dcrat | be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2

Analysis

max time kernel
120s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
Size

1.7MB
MD5

5571c1c959664fea2858b3aeb11f3748
SHA1

e457759fa2e6dba172fa8fba428ebe7462c7fcb3
SHA256

be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2
SHA512

2cd7c9f59b5875258036167fa8a0c0104f64df510d95c4e87bf013056601a9db3c643b22e564c38e72868b6925b11e51aa8832078e7002e56b8e279331ac9be8
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvY:+THUxUoh1IF9gl2b

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	1728	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1728	schtasks.exe	82

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3024-1-0x00000000004C0000-0x0000000000680000-memory.dmp	dcrat
behavioral2/files/0x000e000000023bc2-30.dat	dcrat
behavioral2/files/0x000e000000023b96-104.dat	dcrat
behavioral2/files/0x0011000000023bc2-126.dat	dcrat
behavioral2/files/0x0009000000023c05-160.dat	dcrat
behavioral2/files/0x000a000000023c1e-171.dat	dcrat
behavioral2/files/0x000d000000023c4e-307.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4588	powershell.exe
1176	powershell.exe
744	powershell.exe
3676	powershell.exe
5064	powershell.exe
4188	powershell.exe
2328	powershell.exe
1372	powershell.exe
2836	powershell.exe
5048	powershell.exe
4012	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 8 IoCs

pid	Process
4564	lsass.exe
3184	lsass.exe
3720	lsass.exe
2248	lsass.exe
436	lsass.exe
1476	lsass.exe
3488	lsass.exe
4512	lsass.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\e6c9b481da804f	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\22eafd247d37c3	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXAE08.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files (x86)\Adobe\TextInputHost.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXAD8A.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Program Files (x86)\Adobe\TextInputHost.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Program Files\Windows Photo Viewer\c5b4cb5e9653cc	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX97CE.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX9C08.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXA867.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Program Files (x86)\Adobe\22eafd247d37c3	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Program Files\Windows Photo Viewer\services.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX97BE.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX9C07.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXA866.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\services.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Sun\Java\SppExtComObj.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXAAF8.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXAB08.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Windows\Provisioning\RCXB00D.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Windows\Sun\Java\SppExtComObj.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Windows\Downloaded Program Files\38384e6a620884	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Windows\Sun\Java\RCX9E8A.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Windows\Sun\Java\RCX9E8B.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Windows\Downloaded Program Files\SearchApp.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Windows\Sun\Java\e1ef82546f0b02	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Windows\Downloaded Program Files\SearchApp.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Windows\Provisioning\StartMenuExperienceHost.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Windows\Provisioning\StartMenuExperienceHost.exe	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File created	C:\Windows\Provisioning\55b276f4edf653	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
File opened for modification	C:\Windows\Provisioning\RCXB08B.tmp	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2036	schtasks.exe
4692	schtasks.exe
1276	schtasks.exe
1316	schtasks.exe
3092	schtasks.exe
4268	schtasks.exe
3124	schtasks.exe
4752	schtasks.exe
2084	schtasks.exe
4896	schtasks.exe
2128	schtasks.exe
3060	schtasks.exe
112	schtasks.exe
4624	schtasks.exe
4944	schtasks.exe
4028	schtasks.exe
4504	schtasks.exe
3180	schtasks.exe
3176	schtasks.exe
4872	schtasks.exe
3196	schtasks.exe
3360	schtasks.exe
220	schtasks.exe
3220	schtasks.exe
2920	schtasks.exe
1920	schtasks.exe
1052	schtasks.exe
3516	schtasks.exe
776	schtasks.exe
4512	schtasks.exe
1280	schtasks.exe
392	schtasks.exe
3188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
5064	powershell.exe
5064	powershell.exe
2836	powershell.exe
2836	powershell.exe
4012	powershell.exe
4012	powershell.exe
1372	powershell.exe
1372	powershell.exe
744	powershell.exe
744	powershell.exe
2328	powershell.exe
2328	powershell.exe
4588	powershell.exe
4588	powershell.exe
5048	powershell.exe
5048	powershell.exe
3676	powershell.exe
3676	powershell.exe
1176	powershell.exe
1176	powershell.exe
4188	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	4564	lsass.exe
Token: SeDebugPrivilege	3184	lsass.exe
Token: SeDebugPrivilege	3720	lsass.exe
Token: SeDebugPrivilege	2248	lsass.exe
Token: SeDebugPrivilege	436	lsass.exe
Token: SeDebugPrivilege	1476	lsass.exe
Token: SeDebugPrivilege	3488	lsass.exe
Token: SeDebugPrivilege	4512	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 4188	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	118
PID 3024 wrote to memory of 4188	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	118
PID 3024 wrote to memory of 4012	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	119
PID 3024 wrote to memory of 4012	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	119
PID 3024 wrote to memory of 5064	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	120
PID 3024 wrote to memory of 5064	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	120
PID 3024 wrote to memory of 5048	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	121
PID 3024 wrote to memory of 5048	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	121
PID 3024 wrote to memory of 2836	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	122
PID 3024 wrote to memory of 2836	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	122
PID 3024 wrote to memory of 1372	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	123
PID 3024 wrote to memory of 1372	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	123
PID 3024 wrote to memory of 3676	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	124
PID 3024 wrote to memory of 3676	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	124
PID 3024 wrote to memory of 2328	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	125
PID 3024 wrote to memory of 2328	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	125
PID 3024 wrote to memory of 744	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	126
PID 3024 wrote to memory of 744	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	126
PID 3024 wrote to memory of 1176	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	127
PID 3024 wrote to memory of 1176	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	127
PID 3024 wrote to memory of 4588	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	128
PID 3024 wrote to memory of 4588	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	128
PID 3024 wrote to memory of 3124	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	140
PID 3024 wrote to memory of 3124	3024	be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe	140
PID 3124 wrote to memory of 4208	3124	cmd.exe	142
PID 3124 wrote to memory of 4208	3124	cmd.exe	142
PID 3124 wrote to memory of 4564	3124	cmd.exe	145
PID 3124 wrote to memory of 4564	3124	cmd.exe	145
PID 4564 wrote to memory of 2448	4564	lsass.exe	146
PID 4564 wrote to memory of 2448	4564	lsass.exe	146
PID 4564 wrote to memory of 3668	4564	lsass.exe	147
PID 4564 wrote to memory of 3668	4564	lsass.exe	147
PID 2448 wrote to memory of 3184	2448	WScript.exe	150
PID 2448 wrote to memory of 3184	2448	WScript.exe	150
PID 3184 wrote to memory of 4240	3184	lsass.exe	151
PID 3184 wrote to memory of 4240	3184	lsass.exe	151
PID 3184 wrote to memory of 3120	3184	lsass.exe	152
PID 3184 wrote to memory of 3120	3184	lsass.exe	152
PID 4240 wrote to memory of 3720	4240	WScript.exe	155
PID 4240 wrote to memory of 3720	4240	WScript.exe	155
PID 3720 wrote to memory of 4932	3720	lsass.exe	156
PID 3720 wrote to memory of 4932	3720	lsass.exe	156
PID 3720 wrote to memory of 1888	3720	lsass.exe	157
PID 3720 wrote to memory of 1888	3720	lsass.exe	157
PID 4932 wrote to memory of 2248	4932	WScript.exe	158
PID 4932 wrote to memory of 2248	4932	WScript.exe	158
PID 2248 wrote to memory of 4944	2248	lsass.exe	159
PID 2248 wrote to memory of 4944	2248	lsass.exe	159
PID 2248 wrote to memory of 4920	2248	lsass.exe	160
PID 2248 wrote to memory of 4920	2248	lsass.exe	160
PID 4944 wrote to memory of 436	4944	WScript.exe	161
PID 4944 wrote to memory of 436	4944	WScript.exe	161
PID 436 wrote to memory of 2592	436	lsass.exe	162
PID 436 wrote to memory of 2592	436	lsass.exe	162
PID 436 wrote to memory of 5068	436	lsass.exe	163
PID 436 wrote to memory of 5068	436	lsass.exe	163
PID 2592 wrote to memory of 1476	2592	WScript.exe	164
PID 2592 wrote to memory of 1476	2592	WScript.exe	164
PID 1476 wrote to memory of 2292	1476	lsass.exe	165
PID 1476 wrote to memory of 2292	1476	lsass.exe	165
PID 1476 wrote to memory of 4236	1476	lsass.exe	166
PID 1476 wrote to memory of 4236	1476	lsass.exe	166
PID 2292 wrote to memory of 3488	2292	WScript.exe	167
PID 2292 wrote to memory of 3488	2292	WScript.exe	167

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe
"C:\Users\Admin\AppData\Local\Temp\be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1vwDPskygt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4208
- - C:\Users\Admin\Contacts\lsass.exe
    "C:\Users\Admin\Contacts\lsass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24f4ee05-eba1-43bd-8b8a-d3ef40ecd43d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Users\Admin\Contacts\lsass.exe
        
        C:\Users\Admin\Contacts\lsass.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45edbe16-22a8-454c-9d0b-31ee274d12d2.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Users\Admin\Contacts\lsass.exe
        
        C:\Users\Admin\Contacts\lsass.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd55b4e3-a3f9-4180-b2b2-13a996a51f8b.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Users\Admin\Contacts\lsass.exe
        
        C:\Users\Admin\Contacts\lsass.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bbeb3e6-55c5-4637-96d0-a4c339dec237.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Users\Admin\Contacts\lsass.exe
        
        C:\Users\Admin\Contacts\lsass.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40d5ca53-8899-49f4-a28f-9fe8a74f9c87.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Users\Admin\Contacts\lsass.exe
        
        C:\Users\Admin\Contacts\lsass.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2af600a5-e20f-47c3-9f90-a363f44b8483.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Users\Admin\Contacts\lsass.exe
        
        C:\Users\Admin\Contacts\lsass.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6eab1896-19e4-4481-a70c-b3a5939849b8.vbs"
        16⤵
        
        PID:400
        
        C:\Users\Admin\Contacts\lsass.exe
        
        C:\Users\Admin\Contacts\lsass.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a9207ae-bcdc-4ffd-9702-8749d4be3d58.vbs"
        18⤵
        
        PID:4680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9efb8f1d-a601-4c41-9de3-4e592e4e6b2d.vbs"
        18⤵
        
        PID:4980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32e1c0fa-2eec-464c-b423-9d3ba7d7819b.vbs"
        16⤵
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4f5b9a6-4ee2-4dd0-81b2-2def38076550.vbs"
        14⤵
        
        PID:4236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da493d59-99de-4796-a119-2e155f52715c.vbs"
        12⤵
        
        PID:5068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3acd405-7bde-4e56-9499-fde748abceb9.vbs"
        10⤵
        
        PID:4920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9a7b068-2dbd-4ec9-a2ff-52f2bfc100b9.vbs"
        8⤵
        
        PID:1888
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\141dc8e3-699c-4504-914e-87b2ba822f0c.vbs"
        6⤵
        
        PID:3120
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ed48519-c35b-4615-9270-2932af01a01a.vbs"
      4⤵
      PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Sun\Java\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\Sun\Java\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Contacts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Provisioning\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\services.exe

Filesize
1.7MB

MD5
2023be13280b8363859188e3c4dab26d

SHA1
cbde6325ee62cca91a8942ce4693cd68dd8e415f

SHA256
da8d190dd40d10d12a5913f07885ff961c5d59d31f26671b53d25fbe3a77d97b

SHA512
65cc68e8317d04fcf4c33194ce73a13c8be048659df05d61304019c217d90aee7848cf64841d40c7608d41c5c284eebf3f13f1f1a74e7b7827a492e54e51c8ad

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.7MB

MD5
ff599ad22984b3fdb20e84e0309e61f1

SHA1
5a725b7be808c7a54f0877e23ca24c093236be74

SHA256
29813e46211430f3b2d7942d72518d83e93b6b31b5b2a63bb7554acfdb1db6ea

SHA512
bd2f89b03861c359c056be5c32c9ca4fae394867d4186cfaa1622057283cd6b1d5d644588f0be865d4a4018a70e35f919e681d40b0c8ad1aed418f3630d2207a

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.7MB

MD5
5571c1c959664fea2858b3aeb11f3748

SHA1
e457759fa2e6dba172fa8fba428ebe7462c7fcb3

SHA256
be98b63dc5c3ebadbf9e301ab0ae9258c8d70724f410ad18968a9056b88f7cf2

SHA512
2cd7c9f59b5875258036167fa8a0c0104f64df510d95c4e87bf013056601a9db3c643b22e564c38e72868b6925b11e51aa8832078e7002e56b8e279331ac9be8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a9207ae-bcdc-4ffd-9702-8749d4be3d58.vbs

Filesize
709B

MD5
834d922457d15d6711ecc784a65ce2d5

SHA1
9139531fdedf626becef243e00477f97a8730a46

SHA256
67c9a44df59edd0902c8b35dfc8a5515a6830f315e257ea27a0c6e08ab7d468b

SHA512
4ab1ab142c5dd2090bb862fd0cb01a839dcf3d1792a5c7780d62edc8dec3067174e8ac0113994b877aa00fa6b0787022fea16fe6726f0a5e1f3dfaaf481c4385

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vwDPskygt.bat

Filesize
198B

MD5
c3ce082ecc1bd78ec2b526a2024f826f

SHA1
921949f5d5c2d58f3121d03cee8f9a9580426bf0

SHA256
0c0d044fbca534cfdfde10f21123858f847dda9ce67cf2c9dc3aa7e494ed7375

SHA512
a82f3143224a815b633a6bb849e9318a2d307941ddbca56ffb133bd66bf022dfd5283ab19a7dac0161d497c709680b0836f18d2b321faff238e6d52d3373bd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\24f4ee05-eba1-43bd-8b8a-d3ef40ecd43d.vbs

Filesize
709B

MD5
f7c942a9def650eb43c7bf52e2012772

SHA1
2a9312cb3240af49980b5cd464fb97e8cbc2e170

SHA256
2ac3bd9c61feec8f62a64c45ec0a88c137a24e5473f9af90aaa62dc1b1180500

SHA512
a17e1a32d389123dd902d601e24f475b32157424520334ff976a3c9143e78c15d282047362d5aa6b8dac1a65d0679667210a60e4d4702c7fad8060263b31d316

Download Submit
C:\Users\Admin\AppData\Local\Temp\2af600a5-e20f-47c3-9f90-a363f44b8483.vbs

Filesize
709B

MD5
41f7a2ea28d8710391c894aebfe21500

SHA1
d1d05c6740d5315321309c084f14e8c6717f5713

SHA256
6e61fc531a57c7fbc032dc829954c718b3cb01e2ec45c9b3d03b43a3e721f18c

SHA512
646438d34d1448713efc131d993abeb63700388a9e9a40a994fd6e83a775b4fe752c0922fa3c7dc550745db05a12e76fc59a856ad8d8e7ab8a4317ec0e5096d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\40d5ca53-8899-49f4-a28f-9fe8a74f9c87.vbs

Filesize
708B

MD5
13e915841b2dec35cdadc88e1493837d

SHA1
8edaaa9a21996d96f530925064e782cb1ea2f8da

SHA256
758c0958a4119af0cdc4d96f3969f93b393272ce9eae992f71040125e32ddb12

SHA512
a1051e304f473ff689d0520b4cbd0c68d6730182a9a4c3e72809dff56885d66601f907a13142f4fd64a3453452f9579dfef6b9c7529f01acf9424d9a31867602

Download Submit
C:\Users\Admin\AppData\Local\Temp\45edbe16-22a8-454c-9d0b-31ee274d12d2.vbs

Filesize
709B

MD5
6055bc538e6e53d2a2fb7d5d25497917

SHA1
3dce129a7fbd67891c9eae685ace9e97fce45246

SHA256
cd7dec1950240a18e50b4d87e3cf33772baf1f191550467365204aa182d2b9b6

SHA512
6306c40c2dd9efaf2563e582b53592aa12ad153ca739287870c69d37d30098fa876d2dc111eafc65f7a71bd4b12e074b074f247ab489278b8d26389bc40940d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bbeb3e6-55c5-4637-96d0-a4c339dec237.vbs

Filesize
709B

MD5
54b0cc497613175cd8c076fd603d2783

SHA1
109099156ba2aa3d2d20a0cebf2c4d79af10acfa

SHA256
bc2a596c5e52b0d273c89512c02427c9bcdbfd26a3f16a2fec16f088fced77f0

SHA512
dc7205f69cbdcbc02c895b27d0fd50f5d664c7bdbe96419e4f6d870f5db9a156727e5f18339b98a93d491f7fc20f0b23950ae632b1456457c8d427e273744a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\6eab1896-19e4-4481-a70c-b3a5939849b8.vbs

Filesize
709B

MD5
bd9781fd47385dc85a7ab3bc24a0bfac

SHA1
a03c8889b6934b60cfeec3ec07944cca681b4808

SHA256
2812bcb07ead2e3ec23f30b94e6903d1f37c01afa9569421410c1ddf4713103e

SHA512
3876216407304fd892cf1ff31fcf368404dc8705e3d22af80ee8da017ff69ee149a77660c4ec671a66c3e6a9cd1e9ab41f4800ef1722514f44c7d1346ef105c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ed48519-c35b-4615-9270-2932af01a01a.vbs

Filesize
485B

MD5
27e777ee718bebbbe080444cab794cf1

SHA1
62ebe046f39c2334b251124aa6ebaf6bd6c75c93

SHA256
4d5d9c8167c9d5d5ad36090e90acbd80cb26706b8d77a1855e834f39aa6340b5

SHA512
a1639833bcee0cb492e62eccad223b20016a500b731d843ac98bb25e3397b11b1ae086251d3cb4e18de8c16b4dc0d1ad1d9226b3e412eb96914b11b59d47bb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pojqc5my.e2z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd55b4e3-a3f9-4180-b2b2-13a996a51f8b.vbs

Filesize
709B

MD5
4f35f2f0878a57e9a89234f60e95f079

SHA1
96b9e4f285d40479bd7f14c2d08bcf1c4bc3fdbc

SHA256
8311b046d47a453ac549401cdaade4da6bc4aaf5b72c1649d5cacf5562465be5

SHA512
ea2b6c463a0f4ac64abe3c0ab257ea472db235e05e658ba2aa5712e24c6aca8ad75660cab78b0abdf1f413b81e763f3aaabb0b34378170da32e2c6fb8434d510

Download Submit
C:\Users\Admin\Contacts\lsass.exe

Filesize
1.7MB

MD5
6d5faed87aba710c68377628f3cd1ad0

SHA1
95e477a9a047e2bf841e7ff88d484fbdc33c9182

SHA256
7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8

SHA512
c4c5877da078e10e38391ab0d233815b41306ba9f7660a5a7bb3d5a5b9d82733a33411b29408a177798c35047ad8aa784c02bb32aa641d1d5fb633800b8a03de

Download Submit
C:\Users\Default\Pictures\RuntimeBroker.exe

Filesize
1.7MB

MD5
f6e4a4ba972c57c5820b3cf1f13fc847

SHA1
7b61634925df3e9f94e2d1f5ffdade99b630370d

SHA256
a5a90aca5af87d30ffeee50339523518b10d718827a319ec3cef3a41d3615d4c

SHA512
549eaf854707ec0eb94169b8a9133d5707f6cc34a2bacc14fb763f042c749a1f8892cc80773e1c226a8d71c454ecbc89141655124d4df411290892c929954197

Download Submit
C:\Windows\Provisioning\StartMenuExperienceHost.exe

Filesize
1.7MB

MD5
eb37a0b7d13fe547e451c55e1eac8431

SHA1
eea4b6a61bb2d16e91108c831a35ebf4cad8d15e

SHA256
eed6178ae89748ba1f008117d733d9e1a8d66e96326405f3c25aad98d7a255c2

SHA512
158fc1b1af871263bd0c394bc1a988f9137effc0b3992a0b6c8787fb08a9a3ab15bd1aa6b5015c2cf99f7ecf679bbc6e701158c55a5a3324f4ef57d34ea54b14

Download Submit
memory/1476-366-0x000000001CB40000-0x000000001CB52000-memory.dmp

Filesize
72KB

Download
memory/3024-6-0x000000001B210000-0x000000001B220000-memory.dmp

Filesize
64KB

Download
memory/3024-151-0x00007FFB52293000-0x00007FFB52295000-memory.dmp

Filesize
8KB

Download
memory/3024-12-0x000000001B920000-0x000000001B932000-memory.dmp

Filesize
72KB

Download
memory/3024-10-0x000000001B910000-0x000000001B918000-memory.dmp

Filesize
32KB

Download
memory/3024-19-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/3024-13-0x000000001BEE0000-0x000000001C408000-memory.dmp

Filesize
5.2MB

Download
memory/3024-200-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/3024-15-0x000000001BAB0000-0x000000001BABA000-memory.dmp

Filesize
40KB

Download
memory/3024-16-0x000000001BAC0000-0x000000001BACE000-memory.dmp

Filesize
56KB

Download
memory/3024-17-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/3024-18-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/3024-14-0x000000001B950000-0x000000001B95C000-memory.dmp

Filesize
48KB

Download
memory/3024-1-0x00000000004C0000-0x0000000000680000-memory.dmp

Filesize
1.8MB

Download
memory/3024-20-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/3024-174-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/3024-9-0x000000001B2B0000-0x000000001B2BC000-memory.dmp

Filesize
48KB

Download
memory/3024-8-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/3024-7-0x000000001B290000-0x000000001B2A6000-memory.dmp

Filesize
88KB

Download
memory/3024-2-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/3024-23-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

Filesize
10.8MB

Download
memory/3024-5-0x000000001B200000-0x000000001B208000-memory.dmp

Filesize
32KB

Download
memory/3024-4-0x000000001B960000-0x000000001B9B0000-memory.dmp

Filesize
320KB

Download
memory/3024-0-0x00007FFB52293000-0x00007FFB52295000-memory.dmp

Filesize
8KB

Download
memory/3024-3-0x0000000002800000-0x000000000281C000-memory.dmp

Filesize
112KB

Download
memory/3720-332-0x000000001BDF0000-0x000000001BE02000-memory.dmp

Filesize
72KB

Download
memory/5064-190-0x000001636E000000-0x000001636E022000-memory.dmp

Filesize
136KB

Download