dcrat | 894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263

Analysis

max time kernel
117s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
Size

1.7MB
MD5

73714a883d186fc2d6443e3b7cc5983c
SHA1

7cd4a62912e86ef72ebba7d649d6f90b4ebe4709
SHA256

894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263
SHA512

b249387218345b11e10923a107cf9ff01b81a4c1e30dd72e91cf7ac210829cd00445db3a80d2f4280a7b0d03aba2f30eadbcaf3a33de7fb5d282e622d7f2108a
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv0:+THUxUoh1IF9gl2b

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	2952	schtasks.exe	82

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2604-1-0x0000000000530000-0x00000000006F0000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c13-30.dat	dcrat
behavioral2/files/0x000c000000023bcc-107.dat	dcrat
behavioral2/files/0x000b000000023bdd-118.dat	dcrat
behavioral2/files/0x000400000001e754-152.dat	dcrat
behavioral2/files/0x000b000000023c67-183.dat	dcrat
behavioral2/files/0x0009000000023c79-199.dat	dcrat
behavioral2/memory/2496-366-0x00000000004F0000-0x00000000006B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2956	powershell.exe
2080	powershell.exe
776	powershell.exe
1996	powershell.exe
1228	powershell.exe
4512	powershell.exe
3688	powershell.exe
2960	powershell.exe
2748	powershell.exe
768	powershell.exe
3176	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 5 IoCs

pid	Process
2496	StartMenuExperienceHost.exe
3960	StartMenuExperienceHost.exe
3616	StartMenuExperienceHost.exe
1956	StartMenuExperienceHost.exe
4164	StartMenuExperienceHost.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\upfc.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXDEFD.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Google\dllhost.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\upfc.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\7a0fd90576e088	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Windows Mail\sysmon.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Google\5940a34987c991	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\RCXCBB2.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXDCC8.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\sihost.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files\Crashpad\Idle.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Google\RCXE3F3.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXDCC9.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files\Crashpad\RCXD0A9.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXD7B4.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\886983d96e3d3e	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXD7B3.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\e6c9b481da804f	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Windows Mail\121e5b5079f7c0	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\RCXC6EC.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Google\dllhost.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\66fc9ff0ee96c2	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\ea1d8f6d871115	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXD530.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXD531.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\sihost.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\csrss.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Google\RCXE375.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\csrss.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files\Crashpad\Idle.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\RCXC6ED.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\RCXCBB3.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files\Crashpad\RCXD03B.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXDEDD.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\sysmon.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files\Crashpad\6ccacd8608530f	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\spoolsv.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Windows\Resources\Ease of Access Themes\unsecapp.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Windows\Resources\Ease of Access Themes\29c1c3cc0f7685	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\de-DE\RCXC912.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCXCE36.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Windows\de-DE\f3b6ecef712a24	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\de-DE\RCXC901.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\de-DE\spoolsv.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCXCE35.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\unsecapp.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	StartMenuExperienceHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1836	schtasks.exe
2496	schtasks.exe
1480	schtasks.exe
3916	schtasks.exe
1884	schtasks.exe
100	schtasks.exe
4780	schtasks.exe
2516	schtasks.exe
512	schtasks.exe
4924	schtasks.exe
3144	schtasks.exe
4496	schtasks.exe
4784	schtasks.exe
2732	schtasks.exe
2544	schtasks.exe
964	schtasks.exe
2864	schtasks.exe
4000	schtasks.exe
320	schtasks.exe
2608	schtasks.exe
1060	schtasks.exe
3044	schtasks.exe
2452	schtasks.exe
4956	schtasks.exe
2948	schtasks.exe
1136	schtasks.exe
3604	schtasks.exe
4368	schtasks.exe
4812	schtasks.exe
2132	schtasks.exe
4584	schtasks.exe
552	schtasks.exe
3000	schtasks.exe
4304	schtasks.exe
4028	schtasks.exe
228	schtasks.exe
3276	schtasks.exe
3300	schtasks.exe
1396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
3176	powershell.exe
3176	powershell.exe
2960	powershell.exe
2960	powershell.exe
776	powershell.exe
776	powershell.exe
2080	powershell.exe
2080	powershell.exe
2748	powershell.exe
2748	powershell.exe
1228	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2496	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3960	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3616	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1956	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4164	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 768	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	124
PID 2604 wrote to memory of 768	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	124
PID 2604 wrote to memory of 776	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	125
PID 2604 wrote to memory of 776	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	125
PID 2604 wrote to memory of 2080	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	126
PID 2604 wrote to memory of 2080	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	126
PID 2604 wrote to memory of 2748	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	127
PID 2604 wrote to memory of 2748	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	127
PID 2604 wrote to memory of 2960	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	128
PID 2604 wrote to memory of 2960	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	128
PID 2604 wrote to memory of 2956	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	129
PID 2604 wrote to memory of 2956	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	129
PID 2604 wrote to memory of 3688	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	130
PID 2604 wrote to memory of 3688	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	130
PID 2604 wrote to memory of 4512	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	131
PID 2604 wrote to memory of 4512	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	131
PID 2604 wrote to memory of 1228	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	132
PID 2604 wrote to memory of 1228	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	132
PID 2604 wrote to memory of 1996	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	133
PID 2604 wrote to memory of 1996	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	133
PID 2604 wrote to memory of 3176	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	134
PID 2604 wrote to memory of 3176	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	134
PID 2604 wrote to memory of 2496	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	146
PID 2604 wrote to memory of 2496	2604	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	146
PID 2496 wrote to memory of 3456	2496	StartMenuExperienceHost.exe	148
PID 2496 wrote to memory of 3456	2496	StartMenuExperienceHost.exe	148
PID 2496 wrote to memory of 1000	2496	StartMenuExperienceHost.exe	149
PID 2496 wrote to memory of 1000	2496	StartMenuExperienceHost.exe	149
PID 3456 wrote to memory of 3960	3456	WScript.exe	155
PID 3456 wrote to memory of 3960	3456	WScript.exe	155
PID 3960 wrote to memory of 2132	3960	StartMenuExperienceHost.exe	156
PID 3960 wrote to memory of 2132	3960	StartMenuExperienceHost.exe	156
PID 3960 wrote to memory of 3684	3960	StartMenuExperienceHost.exe	157
PID 3960 wrote to memory of 3684	3960	StartMenuExperienceHost.exe	157
PID 2132 wrote to memory of 3616	2132	WScript.exe	158
PID 2132 wrote to memory of 3616	2132	WScript.exe	158
PID 3616 wrote to memory of 4800	3616	StartMenuExperienceHost.exe	159
PID 3616 wrote to memory of 4800	3616	StartMenuExperienceHost.exe	159
PID 3616 wrote to memory of 2228	3616	StartMenuExperienceHost.exe	160
PID 3616 wrote to memory of 2228	3616	StartMenuExperienceHost.exe	160
PID 4800 wrote to memory of 1956	4800	WScript.exe	161
PID 4800 wrote to memory of 1956	4800	WScript.exe	161
PID 1956 wrote to memory of 952	1956	StartMenuExperienceHost.exe	162
PID 1956 wrote to memory of 952	1956	StartMenuExperienceHost.exe	162
PID 1956 wrote to memory of 2596	1956	StartMenuExperienceHost.exe	163
PID 1956 wrote to memory of 2596	1956	StartMenuExperienceHost.exe	163
PID 952 wrote to memory of 4164	952	WScript.exe	164
PID 952 wrote to memory of 4164	952	WScript.exe	164
PID 4164 wrote to memory of 5108	4164	StartMenuExperienceHost.exe	165
PID 4164 wrote to memory of 5108	4164	StartMenuExperienceHost.exe	165
PID 4164 wrote to memory of 2860	4164	StartMenuExperienceHost.exe	166
PID 4164 wrote to memory of 2860	4164	StartMenuExperienceHost.exe	166

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
"C:\Users\Admin\AppData\Local\Temp\894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe
  "C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e004b65-2362-4827-9374-162f3276d910.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe
      "C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89ce5b3d-4137-4c4e-ad72-b50af8ac593a.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe
        
        "C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be027ba9-9f39-4985-a8d5-76d85121ba1a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe
        
        "C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\301db0c0-0d0a-4bfa-acf1-1462b2e1e6da.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe
        
        "C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d10c00c9-84de-41a7-99a5-e45214b11c5d.vbs"
        11⤵
        
        PID:5108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8d86f87-378d-48ba-9cca-3c9d8a35ce57.vbs"
        11⤵
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac41ada6-ff6b-49a5-88cc-9801b6ded877.vbs"
        9⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38ee18b2-4caf-4dfa-abca-2df6b2e2aca7.vbs"
        7⤵
        
        PID:2228
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ecbe9e6-407e-4559-8c81-26a597f9f179.vbs"
        5⤵
        
        PID:3684
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\590dd906-704d-4d37-81c3-9404d35c225d.vbs"
    3⤵
    PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Ease of Access Themes\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Crashpad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\dllhost.exe

Filesize
1.7MB

MD5
a9d4d887306b4af78711d9af84e2bfc9

SHA1
9d2440619b5e17d9b57674afb1dd79418c765b25

SHA256
1727e125a1cac1d54f1f6489a52d1c9750879dead6fe6c1c210dd355e6ae9b8f

SHA512
dfb28b946da351b4a9af02e4af59736577981c1713e8ae02cff6b91e833ac633393cb9fcda0e459f37ee5b8bb4934552cedea97647ac6887ea7ea6df13fb1c67

Download Submit
C:\Program Files\Crashpad\Idle.exe

Filesize
1.7MB

MD5
73714a883d186fc2d6443e3b7cc5983c

SHA1
7cd4a62912e86ef72ebba7d649d6f90b4ebe4709

SHA256
894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263

SHA512
b249387218345b11e10923a107cf9ff01b81a4c1e30dd72e91cf7ac210829cd00445db3a80d2f4280a7b0d03aba2f30eadbcaf3a33de7fb5d282e622d7f2108a

Download Submit
C:\Program Files\Crashpad\Idle.exe

Filesize
1.7MB

MD5
3b6909d5c5da1d775a9dabc40f60cab3

SHA1
4cf9a4bceb1e1a185c6ae0048dad26a31a31cbfd

SHA256
cfde88d5cb8799619d7cfa0c37d416789beb876dbaceca9480e243638bd62131

SHA512
166a60f181cc5f99bf57824adc60a45ef6f7236d4beccf6c1ae362ca120f90afc660929c60c3cfa379f2636e9afbc719c08ee03d62a9fee0bf4c0a8245d498f9

Download Submit
C:\Recovery\WindowsRE\Registry.exe

Filesize
1.7MB

MD5
0a7be10ca3a738f0d94e4ae127ce1805

SHA1
69c39e0a42a761db80a2fca3ff1b3adca7b46a64

SHA256
cdbb2e0b9bccb5b1483a70a05f92222b4f388381870911464bda83e07a679343

SHA512
48a29e2ad0a0d027aaf9f2633413836bedfc77e7cfe9f317d0891744f92b7db47e093a3536ed3ad5dd3e95943aff9d6f5940e4bc7a64b3895dcb3ec3852a8075

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.7MB

MD5
36135d7a72569f7db005794c80f8ff4a

SHA1
0400aa5b5a6c90abf899cefea9291607be843cde

SHA256
6381431d7e1d4baab33e5f2d4511436b25a841786d284483350f2a3c90f59306

SHA512
2964f30ec01d15239c2438a8b68afb5fa55c54970e73df25f17c7ffbad46ee1c080fef12a1e37812c9d74b12901f4eebf657266e2fc6a7d30ffe0e7d5737b675

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Temp\301db0c0-0d0a-4bfa-acf1-1462b2e1e6da.vbs

Filesize
741B

MD5
ec7d03c271aa2603c7055bed885b6c1b

SHA1
444408d38992b8e3fee4f9513d4282fb6eb6e493

SHA256
bbc3a50552bdeb2ecd8f9f2f8befc2fb04fda88b6c8a9396cf9c0057fb3ef4f5

SHA512
9419e07db59db566d786a9d7fc8aca51a6753959c7b1b1a81ebdc157039c1d5f2a80d8c6f7ffccee08764d8ecc41195938ede852510448502710a4f89acfab49

Download Submit
C:\Users\Admin\AppData\Local\Temp\590dd906-704d-4d37-81c3-9404d35c225d.vbs

Filesize
517B

MD5
4f0a6bd50f145e9efe360dff899d6490

SHA1
94bf57d66da01a3ab2613ef83c97450490e5b849

SHA256
2ebbe4a15814fdcb578a5c32ae95e3018641189119673daf904edb71c0abc3f5

SHA512
392f4e8c76614f2962a099e5dff80129beced7aa9f50ed1b1c93a802990265654d56e1e79efffa7dc65cedc96e06d7ed3e542ae342209677a5d6c8baa225b26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e004b65-2362-4827-9374-162f3276d910.vbs

Filesize
741B

MD5
35a5d8cc50f308f2d987174d4bddd04a

SHA1
99cee71442a1e0df1c989767f7856bb14251be1b

SHA256
4734a28437a7c3865e22067c587a84857c914e660e0d699725108a0ba528ffcb

SHA512
b5d7e5c4203c13e0cd1d11600dfb064daca16af6c765228f47d486541d773c3f146d9e606600622d522d2263a39eabd7b6b018ceb28c0c09e2a1c13a1d88213c

Download Submit
C:\Users\Admin\AppData\Local\Temp\89ce5b3d-4137-4c4e-ad72-b50af8ac593a.vbs

Filesize
741B

MD5
0cfbde22ba9e18b6f1c1ecfe37ef5c20

SHA1
b709556707f708ce77c68c7e8eb95cd052f8ae0b

SHA256
2c8f5c594479f5eee4f68d9d2f640f797e3e9e995f737fa1abbf73944cb5d5cf

SHA512
a616dd1c666d534be246d64af600ffd281ab46631786efa2f11a553300d9589417f6aabc71f70dc8d26ce3357c16b357daf4acabaceab2c7fe92ad5719e18302

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0z34lqnq.xa4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\be027ba9-9f39-4985-a8d5-76d85121ba1a.vbs

Filesize
741B

MD5
8444037fd63068c635c0e7dfdea81d33

SHA1
3ce8847954721887e391619e5453380d321b0120

SHA256
4a706f56ec1b4e44c6383bf1eda137b44a415af09ff8a3c340801c26bfbbfbdf

SHA512
502df0256ae59ea55137f5e9465c0b3cb8272418f7e5f439e7e2c0cf437f7218c726a7f201e4a994cccd44dfc53930dbecd724ec9eb3172063c7e2c33fc92e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d10c00c9-84de-41a7-99a5-e45214b11c5d.vbs

Filesize
741B

MD5
7e0fa68c6114363a94771094723a2ec9

SHA1
4d99aa0a699a96fe5f84af67432ecd62d6d897ff

SHA256
0948dc03bf82e6a9417ef24734799706fbd64293be5ce26fd9c951f0864a9eb1

SHA512
b799b6598dcc1ab3534034be8480843890e74f065a6c61126feb4027ee2d891057f06c72ebcca546f0a4b96023aefeab55d8e3345373394da52a0022da6524d1

Download Submit
C:\Users\Public\Pictures\RCXE102.tmp

Filesize
1.7MB

MD5
3db93a6b9bf63640aee987fcad2bcd2a

SHA1
60322432ce858cc7d25f4d2ba64113b2b362502d

SHA256
1da04073f834d3cf1d46d7bdd656e66459b7d6b77a5b88256954ebe4e7661374

SHA512
00a54f31cedd7b239f62f493e39982842c15ec2040c7c38372dc6f670b7aab69c75854fb219ccd895b29d4497ccd6a5fb3c3c9320b10ef2a84f71c8b5f88917b

Download Submit
memory/1956-425-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/2496-366-0x00000000004F0000-0x00000000006B0000-memory.dmp

Filesize
1.8MB

Download
memory/2604-22-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-7-0x0000000002960000-0x0000000002976000-memory.dmp

Filesize
88KB

Download
memory/2604-167-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-143-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp

Filesize
8KB

Download
memory/2604-4-0x000000001B9C0000-0x000000001BA10000-memory.dmp

Filesize
320KB

Download
memory/2604-204-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-10-0x000000001B980000-0x000000001B988000-memory.dmp

Filesize
32KB

Download
memory/2604-5-0x0000000001040000-0x0000000001048000-memory.dmp

Filesize
32KB

Download
memory/2604-365-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-8-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/2604-3-0x0000000000CC0000-0x0000000000CDC000-memory.dmp

Filesize
112KB

Download
memory/2604-2-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-0-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp

Filesize
8KB

Download
memory/2604-6-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/2604-23-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-9-0x000000001B970000-0x000000001B97C000-memory.dmp

Filesize
48KB

Download
memory/2604-19-0x000000001BB40000-0x000000001BB4C000-memory.dmp

Filesize
48KB

Download
memory/2604-17-0x000000001BB20000-0x000000001BB28000-memory.dmp

Filesize
32KB

Download
memory/2604-18-0x000000001BB30000-0x000000001BB3C000-memory.dmp

Filesize
48KB

Download
memory/2604-15-0x000000001BC90000-0x000000001BC9A000-memory.dmp

Filesize
40KB

Download
memory/2604-1-0x0000000000530000-0x00000000006F0000-memory.dmp

Filesize
1.8MB

Download
memory/2604-12-0x000000001B990000-0x000000001B9A2000-memory.dmp

Filesize
72KB

Download
memory/2604-16-0x000000001BCA0000-0x000000001BCAE000-memory.dmp

Filesize
56KB

Download
memory/2604-14-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/2604-13-0x000000001BF40000-0x000000001C468000-memory.dmp

Filesize
5.2MB

Download
memory/2748-259-0x0000022C0E420000-0x0000022C0E442000-memory.dmp

Filesize
136KB

Download
memory/3960-402-0x000000001B460000-0x000000001B472000-memory.dmp

Filesize
72KB

Download