesize
5.2MB

Download
memory/3492-7-0x000000001C220000-0x000000001C236000-memory.dmp

Filesize
88KB

Download
memory/3492-9-0x000000001C250000-0x000000001C25C000-memory.dmp

Filesize
48KB

Download
memory/3492-12-0x000000001C2C0000-0x000000001C2D2000-memory.dmp

Filesize
72KB

Download
memory/3492-5-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

Filesize
32KB

Download
memory/3492-310-0x00007FFCBD1D0000-0x00007FFCBDC91000-memory.dmp

Filesize
10.8MB

Download
memory/3492-297-0x00007FFCBD1D0000-0x00007FFCBDC91000-memory.dmp

Filesize
10.8MB

Download
memory/3492-6-0x000000001C210000-0x000000001C220000-memory.dmp

Filesize
64KB

Download
memory/3492-2-0x00007FFCBD1D0000-0x00007FFCBDC91000-memory.dmp

Filesize
10.8MB

Download
memory/3492-4-0x000000001C260000-0x000000001C2B0000-memory.dmp

Filesize
320KB

Download
memory/3492-3-0x0000000003160000-0x000000000317C000-memory.dmp

Filesize
112KB

Download
memory/3772-425-0x000000001E120000-0x000000001E222000-memory.dmp

Filesize
1.0MB

Download
memory/4688-450-0x000000001DAD0000-0x000000001DBD2000-memory.dmp

Filesize
1.0MB

Download
memory/4688-449-0x000000001DAD0000-0x000000001DBD2000-memory.dmp

Filesize
1.0MB

Download
memory/4728-391-0x000000001D540000-0x000000001D552000-memory.dmp

Filesize
72KB

Download