dcrat | 3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbd

Analysis

max time kernel
119s
max time network
116s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
Size

1.7MB
MD5

7a2f8094d8034feeebb4b6eaa3fde100
SHA1

07938320b644032d9955e95234f0abed26ea675c
SHA256

3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbd
SHA512

cb967bd15df2ed22bd2e74a00a603e3fe98b043cce3587aaef0054d5f44fb34718a361fb0c758b3c93071fb8992515f6aff75603cf2535488712c41a5750c06a
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2572	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1792-1-0x0000000000BB0000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/files/0x0006000000019926-29.dat	dcrat
behavioral1/files/0x0006000000019cba-50.dat	dcrat
behavioral1/files/0x0009000000018b68-61.dat	dcrat
behavioral1/memory/1540-211-0x00000000010E0000-0x00000000012A0000-memory.dmp	dcrat
behavioral1/memory/2384-264-0x0000000000130000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/880-277-0x0000000000D10000-0x0000000000ED0000-memory.dmp	dcrat
behavioral1/memory/2940-301-0x00000000002E0000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2828-313-0x0000000000D80000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/1672-325-0x0000000000DE0000-0x0000000000FA0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2616	powershell.exe
2544	powershell.exe
2616	powershell.exe
2836	powershell.exe
2284	powershell.exe
2884	powershell.exe
2920	powershell.exe
2120	powershell.exe
2004	powershell.exe
1272	powershell.exe
2212	powershell.exe
2996	powershell.exe
2172	powershell.exe
2228	powershell.exe
2472	powershell.exe
2000	powershell.exe
2184	powershell.exe
2892	powershell.exe
2928	powershell.exe
2208	powershell.exe
2580	powershell.exe
3036	powershell.exe
2104	powershell.exe
1732	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe

Executes dropped EXE 9 IoCs

pid	Process
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1540	powershell.exe
560	powershell.exe
2384	powershell.exe
880	powershell.exe
2328	powershell.exe
2940	powershell.exe
2828	powershell.exe
1672	powershell.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\e978f868350d50	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\088424020bedd6	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Windows Portable Devices\088424020bedd6	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\MSBuild\conhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\conhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\powershell.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Google\Chrome\WmiPrvSE.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\conhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\WmiPrvSE.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\MSBuild\conhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\powershell.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\Google\Chrome\WmiPrvSE.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\conhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\WmiPrvSE.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\24dbde2999530e	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Windows Portable Devices\conhost.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files (x86)\MSBuild\088424020bedd6	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Program Files\Google\Chrome\24dbde2999530e	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\System.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\System.exe	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
File created	C:\Windows\Performance\WinSAT\DataStore\27d1bcfc3c54e0	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2396	schtasks.exe
2700	schtasks.exe
1572	schtasks.exe
1948	schtasks.exe
2424	schtasks.exe
628	schtasks.exe
1696	schtasks.exe
3068	schtasks.exe
1968	schtasks.exe
1468	schtasks.exe
2044	schtasks.exe
2812	schtasks.exe
2784	schtasks.exe
1856	schtasks.exe
1980	schtasks.exe
2564	schtasks.exe
1844	schtasks.exe
2720	schtasks.exe
1012	schtasks.exe
1272	schtasks.exe
2592	schtasks.exe
2940	schtasks.exe
2088	schtasks.exe
2420	schtasks.exe
344	schtasks.exe
2744	schtasks.exe
2960	schtasks.exe
2412	schtasks.exe
2548	schtasks.exe
1332	schtasks.exe
1320	schtasks.exe
2788	schtasks.exe
912	schtasks.exe
2336	schtasks.exe
2876	schtasks.exe
1148	schtasks.exe
1816	schtasks.exe
3052	schtasks.exe
2952	schtasks.exe
2688	schtasks.exe
1992	schtasks.exe
1480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
3036	powershell.exe
2928	powershell.exe
2284	powershell.exe
2616	powershell.exe
2836	powershell.exe
2208	powershell.exe
2892	powershell.exe
2228	powershell.exe
2212	powershell.exe
2172	powershell.exe
2996	powershell.exe
2104	powershell.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
Token: SeDebugPrivilege	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2212	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	40
PID 1792 wrote to memory of 2212	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	40
PID 1792 wrote to memory of 2212	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	40
PID 1792 wrote to memory of 2616	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	41
PID 1792 wrote to memory of 2616	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	41
PID 1792 wrote to memory of 2616	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	41
PID 1792 wrote to memory of 2836	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	42
PID 1792 wrote to memory of 2836	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	42
PID 1792 wrote to memory of 2836	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	42
PID 1792 wrote to memory of 2892	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	43
PID 1792 wrote to memory of 2892	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	43
PID 1792 wrote to memory of 2892	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	43
PID 1792 wrote to memory of 2928	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	44
PID 1792 wrote to memory of 2928	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	44
PID 1792 wrote to memory of 2928	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	44
PID 1792 wrote to memory of 2996	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	45
PID 1792 wrote to memory of 2996	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	45
PID 1792 wrote to memory of 2996	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	45
PID 1792 wrote to memory of 3036	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	46
PID 1792 wrote to memory of 3036	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	46
PID 1792 wrote to memory of 3036	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	46
PID 1792 wrote to memory of 2172	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	47
PID 1792 wrote to memory of 2172	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	47
PID 1792 wrote to memory of 2172	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	47
PID 1792 wrote to memory of 2228	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	48
PID 1792 wrote to memory of 2228	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	48
PID 1792 wrote to memory of 2228	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	48
PID 1792 wrote to memory of 2104	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	49
PID 1792 wrote to memory of 2104	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	49
PID 1792 wrote to memory of 2104	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	49
PID 1792 wrote to memory of 2208	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	51
PID 1792 wrote to memory of 2208	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	51
PID 1792 wrote to memory of 2208	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	51
PID 1792 wrote to memory of 2284	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	52
PID 1792 wrote to memory of 2284	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	52
PID 1792 wrote to memory of 2284	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	52
PID 1792 wrote to memory of 2204	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	64
PID 1792 wrote to memory of 2204	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	64
PID 1792 wrote to memory of 2204	1792	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	64
PID 2204 wrote to memory of 1732	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	98
PID 2204 wrote to memory of 1732	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	98
PID 2204 wrote to memory of 1732	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	98
PID 2204 wrote to memory of 2920	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	99
PID 2204 wrote to memory of 2920	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	99
PID 2204 wrote to memory of 2920	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	99
PID 2204 wrote to memory of 2120	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	100
PID 2204 wrote to memory of 2120	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	100
PID 2204 wrote to memory of 2120	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	100
PID 2204 wrote to memory of 2884	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	102
PID 2204 wrote to memory of 2884	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	102
PID 2204 wrote to memory of 2884	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	102
PID 2204 wrote to memory of 2616	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	103
PID 2204 wrote to memory of 2616	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	103
PID 2204 wrote to memory of 2616	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	103
PID 2204 wrote to memory of 2004	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	104
PID 2204 wrote to memory of 2004	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	104
PID 2204 wrote to memory of 2004	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	104
PID 2204 wrote to memory of 1272	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	105
PID 2204 wrote to memory of 1272	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	105
PID 2204 wrote to memory of 1272	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	105
PID 2204 wrote to memory of 2580	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	106
PID 2204 wrote to memory of 2580	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	106
PID 2204 wrote to memory of 2580	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	106
PID 2204 wrote to memory of 2472	2204	3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
"C:\Users\Admin\AppData\Local\Temp\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Users\Admin\AppData\Local\Temp\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe
  "C:\Users\Admin\AppData\Local\Temp\3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbdN.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\MSOCache\All Users\powershell.exe
    "C:\MSOCache\All Users\powershell.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\568d983e-9ec7-4b5a-93d7-592789497bed.vbs"
      4⤵
      PID:2768
    - - C:\MSOCache\All Users\powershell.exe
        
        "C:\MSOCache\All Users\powershell.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10be8d47-50a5-4ca7-a5df-5c8dab55cebf.vbs"
        6⤵
        
        PID:688
        
        C:\MSOCache\All Users\powershell.exe
        
        "C:\MSOCache\All Users\powershell.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fb6a611-77f3-4ba8-b92a-fa4928b5fbdc.vbs"
        8⤵
        
        PID:2760
        
        C:\MSOCache\All Users\powershell.exe
        
        "C:\MSOCache\All Users\powershell.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b26bda1-f576-43f2-bec4-84f02ca39f4d.vbs"
        10⤵
        
        PID:2208
        
        C:\MSOCache\All Users\powershell.exe
        
        "C:\MSOCache\All Users\powershell.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01bd3269-962e-438a-b7de-9bef57a87da4.vbs"
        12⤵
        
        PID:2784
        
        C:\MSOCache\All Users\powershell.exe
        
        "C:\MSOCache\All Users\powershell.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3af189b3-14a9-41c5-8ca3-14a100d9c092.vbs"
        14⤵
        
        PID:1332
        
        C:\MSOCache\All Users\powershell.exe
        
        "C:\MSOCache\All Users\powershell.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccf0274f-73ba-49f4-8b74-46bed3b245f1.vbs"
        16⤵
        
        PID:768
        
        C:\MSOCache\All Users\powershell.exe
        
        "C:\MSOCache\All Users\powershell.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f7bf830-c3d6-4cfb-962d-14870d2dd634.vbs"
        18⤵
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b9597b8-c165-4074-8b5e-b6855d5427ba.vbs"
        18⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4814ab4e-e3c0-4b39-864a-128c1f8ff126.vbs"
        16⤵
        
        PID:688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c59b347d-e01b-4918-bb1e-a9b60aab2acb.vbs"
        14⤵
        
        PID:940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4f1e8d3-dba3-4da3-9a5f-cf9a9a7a45a3.vbs"
        12⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ad0ff1b-9a84-4438-bbbd-d4b424db1c38.vbs"
        10⤵
        
        PID:1152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00f1759e-ffb6-46d3-8881-5a02ea312784.vbs"
        8⤵
        
        PID:2036
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32a6a3f0-8f3f-4f61-be52-9dcf52dc70a2.vbs"
        6⤵
        
        PID:2704
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c90c3b39-87c6-42e7-bace-20ce06920599.vbs"
      4⤵
      PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Videos\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\services.exe

Filesize
1.7MB

MD5
237c841b1eac6ee71b50e35d1e381e64

SHA1
92e7cb433465f0a71641a138cb36e96d64c0c078

SHA256
9bef4e8548abce91cf91acf27dfd2b2eb3a9973701557d2d3f2676b3f88f9e8e

SHA512
8703f3ca433606e42681e65f67d1edce0ae375be7ca438891e87c6a36b816e10858295614488c07da97b6f6497661876267bc927a29b01ddd18e4c992ca8754d

Download Submit
C:\Users\Admin\AppData\Local\Temp\01bd3269-962e-438a-b7de-9bef57a87da4.vbs

Filesize
712B

MD5
5e51021afa79f391f85a116f7acf8b92

SHA1
d8967d4de137e9994b08f1c1b341f69bc944d094

SHA256
f6c69ddbea85e854e451d798b23f157544f0854fdf11bf3139ab0987360b4c0c

SHA512
331b745a8706b2ec3c5c3864592110d70171a183235300ff5ae8bb81a94671b68aa6470da29f2f8c58f4f590538a73307e312571ab8603460ad4e2cc102f4af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10be8d47-50a5-4ca7-a5df-5c8dab55cebf.vbs

Filesize
711B

MD5
63a1d4132e78e684a4c4663d30e6efea

SHA1
cd4db6a16667df4b7588d32c6f89d8fdbbdce283

SHA256
0f075d538571436aff2af62ea28b6e1f8d2d99cc6eb3cd4c496ff465bf84d4a7

SHA512
132308531d28132d76465ede6631584fb0c5ca1e3e2542056b4bb6991d39f5c1a9e304d987ef0f25df11df832073c39ce824ac2e9111195f0df1512573d6ec1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3af189b3-14a9-41c5-8ca3-14a100d9c092.vbs

Filesize
712B

MD5
88f28ec2341332d2a3dc8a17e44d5613

SHA1
303e269adeecde80dbc56db3be58e21b965dc87e

SHA256
cb2677ce2cdc4e53eb9ef5bbd920b21818012c24bafb7c4b97d1a9be0b083454

SHA512
ab45654715f7998e2a0b2b6a95e00ed57baea4d70a1fcfd6e32e38d50f9d52c8ac058797d4eaeeccbdd70a69ce51df7589868d152fe4de63a2071de72882b04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\568d983e-9ec7-4b5a-93d7-592789497bed.vbs

Filesize
712B

MD5
3c644bd91fdea4346ffdb5e0645c9ebf

SHA1
e932aa0d8c151a30134933aa8cad6e1d4bdfea7b

SHA256
150f5ec3287140709ce063760a40a4a756b3c2f8efa80ce519531e3e70a2f32e

SHA512
45f3603da0557b54f091859b041c771fa18acbc708e22bc3993a14d8ffb74a5db167a3fdba0a76d74da0bb2100853e856676aafe00e146d3f362b216fc60214c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f7bf830-c3d6-4cfb-962d-14870d2dd634.vbs

Filesize
712B

MD5
7df857de749d4e285580c4838c90ac98

SHA1
a9c46605864808ca246431361c1b0ff487bbd617

SHA256
ea1ac9cf0feafa2fd68b3a850bb5166569c220beeb9862fd08b9a7e459e27774

SHA512
176cb0c7a6c352efad875521693216eef299438870b57038fa893455cd1157c8ea9a536fdd792d6bc74563328bd325c6fcfdbd7532855cd5738691440f94055a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fb6a611-77f3-4ba8-b92a-fa4928b5fbdc.vbs

Filesize
712B

MD5
3d776456506d7dd923a5ce30bfad0685

SHA1
aea7b8fb0d1661a918d7a2ee21e567f2133bfbb3

SHA256
3d9066d411fc2a10bfd00b80d9e468a4927173b1cd52542b97a42dc3fbd35a39

SHA512
4ef10ea10229caad4619d4ac9b809f9805d52748d9c835635fc37425ecf262a767437b1825da00b42fb8f43d6450f3c1f17ed5af56501e853a0b3a6a271bb67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b26bda1-f576-43f2-bec4-84f02ca39f4d.vbs

Filesize
711B

MD5
b4e7af81a0217e51d44c9c603fb5d763

SHA1
d8cf3f502eda1222168a562baa5214cde5579ec0

SHA256
0a4b57d3d2f564e9db7c94898b8e225505d2212cd5ad05d3d0c020159f454aa0

SHA512
0fc376cd2d90311e30f316270988a29d7663b0e3078b27dc5224a7ebb567a8eafa1871b6064dd6bc672f49ce9daff196126ee4f30b5704b04259bb4bad56e55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX45D7.tmp

Filesize
1.7MB

MD5
7a2f8094d8034feeebb4b6eaa3fde100

SHA1
07938320b644032d9955e95234f0abed26ea675c

SHA256
3a11dc0b3c5c9f086247d448795f0e1065467c66b8d9b00b4c07361d2cf2bbbd

SHA512
cb967bd15df2ed22bd2e74a00a603e3fe98b043cce3587aaef0054d5f44fb34718a361fb0c758b3c93071fb8992515f6aff75603cf2535488712c41a5750c06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c90c3b39-87c6-42e7-bace-20ce06920599.vbs

Filesize
488B

MD5
818795a4a4e444f679ca84462c0d525a

SHA1
698368e0619b31970449909e2dee6297e0de6524

SHA256
30a22e55ef0aa86536f311abdf31a67c4349452a75b2a70e4727864096a9f609

SHA512
dbfaff7c805ee476c52ea322a4bfcb63bc6fb4e164d2a1af7658b8f72b99b8c80c9efdbd99ab200c1b298f1217bbfdeb93d33de3fe3157fba4f1f07e41b69f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccf0274f-73ba-49f4-8b74-46bed3b245f1.vbs

Filesize
712B

MD5
d8c26efe5eb0cd032607e7d030c4666a

SHA1
0088f05c84e836beef78ceffa4ddbef08d372bbf

SHA256
36556c79c71b4c2d4e778a4f6d4751799b1c7a03a11eca41a92f56179e081e19

SHA512
2b062999cc31942e6fe7f4fdb475d51bf03e0b13d10fee75d976a7c6db7b7ca30c3ea63436f257a73afda1f809f848baaad348e55c8cbccc6414a7a4f7241e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d001853075cdd1859a4a58801b89d02

SHA1
dca1c8e2d67828f849cc8ea70a989ee21b137863

SHA256
a765198cbc8c5c6925ebda58d146a42f3329ca18e18c2688070eaa43d188739b

SHA512
31dbb5f35efb3de5405ba0fa4b9586ed0d3dc87a5569d35f2d78fe0311b29be974ef1afd7c77f56d9e506d944e99582d56de8e706d22fee339b54f540aab4bfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wininit.exe

Filesize
1.7MB

MD5
4faea0e9f908fc01575a5ae74d457f72

SHA1
3b9a3fc4eaef1a2cd99e4c8e266b1de7c797e199

SHA256
b6c761cc7d00d55e2bf5d09608ed482e37fa2f66df7a21fd2a16e41833d82495

SHA512
f87bb21d01480d070b0e8c0496034d9ea0db750e4fa6c66705b138eedf4ec319cc74a50fd448657188a65f2c43093d7f0ec3a2283beff230f3152f60b4e02873

Download Submit
memory/880-278-0x0000000000D00000-0x0000000000D12000-memory.dmp

Filesize
72KB

Download
memory/880-277-0x0000000000D10000-0x0000000000ED0000-memory.dmp

Filesize
1.8MB

Download
memory/1540-211-0x00000000010E0000-0x00000000012A0000-memory.dmp

Filesize
1.8MB

Download
memory/1672-325-0x0000000000DE0000-0x0000000000FA0000-memory.dmp

Filesize
1.8MB

Download
memory/1732-186-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1732-181-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1792-12-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/1792-6-0x00000000004C0000-0x00000000004D6000-memory.dmp

Filesize
88KB

Download
memory/1792-15-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/1792-66-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/1792-9-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/1792-14-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/1792-13-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download
memory/1792-8-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/1792-19-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/1792-11-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/1792-7-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/1792-4-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1792-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/1792-0-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp

Filesize
4KB

Download
memory/1792-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/1792-17-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/1792-16-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/1792-2-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/1792-1-0x0000000000BB0000-0x0000000000D70000-memory.dmp

Filesize
1.8MB

Download
memory/2384-265-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/2384-264-0x0000000000130000-0x00000000002F0000-memory.dmp

Filesize
1.8MB

Download
memory/2828-313-0x0000000000D80000-0x0000000000F40000-memory.dmp

Filesize
1.8MB

Download
memory/2836-87-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2940-301-0x00000000002E0000-0x00000000004A0000-memory.dmp

Filesize
1.8MB

Download
memory/3036-88-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download