dcrat | 65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53

Analysis

max time kernel
120s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Size

1.7MB
MD5

f1c7ba434142190a707f597065fda0fc
SHA1

1c2991037471e1247910ca32f4435309bf7ff7fd
SHA256

65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53
SHA512

9aed1b32c9d40149f41afbf88dd9757f52a52d26889b89d47defca85ea39a25c675d0a31c092657c8cfd8473f1130c8323efa9091c00eec4d733f7e29e1743eb
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv0:OTHUxUoh1IF9gl23

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	4688	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4688	schtasks.exe	83

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3440-1-0x00000000002F0000-0x00000000004B0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023caf-30.dat	dcrat
behavioral2/files/0x000400000001e767-99.dat	dcrat
behavioral2/files/0x0009000000023cb6-156.dat	dcrat
behavioral2/files/0x000a000000023cbd-179.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1908	powershell.exe
5036	powershell.exe
456	powershell.exe
3500	powershell.exe
2364	powershell.exe
852	powershell.exe
1888	powershell.exe
2996	powershell.exe
4584	powershell.exe
1652	powershell.exe
3612	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 8 IoCs

pid	Process
3228	sysmon.exe
2708	sysmon.exe
3596	sysmon.exe
2112	sysmon.exe
3056	sysmon.exe
4980	sysmon.exe
4316	sysmon.exe
4372	sysmon.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXD65F.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXC40F.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXCCC3.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Media Player\TextInputHost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Crashpad\attachments\69ddcba757bf72	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\9e8d7a4ca61bd9	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\RCXDB74.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXC625.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXDE06.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Crashpad\attachments\smss.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXC420.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXC626.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\RCXDB75.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Media Player\TextInputHost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXD660.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXD950.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Media Player\22eafd247d37c3	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\56085415360792	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXCCC2.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Crashpad\attachments\smss.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXD8E2.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Portable Devices\System.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXDE07.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\121e5b5079f7c0	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Reference Assemblies\5b884080fd4f94	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Web\4K\5b884080fd4f94	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\apppatch\it-IT\66fc9ff0ee96c2	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\apppatch\it-IT\RCXD1C8.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\apppatch\it-IT\sihost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\en-US\RCXCF46.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\apppatch\it-IT\RCXD1C7.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\Web\4K\RCXCAAD.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\Web\4K\RCXCAAE.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\en-US\RCXCF45.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\en-US\unsecapp.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\en-US\29c1c3cc0f7685	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\apppatch\it-IT\sihost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\Web\4K\fontdrvhost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\Web\4K\fontdrvhost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\en-US\unsecapp.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1252	schtasks.exe
4140	schtasks.exe
2364	schtasks.exe
1540	schtasks.exe
3456	schtasks.exe
2424	schtasks.exe
852	schtasks.exe
1980	schtasks.exe
1792	schtasks.exe
3664	schtasks.exe
4604	schtasks.exe
1900	schtasks.exe
4804	schtasks.exe
2840	schtasks.exe
2192	schtasks.exe
2316	schtasks.exe
3000	schtasks.exe
3452	schtasks.exe
1456	schtasks.exe
3036	schtasks.exe
4176	schtasks.exe
3424	schtasks.exe
4948	schtasks.exe
2696	schtasks.exe
3688	schtasks.exe
4976	schtasks.exe
4612	schtasks.exe
4524	schtasks.exe
4456	schtasks.exe
4268	schtasks.exe
4816	schtasks.exe
5076	schtasks.exe
4680	schtasks.exe
3992	schtasks.exe
312	schtasks.exe
3008	schtasks.exe
3592	schtasks.exe
400	schtasks.exe
244	schtasks.exe
2260	schtasks.exe
1060	schtasks.exe
2520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1652	powershell.exe
1652	powershell.exe
5036	powershell.exe
5036	powershell.exe
852	powershell.exe
456	powershell.exe
852	powershell.exe
456	powershell.exe
4584	powershell.exe
4584	powershell.exe
2996	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	3228	sysmon.exe
Token: SeDebugPrivilege	2708	sysmon.exe
Token: SeDebugPrivilege	3596	sysmon.exe
Token: SeDebugPrivilege	2112	sysmon.exe
Token: SeDebugPrivilege	3056	sysmon.exe
Token: SeDebugPrivilege	4980	sysmon.exe
Token: SeDebugPrivilege	4316	sysmon.exe
Token: SeDebugPrivilege	4372	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4584	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	133
PID 3440 wrote to memory of 4584	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	133
PID 3440 wrote to memory of 3500	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	134
PID 3440 wrote to memory of 3500	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	134
PID 3440 wrote to memory of 2364	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	135
PID 3440 wrote to memory of 2364	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	135
PID 3440 wrote to memory of 1652	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	136
PID 3440 wrote to memory of 1652	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	136
PID 3440 wrote to memory of 852	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	137
PID 3440 wrote to memory of 852	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	137
PID 3440 wrote to memory of 3612	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	138
PID 3440 wrote to memory of 3612	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	138
PID 3440 wrote to memory of 1908	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	139
PID 3440 wrote to memory of 1908	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	139
PID 3440 wrote to memory of 5036	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	140
PID 3440 wrote to memory of 5036	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	140
PID 3440 wrote to memory of 1888	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	141
PID 3440 wrote to memory of 1888	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	141
PID 3440 wrote to memory of 2996	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	142
PID 3440 wrote to memory of 2996	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	142
PID 3440 wrote to memory of 456	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	143
PID 3440 wrote to memory of 456	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	143
PID 3440 wrote to memory of 4456	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	155
PID 3440 wrote to memory of 4456	3440	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	155
PID 4456 wrote to memory of 2776	4456	cmd.exe	157
PID 4456 wrote to memory of 2776	4456	cmd.exe	157
PID 4456 wrote to memory of 3228	4456	cmd.exe	162
PID 4456 wrote to memory of 3228	4456	cmd.exe	162
PID 3228 wrote to memory of 2332	3228	sysmon.exe	164
PID 3228 wrote to memory of 2332	3228	sysmon.exe	164
PID 3228 wrote to memory of 2244	3228	sysmon.exe	165
PID 3228 wrote to memory of 2244	3228	sysmon.exe	165
PID 2332 wrote to memory of 2708	2332	WScript.exe	166
PID 2332 wrote to memory of 2708	2332	WScript.exe	166
PID 2708 wrote to memory of 2432	2708	sysmon.exe	170
PID 2708 wrote to memory of 2432	2708	sysmon.exe	170
PID 2708 wrote to memory of 3084	2708	sysmon.exe	171
PID 2708 wrote to memory of 3084	2708	sysmon.exe	171
PID 2432 wrote to memory of 3596	2432	WScript.exe	173
PID 2432 wrote to memory of 3596	2432	WScript.exe	173
PID 3596 wrote to memory of 1880	3596	sysmon.exe	175
PID 3596 wrote to memory of 1880	3596	sysmon.exe	175
PID 3596 wrote to memory of 2440	3596	sysmon.exe	176
PID 3596 wrote to memory of 2440	3596	sysmon.exe	176
PID 1880 wrote to memory of 2112	1880	WScript.exe	178
PID 1880 wrote to memory of 2112	1880	WScript.exe	178
PID 2112 wrote to memory of 3756	2112	sysmon.exe	180
PID 2112 wrote to memory of 3756	2112	sysmon.exe	180
PID 2112 wrote to memory of 1628	2112	sysmon.exe	181
PID 2112 wrote to memory of 1628	2112	sysmon.exe	181
PID 3756 wrote to memory of 3056	3756	WScript.exe	182
PID 3756 wrote to memory of 3056	3756	WScript.exe	182
PID 3056 wrote to memory of 3228	3056	sysmon.exe	184
PID 3056 wrote to memory of 3228	3056	sysmon.exe	184
PID 3056 wrote to memory of 4924	3056	sysmon.exe	185
PID 3056 wrote to memory of 4924	3056	sysmon.exe	185
PID 3228 wrote to memory of 4980	3228	WScript.exe	186
PID 3228 wrote to memory of 4980	3228	WScript.exe	186
PID 4980 wrote to memory of 2904	4980	sysmon.exe	188
PID 4980 wrote to memory of 2904	4980	sysmon.exe	188
PID 4980 wrote to memory of 4112	4980	sysmon.exe	189
PID 4980 wrote to memory of 4112	4980	sysmon.exe	189
PID 2904 wrote to memory of 4316	2904	WScript.exe	190
PID 2904 wrote to memory of 4316	2904	WScript.exe	190

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
"C:\Users\Admin\AppData\Local\Temp\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pvZdHunNkp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2776
- - C:\Users\Public\sysmon.exe
    "C:\Users\Public\sysmon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e32b6ebc-f4d3-47a2-8b2d-d5981f100831.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Users\Public\sysmon.exe
        
        C:\Users\Public\sysmon.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a6eed4b-636f-45e3-a84e-f7c078ab3c90.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Users\Public\sysmon.exe
        
        C:\Users\Public\sysmon.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87168a28-9a2d-4f95-9269-256dc5e76644.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Users\Public\sysmon.exe
        
        C:\Users\Public\sysmon.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ff897fc-2ee7-4848-829d-b85178be6091.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Users\Public\sysmon.exe
        
        C:\Users\Public\sysmon.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\177d0377-404f-4e3a-af04-ad8bd3b726ad.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Users\Public\sysmon.exe
        
        C:\Users\Public\sysmon.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c238eb7-b01b-40e4-8d53-2a5d6064d003.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Users\Public\sysmon.exe
        
        C:\Users\Public\sysmon.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60d5da43-bb03-4776-b7bd-f9149ee75746.vbs"
        16⤵
        
        PID:4392
        
        C:\Users\Public\sysmon.exe
        
        C:\Users\Public\sysmon.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fe6e130-ea00-4728-859f-e192897efc4d.vbs"
        16⤵
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13b4a9e6-c53d-4919-a4ab-3c4af0c5d7cb.vbs"
        14⤵
        
        PID:4112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6586ce52-6d91-4116-937d-03c4a7397fb3.vbs"
        12⤵
        
        PID:4924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70481070-61ef-497c-8877-6c5ba38bf6c5.vbs"
        10⤵
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\297f1ebe-ec14-4d8d-8cb2-73086e98c8e3.vbs"
        8⤵
        
        PID:2440
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34adacf5-4828-4129-a032-65c929aceddb.vbs"
        6⤵
        
        PID:3084
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4f84531-5d11-4ae6-8f10-97df7ea1a143.vbs"
      4⤵
      PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\4K\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Web\4K\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\4K\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\apppatch\it-IT\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\apppatch\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\apppatch\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Public\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Portable Devices\System.exe

Filesize
1.7MB

MD5
9f76ce1fd4456964e9209f742fcfa749

SHA1
3c566840fe69783f2d00031d9aebd38d0d12c1da

SHA256
1858c53acc55a8b03e0138f8379bd2f8aa90d6dee18355e0168c8d3279e1ee7b

SHA512
a74fc584a354532c5cafb0b784a3b644b46472d04d94228be1d4c9c85697929c0e73119e22e0733406bc110d0221605dae7037df3b9ac39c44b96b51e5148e35

Download Submit
C:\Recovery\WindowsRE\winlogon.exe

Filesize
1.7MB

MD5
47b1d1110130ceb9c989141b451712c6

SHA1
d14d415a6badea0076785942f49a9a7ec1709b1e

SHA256
b7d7c2c27617443c07014ed7c8fc3f2fb168e0805f0f7855a019000a1bd5f9fb

SHA512
249d9642b26e3c49bb78e44c6bfb1bf0f181c06f1347b44f18e41d75219878d1129fc5e3230857976fe0b0f06a77f8aa751d1a88c5ed05f35ea62865e73d8495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\177d0377-404f-4e3a-af04-ad8bd3b726ad.vbs

Filesize
702B

MD5
6eb8f9e5122b2a839dd9f2a2c8e9b426

SHA1
d1b973a1ca7573e144571a965574b97da8ab4676

SHA256
2379bc3cdbfbf5f9790e9bea1cd65d6e1c85830c242d1d6fea2c6f67c14fc64c

SHA512
7410db85641a680ea6e9669d31f98155c2e6ea1fe22dccd8ceb0c5da23406de8b8189b0b141a86deab37d119913f86571364bf5cdcb33377358698e0e9b7165a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c238eb7-b01b-40e4-8d53-2a5d6064d003.vbs

Filesize
702B

MD5
4d157a5242f30bcfa4bc69096ec43194

SHA1
85d2592c452e27e2ce888ece1539f5c97d8be5f8

SHA256
30aa8dae853b96d4d758b4adf14e0a1fcfaa65ce1e4a8895947236bfc65e6eee

SHA512
ca8915941f92a26e82e8070fe083e75df4e44d6c367d7ee499200dfde6496f6ab40e5145aa23aaf6acfb9757a2ee6d937c67b4ff69bfef20587bc9a5f98e8718

Download Submit
C:\Users\Admin\AppData\Local\Temp\60d5da43-bb03-4776-b7bd-f9149ee75746.vbs

Filesize
702B

MD5
2e7417b5cf4d7527841d731adfadbe2d

SHA1
2fb2297b6f893cdcc957c4e49343652a5c8ddc70

SHA256
d272aa2986b49491d91cc6cb6cf8193178f54566feec45048fd727b7194cdc02

SHA512
470291d18fb139a7dc7e73ad2aeaa2ca7af8493a920c5ab46dbd9dbf02a244cc833326bdee331f4f0847ec18dd62d40633c8c32e113695b85d0d14cbe06aa166

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a6eed4b-636f-45e3-a84e-f7c078ab3c90.vbs

Filesize
702B

MD5
0ce52694409b977dd053e75d53af4fbf

SHA1
4ce0e1f58f806905aac7abd685aace57a3a081b7

SHA256
90c9e1f6a217418218effd386aa76fce0876907b73eb5ff04736a1e6b63b8e09

SHA512
0ecdbbf06231b0b6b5881a76a3754ad89333b861d55edd5fa51bb30c48213b2dba8e9b6ae2f293abff032655ff7e5337710b47a8c87066b80d75899d36536c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ff897fc-2ee7-4848-829d-b85178be6091.vbs

Filesize
702B

MD5
95803311a59516571c560c80e48fe122

SHA1
202f2537a7c695195b05ed866c7597f476bddca2

SHA256
6167aec748247cfce1829ad0611f1aa683f84b7dc4e3bb431bf95a4f712bbd9e

SHA512
836759336eb7cde2b1153a55c53297e52c7f9c1f1afe35607e37c1f11824b22ecfd7fca4dcfc5f9b4c7d01fee370776f0ce17857ec620f19344618594e70be44

Download Submit
C:\Users\Admin\AppData\Local\Temp\87168a28-9a2d-4f95-9269-256dc5e76644.vbs

Filesize
702B

MD5
856194fdee1862ff7b02884c0d6dbc1e

SHA1
fb91f3d0ad5e7371fef78362d6775846364d8622

SHA256
1720447742605a144ff23bc7f2dd2d46b84301c4debf7a636b6c2377db981a18

SHA512
4e88884644bc8f987e8d37f94f47a2b10c8f0debce0555682cc00a56920448359b8e589458a4c303d8db8d4b28ee81e0d24ba34de174ae5d1e46714244e84859

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4afjitv0.le0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4f84531-5d11-4ae6-8f10-97df7ea1a143.vbs

Filesize
478B

MD5
4e5df5e8617819f43dfffb583208ce1d

SHA1
24d2613ab7335723e9cdca8507ea5a273c6faf27

SHA256
b82a0144e1f406ae5e69d5dc11175cc0e5ed574171385cbe6b1bbbc113fbda2e

SHA512
2ced153e3474e95c9cc8a05afe6f89e20f7902cb61aac93aa94b3ee3e012f1daa9ed9ebed21c054b6e93ffc63bf321d2442f9db9a532a2a59a965e812ae77596

Download Submit
C:\Users\Admin\AppData\Local\Temp\e32b6ebc-f4d3-47a2-8b2d-d5981f100831.vbs

Filesize
702B

MD5
8f096f7737acc323706b4ed978f1ff84

SHA1
23999c012d1b425cd19618cc2f23ffe7ecf6ef11

SHA256
677aae2f997abafaac2275cdd9618f90723728f0f0caadf44213c61343f029fa

SHA512
122a302ff42062283aa9771a2edad6428eff2ac7977899e0d26e9ad6713d7d099c8690896d555ce5db3a942d85db364c9f76f0c8cb3ceacea7d9ef5cfbc8657d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvZdHunNkp.bat

Filesize
191B

MD5
9a88714beff1a6d27fed19e5d43fe839

SHA1
4634d4fd4142536424621b25e8eb1794bdff4d92

SHA256
d026b2d1024e3c04b7540161c4d509046e70a167bada1d8794270d6057b4d2c5

SHA512
c57713b115bd14640712e8d43411002d734b449ee2523b54b464403195ee13375dda1907b312f0be51869ecdbc62b770e5561ffb1b293dea8a5b6bb39b43779a

Download Submit
C:\Users\Default\upfc.exe

Filesize
1.7MB

MD5
7043d3047953705857dbd041ecabea23

SHA1
c9bb1e51bcc19c0147a75fc02021b9d77f46641b

SHA256
6269995bc0eb96f05c6549550c1435a0e9ba4bde81da3b4124f78f34b8e81635

SHA512
22fe698f4f28a6db1e09f94687008566de8524ec11f3bf6225edb1e8f0dffde9327eacf4cf985cc36f6bfb3364f05d50ced45788dc41785a0bc96b9220d2d8d4

Download Submit
C:\Windows\Web\4K\fontdrvhost.exe

Filesize
1.7MB

MD5
f1c7ba434142190a707f597065fda0fc

SHA1
1c2991037471e1247910ca32f4435309bf7ff7fd

SHA256
65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53

SHA512
9aed1b32c9d40149f41afbf88dd9757f52a52d26889b89d47defca85ea39a25c675d0a31c092657c8cfd8473f1130c8323efa9091c00eec4d733f7e29e1743eb

Download Submit
memory/3228-354-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/3440-0-0x00007FFEEDD43000-0x00007FFEEDD45000-memory.dmp

Filesize
8KB

Download
memory/3440-182-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

Filesize
10.8MB

Download
memory/3440-3-0x0000000000DA0000-0x0000000000DBC000-memory.dmp

Filesize
112KB

Download
memory/3440-5-0x000000001B040000-0x000000001B048000-memory.dmp

Filesize
32KB

Download
memory/3440-4-0x000000001B760000-0x000000001B7B0000-memory.dmp

Filesize
320KB

Download
memory/3440-22-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

Filesize
10.8MB

Download
memory/3440-224-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

Filesize
10.8MB

Download
memory/3440-19-0x000000001BA00000-0x000000001BA0C000-memory.dmp

Filesize
48KB

Download
memory/3440-23-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

Filesize
10.8MB

Download
memory/3440-241-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

Filesize
10.8MB

Download
memory/3440-16-0x000000001BA30000-0x000000001BA3E000-memory.dmp

Filesize
56KB

Download
memory/3440-9-0x000000001B730000-0x000000001B73C000-memory.dmp

Filesize
48KB

Download
memory/3440-12-0x000000001B750000-0x000000001B762000-memory.dmp

Filesize
72KB

Download
memory/3440-2-0x00007FFEEDD40000-0x00007FFEEE801000-memory.dmp

Filesize
10.8MB

Download
memory/3440-8-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/3440-7-0x000000001B710000-0x000000001B726000-memory.dmp

Filesize
88KB

Download
memory/3440-10-0x000000001B740000-0x000000001B748000-memory.dmp

Filesize
32KB

Download
memory/3440-17-0x000000001B9E0000-0x000000001B9E8000-memory.dmp

Filesize
32KB

Download
memory/3440-18-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

Filesize
48KB

Download
memory/3440-170-0x00007FFEEDD43000-0x00007FFEEDD45000-memory.dmp

Filesize
8KB

Download
memory/3440-15-0x000000001BA20000-0x000000001BA2A000-memory.dmp

Filesize
40KB

Download
memory/3440-14-0x000000001B7D0000-0x000000001B7DC000-memory.dmp

Filesize
48KB

Download
memory/3440-13-0x000000001BD00000-0x000000001C228000-memory.dmp

Filesize
5.2MB

Download
memory/3440-6-0x000000001B050000-0x000000001B060000-memory.dmp

Filesize
64KB

Download
memory/3440-1-0x00000000002F0000-0x00000000004B0000-memory.dmp

Filesize
1.8MB

Download
memory/4584-240-0x0000021C23EB0000-0x0000021C23ED2000-memory.dmp

Filesize
136KB

Download