dcrat | 3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9

Analysis

max time kernel
147s
max time network
149s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16/12/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinPerfcommon.exe
Size

1.9MB
MD5

6b9554367a439d39a00a0dff9a08b123
SHA1

e1d22cde90c297c10f4fcba5b3980e5d551eb0b3
SHA256

3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9
SHA512

72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720
SSDEEP

49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\spoolsv.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\taskhostw.exe\", \"C:\\Windows\\security\\templates\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\spoolsv.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\taskhostw.exe\", \"C:\\Windows\\security\\templates\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinPerfcommon.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\spoolsv.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\spoolsv.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\taskhostw.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\spoolsv.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\taskhostw.exe\", \"C:\\Windows\\security\\templates\\csrss.exe\""	WinPerfcommon.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	4528	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	4528	schtasks.exe	93

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2288	powershell.exe
2748	powershell.exe
5040	powershell.exe
4288	powershell.exe
3848	powershell.exe
1576	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	WinPerfcommon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	taskhostw.exe

Executes dropped EXE 17 IoCs

pid	Process
1864	msedge.exe
3816	taskhostw.exe
4924	taskhostw.exe
5040	taskhostw.exe
4124	taskhostw.exe
4784	taskhostw.exe
2612	taskhostw.exe
3904	taskhostw.exe
2848	taskhostw.exe
1816	taskhostw.exe
4000	taskhostw.exe
4840	taskhostw.exe
4708	taskhostw.exe
4744	taskhostw.exe
1272	msedge.exe
3224	taskhostw.exe
4860	taskhostw.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\spoolsv.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\spoolsv.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\taskhostw.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\security\\templates\\csrss.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinPerfcommon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinPerfcommon.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\taskhostw.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\security\\templates\\csrss.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinPerfcommon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinPerfcommon.exe\""	WinPerfcommon.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC67F79384DD1F4A7BBD2C46DFBF659ED7.TMP	csc.exe
File created	\??\c:\Windows\System32\vaqski.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\ea9f0e6c9e2dcd	WinPerfcommon.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe	WinPerfcommon.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\f3b6ecef712a24	WinPerfcommon.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCD5F91C4A3917407EAD36BFC5EC7191E.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe	WinPerfcommon.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\security\templates\csrss.exe	WinPerfcommon.exe
File created	C:\Windows\security\templates\886983d96e3d3e	WinPerfcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3804	PING.EXE
2480	PING.EXE
2712	PING.EXE
4612	PING.EXE
3116	PING.EXE
1420	PING.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	WinPerfcommon.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	taskhostw.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
3116	PING.EXE
1420	PING.EXE
3804	PING.EXE
2480	PING.EXE
2712	PING.EXE
4612	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4920	schtasks.exe
4208	schtasks.exe
4716	schtasks.exe
1012	schtasks.exe
2932	schtasks.exe
808	schtasks.exe
1232	schtasks.exe
2400	schtasks.exe
660	schtasks.exe
500	schtasks.exe
2372	schtasks.exe
4964	schtasks.exe
2016	schtasks.exe
4584	schtasks.exe
928	schtasks.exe
4840	schtasks.exe
3140	schtasks.exe
4992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe
2124	WinPerfcommon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	WinPerfcommon.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeIncreaseQuotaPrivilege	4288	powershell.exe
Token: SeSecurityPrivilege	4288	powershell.exe
Token: SeTakeOwnershipPrivilege	4288	powershell.exe
Token: SeLoadDriverPrivilege	4288	powershell.exe
Token: SeSystemProfilePrivilege	4288	powershell.exe
Token: SeSystemtimePrivilege	4288	powershell.exe
Token: SeProfSingleProcessPrivilege	4288	powershell.exe
Token: SeIncBasePriorityPrivilege	4288	powershell.exe
Token: SeCreatePagefilePrivilege	4288	powershell.exe
Token: SeBackupPrivilege	4288	powershell.exe
Token: SeRestorePrivilege	4288	powershell.exe
Token: SeShutdownPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeSystemEnvironmentPrivilege	4288	powershell.exe
Token: SeRemoteShutdownPrivilege	4288	powershell.exe
Token: SeUndockPrivilege	4288	powershell.exe
Token: SeManageVolumePrivilege	4288	powershell.exe
Token: 33	4288	powershell.exe
Token: 34	4288	powershell.exe
Token: 35	4288	powershell.exe
Token: 36	4288	powershell.exe
Token: SeIncreaseQuotaPrivilege	1576	powershell.exe
Token: SeSecurityPrivilege	1576	powershell.exe
Token: SeTakeOwnershipPrivilege	1576	powershell.exe
Token: SeLoadDriverPrivilege	1576	powershell.exe
Token: SeSystemProfilePrivilege	1576	powershell.exe
Token: SeSystemtimePrivilege	1576	powershell.exe
Token: SeProfSingleProcessPrivilege	1576	powershell.exe
Token: SeIncBasePriorityPrivilege	1576	powershell.exe
Token: SeCreatePagefilePrivilege	1576	powershell.exe
Token: SeBackupPrivilege	1576	powershell.exe
Token: SeRestorePrivilege	1576	powershell.exe
Token: SeShutdownPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeSystemEnvironmentPrivilege	1576	powershell.exe
Token: SeRemoteShutdownPrivilege	1576	powershell.exe
Token: SeUndockPrivilege	1576	powershell.exe
Token: SeManageVolumePrivilege	1576	powershell.exe
Token: 33	1576	powershell.exe
Token: 34	1576	powershell.exe
Token: 35	1576	powershell.exe
Token: 36	1576	powershell.exe
Token: SeIncreaseQuotaPrivilege	3848	powershell.exe
Token: SeSecurityPrivilege	3848	powershell.exe
Token: SeTakeOwnershipPrivilege	3848	powershell.exe
Token: SeLoadDriverPrivilege	3848	powershell.exe
Token: SeSystemProfilePrivilege	3848	powershell.exe
Token: SeSystemtimePrivilege	3848	powershell.exe
Token: SeProfSingleProcessPrivilege	3848	powershell.exe
Token: SeIncBasePriorityPrivilege	3848	powershell.exe
Token: SeCreatePagefilePrivilege	3848	powershell.exe
Token: SeBackupPrivilege	3848	powershell.exe
Token: SeRestorePrivilege	3848	powershell.exe
Token: SeShutdownPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeSystemEnvironmentPrivilege	3848	powershell.exe
Token: SeRemoteShutdownPrivilege	3848	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 800	2124	WinPerfcommon.exe	97
PID 2124 wrote to memory of 800	2124	WinPerfcommon.exe	97
PID 800 wrote to memory of 3872	800	csc.exe	99
PID 800 wrote to memory of 3872	800	csc.exe	99
PID 2124 wrote to memory of 1052	2124	WinPerfcommon.exe	134
PID 2124 wrote to memory of 1052	2124	WinPerfcommon.exe	134
PID 1052 wrote to memory of 4032	1052	csc.exe	102
PID 1052 wrote to memory of 4032	1052	csc.exe	102
PID 2124 wrote to memory of 2748	2124	WinPerfcommon.exe	118
PID 2124 wrote to memory of 2748	2124	WinPerfcommon.exe	118
PID 2124 wrote to memory of 2288	2124	WinPerfcommon.exe	119
PID 2124 wrote to memory of 2288	2124	WinPerfcommon.exe	119
PID 2124 wrote to memory of 1576	2124	WinPerfcommon.exe	120
PID 2124 wrote to memory of 1576	2124	WinPerfcommon.exe	120
PID 2124 wrote to memory of 3848	2124	WinPerfcommon.exe	121
PID 2124 wrote to memory of 3848	2124	WinPerfcommon.exe	121
PID 2124 wrote to memory of 4288	2124	WinPerfcommon.exe	122
PID 2124 wrote to memory of 4288	2124	WinPerfcommon.exe	122
PID 2124 wrote to memory of 5040	2124	WinPerfcommon.exe	123
PID 2124 wrote to memory of 5040	2124	WinPerfcommon.exe	123
PID 2124 wrote to memory of 1740	2124	WinPerfcommon.exe	130
PID 2124 wrote to memory of 1740	2124	WinPerfcommon.exe	130
PID 1740 wrote to memory of 3720	1740	cmd.exe	132
PID 1740 wrote to memory of 3720	1740	cmd.exe	132
PID 1740 wrote to memory of 2464	1740	cmd.exe	133
PID 1740 wrote to memory of 2464	1740	cmd.exe	133
PID 1740 wrote to memory of 3816	1740	cmd.exe	136
PID 1740 wrote to memory of 3816	1740	cmd.exe	136
PID 3816 wrote to memory of 472	3816	taskhostw.exe	137
PID 3816 wrote to memory of 472	3816	taskhostw.exe	137
PID 472 wrote to memory of 2932	472	cmd.exe	139
PID 472 wrote to memory of 2932	472	cmd.exe	139
PID 472 wrote to memory of 2480	472	cmd.exe	140
PID 472 wrote to memory of 2480	472	cmd.exe	140
PID 472 wrote to memory of 4924	472	cmd.exe	141
PID 472 wrote to memory of 4924	472	cmd.exe	141
PID 4924 wrote to memory of 1280	4924	taskhostw.exe	142
PID 4924 wrote to memory of 1280	4924	taskhostw.exe	142
PID 1280 wrote to memory of 1232	1280	cmd.exe	144
PID 1280 wrote to memory of 1232	1280	cmd.exe	144
PID 1280 wrote to memory of 3304	1280	cmd.exe	145
PID 1280 wrote to memory of 3304	1280	cmd.exe	145
PID 1280 wrote to memory of 5040	1280	cmd.exe	147
PID 1280 wrote to memory of 5040	1280	cmd.exe	147
PID 5040 wrote to memory of 3500	5040	taskhostw.exe	148
PID 5040 wrote to memory of 3500	5040	taskhostw.exe	148
PID 3500 wrote to memory of 2296	3500	cmd.exe	150
PID 3500 wrote to memory of 2296	3500	cmd.exe	150
PID 3500 wrote to memory of 2712	3500	cmd.exe	151
PID 3500 wrote to memory of 2712	3500	cmd.exe	151
PID 3500 wrote to memory of 4124	3500	cmd.exe	152
PID 3500 wrote to memory of 4124	3500	cmd.exe	152
PID 4124 wrote to memory of 1752	4124	taskhostw.exe	153
PID 4124 wrote to memory of 1752	4124	taskhostw.exe	153
PID 1752 wrote to memory of 2480	1752	cmd.exe	155
PID 1752 wrote to memory of 2480	1752	cmd.exe	155
PID 1752 wrote to memory of 4612	1752	cmd.exe	156
PID 1752 wrote to memory of 4612	1752	cmd.exe	156
PID 1752 wrote to memory of 4784	1752	cmd.exe	157
PID 1752 wrote to memory of 4784	1752	cmd.exe	157
PID 4784 wrote to memory of 4316	4784	taskhostw.exe	158
PID 4784 wrote to memory of 4316	4784	taskhostw.exe	158
PID 4316 wrote to memory of 3788	4316	cmd.exe	160
PID 4316 wrote to memory of 3788	4316	cmd.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe
"C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ok1dn1b\1ok1dn1b.cmdline"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30FE.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCD5F91C4A3917407EAD36BFC5EC7191E.TMP"
    3⤵
    PID:3872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xtmygwyz\xtmygwyz.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31B9.tmp" "c:\Windows\System32\CSC67F79384DD1F4A7BBD2C46DFBF659ED7.TMP"
    3⤵
    PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\templates\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vi2IVPBbsr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3720
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2464
- - C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
    "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NxeDi3jWef.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:472
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2932
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2480
    - - C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PQJTgaiE1V.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3304
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V20VgTPM9z.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2712
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TnBNCiQVx4.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4612
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SZLFiwQel9.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4160
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yjLtiCBkS.bat"
        14⤵
        
        PID:508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2696
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KU0xjXjpGp.bat"
        16⤵
        
        PID:4008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4860
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cE5h37GJz6.bat"
        18⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4568
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5CZTOTC2vN.bat"
        20⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3116
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KU0xjXjpGp.bat"
        22⤵
        
        PID:3400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4372
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SZLFiwQel9.bat"
        24⤵
        
        PID:4044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:5056
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KU0xjXjpGp.bat"
        26⤵
        
        PID:1168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1800
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yhfppzmMH9.bat"
        28⤵
        
        PID:1220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2908
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mm6E03wqrH.bat"
        30⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1420
        
        C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fhkx1dF1Mw.bat"
        32⤵
        
        PID:2480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\security\templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\security\templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinPerfcommon" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4200,i,690293423614796501,17475910179943560176,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:8
1⤵
- Executes dropped EXE
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=3024,i,690293423614796501,17475910179943560176,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:8
1⤵
- Executes dropped EXE
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4KB

MD5
f8e2299ff5bc91335fdd281749aa0655

SHA1
f39290f72ffa93955e7012eedd034ee96d9404f9

SHA256
18d3a72810826802ac5d68f30aa07e5628b49a9c6afe79ca58f99d5889efcb72

SHA512
e674b36b5c70f6e3cd181399b146a7e4aa80af96eec9d2adc78832a3355594c7019f4768f30cbf53259a497add182893458cba4366c983e4b24f5b3d6f7a7da7

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe

Filesize
1.9MB

MD5
6b9554367a439d39a00a0dff9a08b123

SHA1
e1d22cde90c297c10f4fcba5b3980e5d551eb0b3

SHA256
3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9

SHA512
72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
1KB

MD5
35d9b3a121c0cc86f39c6110eb5a9d09

SHA1
2ec1403fc072f8cb6617702a4a58f45301f0fbe0

SHA256
53aeaed4e667a55ce4065abb727ea08b15d73ac16e8c948f703958b0f6ff62c5

SHA512
ffd682d4739a8917de57f985a1001dde882a9cecf170e456e35649f3324adf9d19846588dca6682360103de488179499febff4182b99c7f2ffd6eba0afc3c198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yjLtiCBkS.bat

Filesize
241B

MD5
0c8738a597fe38d5fd78d7548ed9fc99

SHA1
e0559beac00a8c7e9902904f9bc706457a60f7fb

SHA256
ba1ce22deb21c3ec3e8ac97ffeffa653d20328e9e30c101a9798983616a5dcd2

SHA512
13d0a941325965d1558534a523cc95b321bef904cc33f25c817182515ae8eb80cbdf3a9158ddcec6269867b59248b98228af7bd6ecde026644564ed670c172d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CZTOTC2vN.bat

Filesize
193B

MD5
7f955deb720321681d459a4514b112f6

SHA1
3a8e8b8e6852ee3625b0ec9b6f5b1a23a249e872

SHA256
6d14bb821d5fdab896f22f25a0c1f1c556b427135977b4be1a669f62e8a2c77e

SHA512
043dbc3d6f63c7a2f7090cb5e7a063f56550748eb9406ce4dfd383311eb7d020f48a1fc1e74981b700100201b70cdb53f9b800cd630aafa569b707775204d384

Download Submit
C:\Users\Admin\AppData\Local\Temp\KU0xjXjpGp.bat

Filesize
241B

MD5
dbef09a14d62c9536a7c2d576fc501fd

SHA1
62447eb4637c22bc3b04863f1d486b6bfeda0b3b

SHA256
baacaf25ec1c9ab38adbd15245a9be87721bdd3404c66e0b0bb8db7fab472c62

SHA512
faa4c2318ace10b9d4b6f5fda2f151f695e9f57e4f4c9c4f4b40776186765ed2584d2fc888217368848419b34d02bab79da6e20692020a9c16f7d95862cbfe85

Download Submit
C:\Users\Admin\AppData\Local\Temp\NxeDi3jWef.bat

Filesize
193B

MD5
70287b72514c314aa63bdfcaf28406a1

SHA1
ef6f5ecffd802bc9ff36496572f795ef7f0ff635

SHA256
251ba6f4b57f1c7f78a24ddb2b5ebf9b530b5566b99df37c64dc277f9718fb04

SHA512
6e3268c4a4c0bf0c0a553015469b2bd88276c4b93fff9418ff0ee2a944a75b85f69f91d293e91c1978c472ba30457a77cbdba123dd79efcb5a6495788d115699

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQJTgaiE1V.bat

Filesize
241B

MD5
268ec632aaed1e56708b9d42783a2d68

SHA1
a27ae5ee55ecb1a9864bc1740ac7b51efebbe206

SHA256
35af3e8195acc0be674ccdc216a3945990baf387580d758c83175dc24d9c6321

SHA512
11e3c336e1f5a6cb84038c3bebcf92dc1846c5de256af4c6a1a7ce629628e96da75f5e3cb5bfad1c9f352d901d174ae8ab570ad45ac4dc50e0aaa3dedd7fc092

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES30FE.tmp

Filesize
1KB

MD5
2f8af303a2b46d6113f38355f6bdd5da

SHA1
e23d96185f20dafa4a1c4757260fadc21f9535bf

SHA256
bee984b2306ef1024256dd0cf614501de9af6b9e44528ccf29a727390d1c4723

SHA512
6c0ee9814fa0403fd923d38d52a4a6d9b280856b3cf369ebf20ab154c2a31ce6e097e3b6c5032a9195109aa5c4a14ab0def5bfac0215e02af8d89dafdd54d71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES31B9.tmp

Filesize
1KB

MD5
84a6342945fc9e085b5ab8d8b7e8ff5f

SHA1
d04f0e3f0d7c6692be5a260d6305d24147195da8

SHA256
75ce0e7ba33113d30d0bd8356b4a7f70e98abb75634884fa18f609f6d3443a07

SHA512
f4fe4c9041a48a4d880ef52845cd766cf6411424b0d0677f531ba74f9483cac09fe93effec99c0b78251034ebd386308379c821f0504aea23a22a5c3cfe7a058

Download Submit
C:\Users\Admin\AppData\Local\Temp\SZLFiwQel9.bat

Filesize
241B

MD5
7f4a3b3d519f8b7c7ece00d2fb9af7a0

SHA1
41a0fb9601a38a2f92477f5f37603a3c6d35a80b

SHA256
761844d4255ed884f9becd79d315274eabbbb91fde3af6a47674edfcbb30fa03

SHA512
b8b0867050f97ee40586852d718d675b8af642a455c30e45681f985ea0778e179ae2afb08e2bb6b30b1e27287e944d4168b19716fee044465ac13cbd9190e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TnBNCiQVx4.bat

Filesize
193B

MD5
3cf397277f7e5b8e1845dbc4d57ac19f

SHA1
c66e0b8e0dc8c23b4d11ee20429b4e150a1a682f

SHA256
66c4aa55785bf5e4965bb2aa0c5a749124e33b4116d21ca3f52f750d93362069

SHA512
7cbf0fd9544cd2fe909eead1d7545b502bb8f26910c3bf5fed3c86145c7482b343009221c0e2046c0871e2fa82154ea16fe0b10d2d8ed8f3e8afd1f32cf10d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\V20VgTPM9z.bat

Filesize
193B

MD5
d533ede7f5692e1a554d47588a615ae3

SHA1
04336389f7bb01b864eef286a909fac4eea9ac11

SHA256
f6012a30677d16d787ac543aca13813cd31edcf602d833c0c2e9ad00455a6619

SHA512
a8959a42eeaab24a93498a925116b11c7b433970c9527fdc491687a0b5f8c22647dce1f9a57755531afeeff0dc5a95926eb64bd513567cabf37d62d6ae1245ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hwns5idk.pkt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cE5h37GJz6.bat

Filesize
241B

MD5
500615e5218863fadf590b31df11e1cf

SHA1
919087f5319fd5997d724a6fe162c3a8498ab72c

SHA256
5abad531086fbae52002b866c42dcd233962e4826767c9cbc5790771fd51cd41

SHA512
43e60b6d6839b053471f7228749d2e72ce2f8955d62e97f18173b4b088b7c8ce9c86aa648160a677f9dc9a42a4ab0c5a2bfbd94680a0bce936ba8592bf62ee4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fhkx1dF1Mw.bat

Filesize
193B

MD5
da1e0c0426c5f9a1232baf6dc00f4dff

SHA1
219d7d9f4be49e691cbf0bc314038f412ba8f9e3

SHA256
e5ffea6c702e5347abca70072683ff757eca295f3814ed601b296641488abcf7

SHA512
afd8a2eb23902c8b609e35011507a96c2e78bfbe7c5cf7f7faa17bdcf89725f0ac8c7cd1ecb7cf11f4ffa34bcc1e24601ae3cc48c47fae866dbad3f5ad76bcec

Download Submit
C:\Users\Admin\AppData\Local\Temp\mm6E03wqrH.bat

Filesize
193B

MD5
12d0aa2ba9b898f953891f09436c13ca

SHA1
21cad44103a33dfd03fc0434a3a6e75e50bd603f

SHA256
2b90b60164a3a9b9d8659e09d20e2c6be469c878dd2fcda10e1ede3832e6f367

SHA512
6531dc40daba9f6e4bb2eb37becb8af117d464ebaa868aec7cd66e9f99be1717f7d43bee9684dd78201758ecd74d8f7e6574a4d95f9d0be7179a5d68c3b20000

Download Submit
C:\Users\Admin\AppData\Local\Temp\vi2IVPBbsr.bat

Filesize
241B

MD5
cf2db3c20270b8c6297b0acb74428688

SHA1
7241be0c4eef391c649401c9170ec015a58c09fc

SHA256
0aedd600778f7f1e889f5da004cdc491a3e04771c7e0a98e00495cb4f987b599

SHA512
b637712bbd05d685014878466afcdcd818f68fa77699da485502e8af22c32b10707b7ebbe00a97cf933878121cb8d6b15fba4eae494ade696f48a8eb02d56d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\yhfppzmMH9.bat

Filesize
241B

MD5
40008ad504d179fec98e9025e78d0ada

SHA1
769f40e34ad56252b67e42fc3ecbd3f3a4c2a3be

SHA256
0259a62d264ae201b3131c0ccfe0d11bed7ee309dc4a14e0c0a0ea4ae5c0b78b

SHA512
81a99aeb4f8a7ab5f0f5257770d960bfac93836d9e9b7b3eba86f40b3307beb0b408fb08e839a62828ee22d5f2050232e8fcd2c52fcd187b3e9ba3af8ced3fad

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCD5F91C4A3917407EAD36BFC5EC7191E.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1ok1dn1b\1ok1dn1b.0.cs

Filesize
397B

MD5
fc764b947286fd055033b5fe163cfea2

SHA1
2fd8a987ff3809a56b7890020760b25cdcd5f1a8

SHA256
20a0d5e228e8de13643c41d88d86a6457e37fc704e1b28ae58f6986818ede8dd

SHA512
44acdd9e203c75f248e5ffaef025a2e1bbf03a4f7f08b8f268ea9f7ce82c5189e7065368250b82ab89ed302bbd8d7bec58a669a502d92264c88513d33841c785

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1ok1dn1b\1ok1dn1b.cmdline

Filesize
265B

MD5
3187c488a9c72ea548e4f5c79cc09f50

SHA1
5eded5faef77145617abd2bf451ba64285664d98

SHA256
4a577274ace52b7090142aa3f71eadd910df582f3d36139f628a7bb2b6ae655f

SHA512
6595254943c92fc033a04ec1261659f6c0ecd8039fcd073b39a227fd08cf10ca64890b7fa6bb26800ec781d066f37cddb72ac890abead24bc3facdc418f68ec2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xtmygwyz\xtmygwyz.0.cs

Filesize
367B

MD5
f6b00ccb4943c9cce95cd3ff84a19a9d

SHA1
098bfe4d0c758fde8a2eddf7f4b5ab69d553342e

SHA256
438753c070d95eedf78c771d82b68cef383b0520311fb59f6b55605f0c84a1d7

SHA512
1559e4498b42ad81fa3c0ebdf22a8809207a1a4c771aa3a2e25a4e3ec1b66afefd280c939ae3fa897e2bff6faf18fb0e99a7918316ba3ceebb6e9713a0d3c28f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xtmygwyz\xtmygwyz.cmdline

Filesize
235B

MD5
9a8a07a56ef87288e3b740363ee924f8

SHA1
bbba6d285b6cc491edc4eabfae90b41b7a1e65ce

SHA256
e9f842a79e58678ae5c5cd1de0d2b3b77ee4d561f0be2b49658b75eec0ca0bf6

SHA512
f75e8094d2a0d9f2de644a9885b11fbabc88d73b0fa9170bf4c75b29cdaec017fe6541949e9cb9b23b46c8468e3c2a0f6b83fea73d5d141ff0ba9f2f6cc2316b

Download Submit
\??\c:\Windows\System32\CSC67F79384DD1F4A7BBD2C46DFBF659ED7.TMP

Filesize
1KB

MD5
ae56762cfcfc3f0d9696cb8340d36eb2

SHA1
263f2ef95cfccb390732a5626ca42ee01f700d77

SHA256
4c805c0435ab99917dc1a66838070c123dfd714b570c1299b0134c5e0745e794

SHA512
8b48055dae756af34f6eb2c855f94137f40da39cb2055fb25e432c76b69a1474cc2b4a283ee91ef74e781b5aee8f3b66ac99425cabe99196f57e45d66ccc652a

Download Submit
memory/2124-19-0x0000000002B80000-0x0000000002B8E000-memory.dmp

Filesize
56KB

Download
memory/2124-15-0x0000000001020000-0x000000000102C000-memory.dmp

Filesize
48KB

Download
memory/2124-1-0x0000000000760000-0x0000000000954000-memory.dmp

Filesize
2.0MB

Download
memory/2124-31-0x00007FF9069A0000-0x00007FF907462000-memory.dmp

Filesize
10.8MB

Download
memory/2124-93-0x00007FF9069A0000-0x00007FF907462000-memory.dmp

Filesize
10.8MB

Download
memory/2124-30-0x00007FF9069A0000-0x00007FF907462000-memory.dmp

Filesize
10.8MB

Download
memory/2124-29-0x00007FF9069A0000-0x00007FF907462000-memory.dmp

Filesize
10.8MB

Download
memory/2124-22-0x00007FF9069A0000-0x00007FF907462000-memory.dmp

Filesize
10.8MB

Download
memory/2124-21-0x0000000002CF0000-0x0000000002CFC000-memory.dmp

Filesize
48KB

Download
memory/2124-11-0x00007FF9069A0000-0x00007FF907462000-memory.dmp

Filesize
10.8MB

Download
memory/2124-32-0x00007FF9069A0000-0x00007FF907462000-memory.dmp

Filesize
10.8MB

Download
memory/2124-17-0x0000000002B70000-0x0000000002B7C000-memory.dmp

Filesize
48KB

Download
memory/2124-0-0x00007FF9069A3000-0x00007FF9069A5000-memory.dmp

Filesize
8KB

Download
memory/2124-13-0x0000000002CD0000-0x0000000002CE8000-memory.dmp

Filesize
96KB

Download
memory/2124-10-0x000000001B570000-0x000000001B5C0000-memory.dmp

Filesize
320KB

Download
memory/2124-9-0x0000000002CB0000-0x0000000002CCC000-memory.dmp

Filesize
112KB

Download
memory/2124-7-0x00007FF9069A0000-0x00007FF907462000-memory.dmp

Filesize
10.8MB

Download
memory/2124-6-0x0000000001010000-0x000000000101E000-memory.dmp

Filesize
56KB

Download
memory/2124-4-0x00007FF9069A0000-0x00007FF907462000-memory.dmp

Filesize
10.8MB

Download
memory/2124-3-0x00007FF9069A0000-0x00007FF907462000-memory.dmp

Filesize
10.8MB

Download
memory/2124-2-0x00007FF9069A0000-0x00007FF907462000-memory.dmp

Filesize
10.8MB

Download
memory/4288-75-0x000001C655CE0000-0x000001C655D02000-memory.dmp

Filesize
136KB

Download