dcrat | 5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164

Analysis

max time kernel
120s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
Size

1.7MB
MD5

c50c35e409f7f805813e4ce6f1cc9d79
SHA1

57e8abebac7257fb14fb22ef794a3204540ef623
SHA256

5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164
SHA512

6aeeeaa5b491f3221db6b7afca69416ac46658d61c72e478c1ad817068e5ddb4617632b41c0aacf2b3d889300c56c0b762343fe6a4c1df668d5760d144a4bfdf
SSDEEP

49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvT:uTHUxUoh1IF9gl2K

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2804	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	2804	schtasks.exe	82

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1008-1-0x0000000000E30000-0x0000000000FF0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cc3-30.dat	dcrat
behavioral2/files/0x0010000000023ce3-119.dat	dcrat
behavioral2/files/0x000a000000023cc7-144.dat	dcrat
behavioral2/files/0x0007000000023ce5-155.dat	dcrat
behavioral2/memory/1360-330-0x0000000000590000-0x0000000000750000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4392	powershell.exe
1456	powershell.exe
4584	powershell.exe
4448	powershell.exe
4400	powershell.exe
2972	powershell.exe
4976	powershell.exe
2364	powershell.exe
1876	powershell.exe
1532	powershell.exe
780	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 7 IoCs

pid	Process
1360	RuntimeBroker.exe
3364	RuntimeBroker.exe
3076	RuntimeBroker.exe
1668	RuntimeBroker.exe
4340	RuntimeBroker.exe
692	RuntimeBroker.exe
656	RuntimeBroker.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Crashpad\9e8d7a4ca61bd9	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\System.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files\Crashpad\RCXBA03.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files\Crashpad\RuntimeBroker.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Program Files\Crashpad\RuntimeBroker.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files\Crashpad\RCXBA02.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\System.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\27d1bcfc3c54e0	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXA999.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXB045.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXB2C8.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXA988.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXB0C3.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXB346.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\spoolsv.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Windows\AppReadiness\5b884080fd4f94	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Windows\Prefetch\RCXAE30.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\RCXB76F.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\SppExtComObj.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Windows\AppReadiness\fontdrvhost.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Windows\AppReadiness\RCXA773.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\RCXB7ED.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Windows\Prefetch\f3b6ecef712a24	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Windows\schemas\CodeIntegrity\e1ef82546f0b02	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Windows\AppReadiness\RCXA774.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Windows\AppReadiness\fontdrvhost.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Windows\Prefetch\RCXAE31.tmp	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File opened for modification	C:\Windows\Prefetch\spoolsv.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
File created	C:\Windows\schemas\CodeIntegrity\SppExtComObj.exe	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5028	schtasks.exe
3524	schtasks.exe
3924	schtasks.exe
3084	schtasks.exe
2196	schtasks.exe
316	schtasks.exe
1944	schtasks.exe
5064	schtasks.exe
1636	schtasks.exe
468	schtasks.exe
1096	schtasks.exe
436	schtasks.exe
3344	schtasks.exe
3148	schtasks.exe
4568	schtasks.exe
2988	schtasks.exe
4988	schtasks.exe
3968	schtasks.exe
4972	schtasks.exe
1816	schtasks.exe
4848	schtasks.exe
1224	schtasks.exe
5004	schtasks.exe
1192	schtasks.exe
3956	schtasks.exe
4404	schtasks.exe
2016	schtasks.exe
4800	schtasks.exe
3528	schtasks.exe
4968	schtasks.exe
2388	schtasks.exe
2752	schtasks.exe
3596	schtasks.exe
1204	schtasks.exe
5072	schtasks.exe
4092	schtasks.exe
3480	schtasks.exe
5036	schtasks.exe
224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
4400	powershell.exe
4400	powershell.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
4392	powershell.exe
4392	powershell.exe
4976	powershell.exe
4976	powershell.exe
2364	powershell.exe
2364	powershell.exe
4448	powershell.exe
4448	powershell.exe
780	powershell.exe
780	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1360	RuntimeBroker.exe
Token: SeDebugPrivilege	3364	RuntimeBroker.exe
Token: SeDebugPrivilege	3076	RuntimeBroker.exe
Token: SeDebugPrivilege	1668	RuntimeBroker.exe
Token: SeDebugPrivilege	4340	RuntimeBroker.exe
Token: SeDebugPrivilege	692	RuntimeBroker.exe
Token: SeDebugPrivilege	656	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1532	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	125
PID 1008 wrote to memory of 1532	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	125
PID 1008 wrote to memory of 4392	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	126
PID 1008 wrote to memory of 4392	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	126
PID 1008 wrote to memory of 4400	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	127
PID 1008 wrote to memory of 4400	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	127
PID 1008 wrote to memory of 4448	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	128
PID 1008 wrote to memory of 4448	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	128
PID 1008 wrote to memory of 2972	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	129
PID 1008 wrote to memory of 2972	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	129
PID 1008 wrote to memory of 780	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	130
PID 1008 wrote to memory of 780	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	130
PID 1008 wrote to memory of 1876	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	131
PID 1008 wrote to memory of 1876	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	131
PID 1008 wrote to memory of 2364	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	132
PID 1008 wrote to memory of 2364	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	132
PID 1008 wrote to memory of 4584	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	133
PID 1008 wrote to memory of 4584	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	133
PID 1008 wrote to memory of 1456	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	134
PID 1008 wrote to memory of 1456	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	134
PID 1008 wrote to memory of 4976	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	135
PID 1008 wrote to memory of 4976	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	135
PID 1008 wrote to memory of 2860	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	147
PID 1008 wrote to memory of 2860	1008	5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe	147
PID 2860 wrote to memory of 2848	2860	cmd.exe	149
PID 2860 wrote to memory of 2848	2860	cmd.exe	149
PID 2860 wrote to memory of 1360	2860	cmd.exe	153
PID 2860 wrote to memory of 1360	2860	cmd.exe	153
PID 1360 wrote to memory of 3248	1360	RuntimeBroker.exe	154
PID 1360 wrote to memory of 3248	1360	RuntimeBroker.exe	154
PID 1360 wrote to memory of 1444	1360	RuntimeBroker.exe	155
PID 1360 wrote to memory of 1444	1360	RuntimeBroker.exe	155
PID 3248 wrote to memory of 3364	3248	WScript.exe	158
PID 3248 wrote to memory of 3364	3248	WScript.exe	158
PID 3364 wrote to memory of 3924	3364	RuntimeBroker.exe	159
PID 3364 wrote to memory of 3924	3364	RuntimeBroker.exe	159
PID 3364 wrote to memory of 2600	3364	RuntimeBroker.exe	160
PID 3364 wrote to memory of 2600	3364	RuntimeBroker.exe	160
PID 3924 wrote to memory of 3076	3924	WScript.exe	161
PID 3924 wrote to memory of 3076	3924	WScript.exe	161
PID 3076 wrote to memory of 4524	3076	RuntimeBroker.exe	162
PID 3076 wrote to memory of 4524	3076	RuntimeBroker.exe	162
PID 3076 wrote to memory of 3592	3076	RuntimeBroker.exe	163
PID 3076 wrote to memory of 3592	3076	RuntimeBroker.exe	163
PID 4524 wrote to memory of 1668	4524	WScript.exe	164
PID 4524 wrote to memory of 1668	4524	WScript.exe	164
PID 1668 wrote to memory of 1472	1668	RuntimeBroker.exe	165
PID 1668 wrote to memory of 1472	1668	RuntimeBroker.exe	165
PID 1668 wrote to memory of 2836	1668	RuntimeBroker.exe	166
PID 1668 wrote to memory of 2836	1668	RuntimeBroker.exe	166
PID 1472 wrote to memory of 4340	1472	WScript.exe	167
PID 1472 wrote to memory of 4340	1472	WScript.exe	167
PID 4340 wrote to memory of 3392	4340	RuntimeBroker.exe	168
PID 4340 wrote to memory of 3392	4340	RuntimeBroker.exe	168
PID 4340 wrote to memory of 2696	4340	RuntimeBroker.exe	169
PID 4340 wrote to memory of 2696	4340	RuntimeBroker.exe	169
PID 3392 wrote to memory of 692	3392	WScript.exe	170
PID 3392 wrote to memory of 692	3392	WScript.exe	170
PID 692 wrote to memory of 1360	692	RuntimeBroker.exe	171
PID 692 wrote to memory of 1360	692	RuntimeBroker.exe	171
PID 692 wrote to memory of 3640	692	RuntimeBroker.exe	172
PID 692 wrote to memory of 3640	692	RuntimeBroker.exe	172
PID 1360 wrote to memory of 656	1360	WScript.exe	173
PID 1360 wrote to memory of 656	1360	WScript.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe
"C:\Users\Admin\AppData\Local\Temp\5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p0ejfseoSl.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2848
- - C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
    "C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be03604a-767a-4f6a-a8fd-f67a7b17f99b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f1bbcf2-301f-4ee8-90ce-c27536a98421.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93f75b6d-77de-4c72-9fcc-78cd83d3430c.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9a76936-3f93-4656-a9fd-3d8f060291ea.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91ebc3de-ebea-4a2a-ac06-4cc0466bd40f.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b588892-da67-460e-a29d-dc317bb5df58.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68624aaf-b28f-41d7-ae7d-200040f558dd.vbs"
        16⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c81a1746-4553-403d-94e1-85c1ed44c59a.vbs"
        16⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f76ccd7-a6d0-47b8-b1f2-e051470f4c71.vbs"
        14⤵
        
        PID:3640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2652a19e-e055-481f-80f4-bfaa843e5cb6.vbs"
        12⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cae7fe03-79a7-4bbf-ae9d-8c67e22871bb.vbs"
        10⤵
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45931d44-fbf3-4370-8df4-1ce4c098ca7b.vbs"
        8⤵
        
        PID:3592
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cea2842d-b1a0-4a10-8fd1-e0da01ee8ed9.vbs"
        6⤵
        
        PID:2600
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f93ef417-5df2-4043-b8e7-0355868cdff0.vbs"
      4⤵
      PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Music\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Prefetch\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\schemas\CodeIntegrity\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\schemas\CodeIntegrity\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\CodeIntegrity\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe

Filesize
1.7MB

MD5
c50c35e409f7f805813e4ce6f1cc9d79

SHA1
57e8abebac7257fb14fb22ef794a3204540ef623

SHA256
5adfa270bb6f18bcfa609cec371928fa062bad30be9c5094f7dca9bf94274164

SHA512
6aeeeaa5b491f3221db6b7afca69416ac46658d61c72e478c1ad817068e5ddb4617632b41c0aacf2b3d889300c56c0b762343fe6a4c1df668d5760d144a4bfdf

Download Submit
C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe

Filesize
1.7MB

MD5
d2a21886595f7ca6a4ead8ddf0229407

SHA1
30fc6f5ebfa95ad0d29f52aa7c5ef74baa8c5a13

SHA256
a79d76e901dd684c31f1916b94813ca9a7cf9b59b2c44bdc3c46e2d40a6992eb

SHA512
40f9ea077629abc2f3e0589fe46429c56ea159101cffa0420d843954e48bb6b556be731f4f81c41ed6db027fb77650e06948cba64b3603a235103d030657ea7e

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\System.exe

Filesize
1.7MB

MD5
e0b8f5971491213b12e4d882258dc5d6

SHA1
42c3d466461607314f31cb912df4e2da4ae71b6e

SHA256
653e22ac4983ee14ef185d244b80c1b74e13d89021cc077839568cb1325a736c

SHA512
2006c2258e94805e34feafa2c7afcc08cb9f8b2127f85cc79a13bd3f119a9a7da3537bd13187cb1d4e6eed7daf016eb3371f1a793f74dedac731645eb03d1516

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.7MB

MD5
644d36a54fae38d1e72fee6b7007df54

SHA1
811fa71bb935f79fd96e2aa2fd6eceb9bbebc74e

SHA256
7bb02a354e26bed7147552c3710d699f175ffaf6b8dfe4eadbcaaff614973bb0

SHA512
ed3900b37824ca3a9f4795808d085fde05dc714adbcc79d5a08a22dfe6a2473b82641a52b4801d6716a3e529a7dae16236df5baf8b81b89f7b0f8f24207acbe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\68624aaf-b28f-41d7-ae7d-200040f558dd.vbs

Filesize
740B

MD5
2d63e0998c98810838847075ff67a6e1

SHA1
057997db8fb0dfd5c5771095d6beee64b2b54fbf

SHA256
9bf05f96e09de2c280067ddb310e83a0c142ab4cfea0e650c6a79225d962c25c

SHA512
24538f41787eb8eca5544e8c7cb80d1bc3201e161b13d3ff0b1c6250ff13f44d02004e4aac0cb7206210f1d8062da5df28572849dca75456a9634f23ae1f7b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f1bbcf2-301f-4ee8-90ce-c27536a98421.vbs

Filesize
741B

MD5
84deac9db9fcd2801d36f0d88c74d8da

SHA1
678999fad245e4e008ec65983585b0c0220c87db

SHA256
cb2e8410853e8aa9382ee0da3d3629b626955120d6d63f7df924de07e4ecf330

SHA512
1bb3a40c0eac074dd2a5b5bb8f1980b290a4cd8c992de69af16f7c15ba83e9d01e9855b6a651e26253cd91f0525e49a88364e37dce6a494029a9196c123fe02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\91ebc3de-ebea-4a2a-ac06-4cc0466bd40f.vbs

Filesize
741B

MD5
6e77ee4e5022062559239ff9c93659a7

SHA1
74340ccc35619e6cb9a2d963680ec3384a1e0d25

SHA256
e8cdba5f0bd57e6cb4b19f731c5ca97785a4a7a3c6e38ec7236227936c66e3da

SHA512
365b4ab814fe94dd2f0600bb7ae921ff186950b98a3b6315e4a0ae1f80d266c28f5ae423085dd484650cb6e2285fbfbe6d2b05483bdd2a8bae6624a6d002ee34

Download Submit
C:\Users\Admin\AppData\Local\Temp\93f75b6d-77de-4c72-9fcc-78cd83d3430c.vbs

Filesize
741B

MD5
06a24fdd1a79efa752de37d95e8fa9e2

SHA1
ce18e54db5478e7de925cf1f980781eca1c4af08

SHA256
f0514963951d65b13c200b6be730ccb620b6f9d660bf87c95fb1cfc2e5690af7

SHA512
f681cf5fe3f89266f7d53709d3d3b2453f4d3d0baf52426ca6b3d3bf44e2c4bfd3c29cda81ca59db04be108ec06f3f05ba4a590554168e0323f15d772949384b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b588892-da67-460e-a29d-dc317bb5df58.vbs

Filesize
740B

MD5
8ecfdc4ed86bda74959a201465c4e282

SHA1
1a19f6bbb8b32395f08eda00d0e00fa4e06b46fb

SHA256
54c78a54bf83f6c57d965475b38988a88bca71225a7e28565799cff0db1bfe4f

SHA512
96e14854351fffa15dc35615de64c4d56616637351fa8cd057b25cba86956e88ee3ec798149fb18ca577c14eeddf0d6f98a37f00fe2083fd7fb6a58ab1480066

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gvsiz1z0.2cm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\be03604a-767a-4f6a-a8fd-f67a7b17f99b.vbs

Filesize
741B

MD5
c13b69ff77c53641968c25c65815219a

SHA1
007e21e9086aa8bb2f6dca2fb488969042887e0f

SHA256
70130561e448c815efe9049d7b8e356e62fa98042eec5adc2e1a92f1254a31a2

SHA512
1d7f8b4cf532800dcb0ef540cba7dfd2b78162423e41cd0548ec66f49039e076100ba107a533edd21811952c19f7b790b58f1a0d3475ec85e8f70dc007579287

Download Submit
C:\Users\Admin\AppData\Local\Temp\f93ef417-5df2-4043-b8e7-0355868cdff0.vbs

Filesize
517B

MD5
34fe7165594c9c8f48904a551345d009

SHA1
3b7fb6aa8ab653360aa08f3077e308e657b1c565

SHA256
40ba48c6105e8baf0c1d62076c025470cec56de894c69eb67969f14ca7dae8c6

SHA512
0d1b1b13672a529e45c62163a0648bc6a8d0435146386327b9ba3d120c630f2294926dddda9af7a487e6057e0ccb7d30ea9f0cff99a46a396202cfcdfc91ad13

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9a76936-3f93-4656-a9fd-3d8f060291ea.vbs

Filesize
741B

MD5
56d8015f4da0e690f8b6533cb55f46b4

SHA1
1722af1022604e73c16a867f15840e446925c0b7

SHA256
55bd4e409b304a847f73e3e6954591ac4d9f8845b8524a6c232641ef073e75c0

SHA512
7cf5939fc223c2efff3c27bb89f5e6047e18d85144f9f6a4fab36c3036057bb055b66c3f658365c1c061d3a58218e7c275cfd436abda4ba106614a977785187d

Download Submit
C:\Users\Admin\AppData\Local\Temp\p0ejfseoSl.bat

Filesize
230B

MD5
e9b927b8df2fb13ba7cb2140714bd66d

SHA1
25ba4b194e9bc11859f6bc62a7dbeacaa6952a74

SHA256
e9566707af2b029b4a419e3714f8e91200e15906472b231e77dc6beadb228407

SHA512
6b592c888f861c9063f74c9c0dd6f9636de3007b974e878ff3ab22fcc0ebe22e79c1d0263a2cea693bcc8c8f09a4669ee9c0cca5e34b226ce3a77faaab8a686e

Download Submit
memory/1008-22-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1008-15-0x000000001BD10000-0x000000001BD1A000-memory.dmp

Filesize
40KB

Download
memory/1008-7-0x0000000003130000-0x0000000003146000-memory.dmp

Filesize
88KB

Download
memory/1008-8-0x0000000003150000-0x0000000003160000-memory.dmp

Filesize
64KB

Download
memory/1008-6-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/1008-158-0x00007FF974D63000-0x00007FF974D65000-memory.dmp

Filesize
8KB

Download
memory/1008-182-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1008-12-0x00000000031F0000-0x0000000003202000-memory.dmp

Filesize
72KB

Download
memory/1008-23-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1008-222-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1008-232-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1008-10-0x00000000031E0000-0x00000000031E8000-memory.dmp

Filesize
32KB

Download
memory/1008-5-0x0000000003110000-0x0000000003118000-memory.dmp

Filesize
32KB

Download
memory/1008-4-0x0000000003190000-0x00000000031E0000-memory.dmp

Filesize
320KB

Download
memory/1008-3-0x00000000030F0000-0x000000000310C000-memory.dmp

Filesize
112KB

Download
memory/1008-2-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/1008-0-0x00007FF974D63000-0x00007FF974D65000-memory.dmp

Filesize
8KB

Download
memory/1008-13-0x000000001C900000-0x000000001CE28000-memory.dmp

Filesize
5.2MB

Download
memory/1008-14-0x0000000003200000-0x000000000320C000-memory.dmp

Filesize
48KB

Download
memory/1008-9-0x0000000003170000-0x000000000317C000-memory.dmp

Filesize
48KB

Download
memory/1008-16-0x000000001BD20000-0x000000001BD2E000-memory.dmp

Filesize
56KB

Download
memory/1008-1-0x0000000000E30000-0x0000000000FF0000-memory.dmp

Filesize
1.8MB

Download
memory/1008-17-0x000000001BD30000-0x000000001BD38000-memory.dmp

Filesize
32KB

Download
memory/1008-19-0x000000001BD90000-0x000000001BD9C000-memory.dmp

Filesize
48KB

Download
memory/1008-18-0x000000001BD40000-0x000000001BD4C000-memory.dmp

Filesize
48KB

Download
memory/1360-331-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download
memory/1360-330-0x0000000000590000-0x0000000000750000-memory.dmp

Filesize
1.8MB

Download
memory/4400-216-0x000002092A200000-0x000002092A222000-memory.dmp

Filesize
136KB

Download