dcrat | 5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8

Analysis

max time kernel
120s
max time network
113s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
Size

1.7MB
MD5

64a7d53536484c80f3816ac58f6561f0
SHA1

65ed3b9c78a1412f99fd3b760bba46cb33e109e0
SHA256

5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8
SHA512

722e81ebd97480de4a29fc1a5322076a160d3a332b59a7aaaf99797f7d9d558e6a5fd45aa0146c9504d8c4dcc725d33429b25fccd2289a316896297e1e4ce3ce
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2708	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2484-1-0x0000000001250000-0x0000000001410000-memory.dmp	dcrat
behavioral1/files/0x0005000000019263-27.dat	dcrat
behavioral1/files/0x000700000001a4bb-74.dat	dcrat
behavioral1/files/0x00060000000193c1-144.dat	dcrat
behavioral1/files/0x000800000001941a-178.dat	dcrat
behavioral1/files/0x0006000000019612-226.dat	dcrat
behavioral1/memory/2236-298-0x0000000000C30000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/memory/572-311-0x0000000000DD0000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/2608-346-0x0000000000250000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/3008-358-0x0000000000090000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/1716-370-0x0000000000890000-0x0000000000A50000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
892	powershell.exe
2972	powershell.exe
1880	powershell.exe
1372	powershell.exe
1380	powershell.exe
1792	powershell.exe
2024	powershell.exe
1264	powershell.exe
2920	powershell.exe
2352	powershell.exe
1764	powershell.exe
2724	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe

Executes dropped EXE 7 IoCs

pid	Process
2236	smss.exe
572	smss.exe
2740	smss.exe
3024	smss.exe
2608	smss.exe
3008	smss.exe
1716	smss.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\5940a34987c991	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\dllhost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\b75386f1303e64	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Uninstall Information\dllhost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXA029.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXA730.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\System.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\winlogon.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXA935.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Uninstall Information\winlogon.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\taskhost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXA29B.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXA936.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Uninstall Information\cc11b995f2a76d	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXA028.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXA22D.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXA731.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\de-DE\RCXAB39.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXB01E.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\PolicyDefinitions\smss.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\fr-FR\RCXB4A5.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\PolicyDefinitions\69ddcba757bf72	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\fr-FR\taskhost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\RCXA4EE.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\fr-FR\taskhost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\Registration\CRMLog\7a0fd90576e088	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\winlogon.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\fr-FR\RCXB4A4.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\de-DE\RCXAB3A.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\Registration\CRMLog\explorer.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\cc11b995f2a76d	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\de-DE\dllhost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\Registration\CRMLog\explorer.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\fr-FR\b75386f1303e64	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\RCXA4DD.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\de-DE\dllhost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXAFB0.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXBB1F.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\winlogon.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\de-DE\5940a34987c991	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\PolicyDefinitions\smss.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXBB20.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2068	schtasks.exe
2724	schtasks.exe
2628	schtasks.exe
2360	schtasks.exe
832	schtasks.exe
1628	schtasks.exe
1408	schtasks.exe
1636	schtasks.exe
1744	schtasks.exe
2884	schtasks.exe
3044	schtasks.exe
2660	schtasks.exe
1912	schtasks.exe
1852	schtasks.exe
1848	schtasks.exe
1384	schtasks.exe
2284	schtasks.exe
2568	schtasks.exe
3028	schtasks.exe
2992	schtasks.exe
2880	schtasks.exe
924	schtasks.exe
3016	schtasks.exe
2828	schtasks.exe
2716	schtasks.exe
2596	schtasks.exe
2344	schtasks.exe
764	schtasks.exe
1312	schtasks.exe
1360	schtasks.exe
1540	schtasks.exe
2800	schtasks.exe
1264	schtasks.exe
572	schtasks.exe
860	schtasks.exe
1492	schtasks.exe
1876	schtasks.exe
2776	schtasks.exe
264	schtasks.exe
2700	schtasks.exe
2084	schtasks.exe
1720	schtasks.exe
2712	schtasks.exe
2584	schtasks.exe
1056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1380	powershell.exe
2920	powershell.exe
2024	powershell.exe
2352	powershell.exe
892	powershell.exe
1764	powershell.exe
1880	powershell.exe
2972	powershell.exe
1372	powershell.exe
2724	powershell.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1792	powershell.exe
1264	powershell.exe
2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
2236	smss.exe
2236	smss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2236	smss.exe
Token: SeDebugPrivilege	572	smss.exe
Token: SeDebugPrivilege	2740	smss.exe
Token: SeDebugPrivilege	3024	smss.exe
Token: SeDebugPrivilege	2608	smss.exe
Token: SeDebugPrivilege	3008	smss.exe
Token: SeDebugPrivilege	1716	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2920	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	76
PID 2484 wrote to memory of 2920	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	76
PID 2484 wrote to memory of 2920	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	76
PID 2484 wrote to memory of 1380	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	77
PID 2484 wrote to memory of 1380	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	77
PID 2484 wrote to memory of 1380	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	77
PID 2484 wrote to memory of 2352	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	79
PID 2484 wrote to memory of 2352	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	79
PID 2484 wrote to memory of 2352	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	79
PID 2484 wrote to memory of 2024	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	80
PID 2484 wrote to memory of 2024	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	80
PID 2484 wrote to memory of 2024	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	80
PID 2484 wrote to memory of 1792	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	81
PID 2484 wrote to memory of 1792	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	81
PID 2484 wrote to memory of 1792	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	81
PID 2484 wrote to memory of 1372	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	82
PID 2484 wrote to memory of 1372	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	82
PID 2484 wrote to memory of 1372	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	82
PID 2484 wrote to memory of 1880	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	83
PID 2484 wrote to memory of 1880	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	83
PID 2484 wrote to memory of 1880	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	83
PID 2484 wrote to memory of 2972	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	84
PID 2484 wrote to memory of 2972	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	84
PID 2484 wrote to memory of 2972	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	84
PID 2484 wrote to memory of 2724	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	85
PID 2484 wrote to memory of 2724	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	85
PID 2484 wrote to memory of 2724	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	85
PID 2484 wrote to memory of 1764	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	86
PID 2484 wrote to memory of 1764	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	86
PID 2484 wrote to memory of 1764	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	86
PID 2484 wrote to memory of 892	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	95
PID 2484 wrote to memory of 892	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	95
PID 2484 wrote to memory of 892	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	95
PID 2484 wrote to memory of 1264	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	96
PID 2484 wrote to memory of 1264	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	96
PID 2484 wrote to memory of 1264	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	96
PID 2484 wrote to memory of 2236	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	100
PID 2484 wrote to memory of 2236	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	100
PID 2484 wrote to memory of 2236	2484	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	100
PID 2236 wrote to memory of 2512	2236	smss.exe	102
PID 2236 wrote to memory of 2512	2236	smss.exe	102
PID 2236 wrote to memory of 2512	2236	smss.exe	102
PID 2236 wrote to memory of 1640	2236	smss.exe	103
PID 2236 wrote to memory of 1640	2236	smss.exe	103
PID 2236 wrote to memory of 1640	2236	smss.exe	103
PID 2512 wrote to memory of 572	2512	WScript.exe	104
PID 2512 wrote to memory of 572	2512	WScript.exe	104
PID 2512 wrote to memory of 572	2512	WScript.exe	104
PID 572 wrote to memory of 2460	572	smss.exe	105
PID 572 wrote to memory of 2460	572	smss.exe	105
PID 572 wrote to memory of 2460	572	smss.exe	105
PID 572 wrote to memory of 1712	572	smss.exe	106
PID 572 wrote to memory of 1712	572	smss.exe	106
PID 572 wrote to memory of 1712	572	smss.exe	106
PID 2460 wrote to memory of 2740	2460	WScript.exe	107
PID 2460 wrote to memory of 2740	2460	WScript.exe	107
PID 2460 wrote to memory of 2740	2460	WScript.exe	107
PID 2740 wrote to memory of 772	2740	smss.exe	108
PID 2740 wrote to memory of 772	2740	smss.exe	108
PID 2740 wrote to memory of 772	2740	smss.exe	108
PID 2740 wrote to memory of 1032	2740	smss.exe	109
PID 2740 wrote to memory of 1032	2740	smss.exe	109
PID 2740 wrote to memory of 1032	2740	smss.exe	109
PID 772 wrote to memory of 3024	772	WScript.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
"C:\Users\Admin\AppData\Local\Temp\5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\PolicyDefinitions\smss.exe
  "C:\Windows\PolicyDefinitions\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14f3b0a4-360e-4818-87c3-ff0cee0b77d2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\PolicyDefinitions\smss.exe
      C:\Windows\PolicyDefinitions\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7fc6b81-371a-4aa6-a9c5-9a990647f14d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\PolicyDefinitions\smss.exe
        
        C:\Windows\PolicyDefinitions\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bed4f296-4f88-419b-9ddd-ebe70ad97cb7.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\PolicyDefinitions\smss.exe
        
        C:\Windows\PolicyDefinitions\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90b2b436-897f-40fc-90fa-ae83bf1f6cc7.vbs"
        9⤵
        
        PID:2180
        
        C:\Windows\PolicyDefinitions\smss.exe
        
        C:\Windows\PolicyDefinitions\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c8d1bc0-7d9d-449f-9f7b-6da6a01a80b2.vbs"
        11⤵
        
        PID:1440
        
        C:\Windows\PolicyDefinitions\smss.exe
        
        C:\Windows\PolicyDefinitions\smss.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\766f1f61-eef4-4145-9a06-ee426b45deca.vbs"
        13⤵
        
        PID:2136
        
        C:\Windows\PolicyDefinitions\smss.exe
        
        C:\Windows\PolicyDefinitions\smss.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a612a3da-d994-413a-8097-be1109072d6b.vbs"
        15⤵
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67667f0a-28c1-415c-9d12-f3e31b4d16df.vbs"
        15⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfe2eb03-7260-41ee-9831-ddb13ff1561d.vbs"
        13⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64345916-5804-45c3-98e2-b3958c0a7843.vbs"
        11⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95edd4db-4fae-466f-bf42-87a01f00b83c.vbs"
        9⤵
        
        PID:624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a22fe02-1789-4cfe-a5c9-c6215f6dca04.vbs"
        7⤵
        
        PID:1032
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11350de7-6112-45f5-9e62-5be81c890cee.vbs"
        5⤵
        
        PID:1712
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\331ccfb0-664a-4f5d-bc0f-e5d95e94bf5b.vbs"
    3⤵
    PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N5" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N5" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Uninstall Information\dllhost.exe

Filesize
1.7MB

MD5
64a7d53536484c80f3816ac58f6561f0

SHA1
65ed3b9c78a1412f99fd3b760bba46cb33e109e0

SHA256
5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8

SHA512
722e81ebd97480de4a29fc1a5322076a160d3a332b59a7aaaf99797f7d9d558e6a5fd45aa0146c9504d8c4dcc725d33429b25fccd2289a316896297e1e4ce3ce

Download Submit
C:\Program Files (x86)\Uninstall Information\winlogon.exe

Filesize
1.7MB

MD5
3943dcd927d3c2c2bac5cc9345940c99

SHA1
e89128c68887ea2fdb69c7e4cbf02ece01e5bb8e

SHA256
a58105a3f981bcff31dbb4a19c1bf0875bde6a8a7ed1ea08c60aed8b58532729

SHA512
6f3fe4f32f7403516211601a2791b5d37cfbe38baa3bc5037be359b49e62845b4ac6afd6a94fb65486722febc57dfdda44fc99499b2afb83d790f94261ec16d5

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\RCXBF97.tmp

Filesize
1.7MB

MD5
b17e475b4dac49243265b192c62d0c5f

SHA1
4972f985f2a0c5aafe8c91918c5822bff9a80983

SHA256
fbfd627d1374c0f776f241f0d066fa8666f95cb69e0bffba1def7824fa41538e

SHA512
dfa543c1913c018bb8a3c13253a84f5269c8ded827539aa542a2011c3ed5da0ca36e5ce83ab391f304ead0d0f7678df6470677fead0e5849e7b793bf4a615025

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe

Filesize
1.7MB

MD5
19f2430f8c6ac1a9e524c77ab26086a9

SHA1
8e47f81966d35bc266ae80e960ada2e120060626

SHA256
6977611bae908c81d67abeeef0c5f7e13ea31e66628ffd6e889ddc5f89b6458d

SHA512
ab4ebc530b404ae7dc460f612b78642beb3ee267c1dba782ed1bae94219be421ad3ec4d6eac72e2e8046b11e638d9e8460bd3ffc481a35f64eec7fdd5126a478

Download Submit
C:\Users\Admin\AppData\Local\Temp\14f3b0a4-360e-4818-87c3-ff0cee0b77d2.vbs

Filesize
713B

MD5
2af18fcab759f57f33549b789fda93ed

SHA1
b4f2ec89e0265f7fd9a5e5c7cd5422cf925c58e6

SHA256
1f270c6a13f845a03111360c19984968eaed90272adc013e504e7e56103a3ece

SHA512
4622eac2e1c3b9f73091969f4dafe0618f1101c43f574900592cef5b7a71b3269e7660484afffa913da06ea9950114d5d0701c2844a12e51c1bafdd193aac522

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c8d1bc0-7d9d-449f-9f7b-6da6a01a80b2.vbs

Filesize
713B

MD5
7192252884e639ece0e3a979e43e2b70

SHA1
5c927c0b3eaa256a9f2a7736c27613343ab4a9ca

SHA256
1a127823ebba0ebeeba96f1ae5ee638da5b17822a7c222cc199324bb2f27a021

SHA512
2c9eb7899dec0aaddab57db7676fd3697bf2e2875813f74b29d204d6ed3c8490624d48ed36479165428c802c0adff421020f5776beaa3dbd06631350ce6e6523

Download Submit
C:\Users\Admin\AppData\Local\Temp\331ccfb0-664a-4f5d-bc0f-e5d95e94bf5b.vbs

Filesize
489B

MD5
0cec62422e8fe5afad428e933124798c

SHA1
e38b80ec31f4d1f61275e60943e89d6ce21cf404

SHA256
b021d0191c216c9f9717cb1874940a0b2a3bc56141312ca0bcd76f5df5728bce

SHA512
ec4aa97fc8e48d2d8d7442641f214908402439a952fb6816f896d4af8fe1e7b204a9d219a91705494697574f6b74972ba5e1dc6e1086b9029b9c020f5eb9b1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\766f1f61-eef4-4145-9a06-ee426b45deca.vbs

Filesize
713B

MD5
94ae5f7cbe4c73fbde0d5d97bbec5e63

SHA1
189ce0f635e2feecc8d23f694b11c5a2ce6cb764

SHA256
7b54c72413ae49a07c7c516f1423b230988be5b2dfcefde0b0124df219625285

SHA512
94f4161ed9b6b030e6214d5a2514599343beeddbe6ef36ebbc2ac0a61b54323d53e4c847cbce1fa0f4acbef8a62b645e0aeb5ebc4d57bbaf9089341760697d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\90b2b436-897f-40fc-90fa-ae83bf1f6cc7.vbs

Filesize
713B

MD5
8a5c6de43203aef628f97d4e2e192bc6

SHA1
6a1f755096754cb9c756d557c123f255e6f7c16c

SHA256
ed120c91623057ec3c83f6ddada301d208a45567fc147f5d72149ffdad1db11c

SHA512
aee69fa406a26de11e044b0eb0cd68e94fa5e3235d8f366d033eb23a282971ac588ab3835ac3edadaa37f2b85a21dee70c0b90dd81c2c37f62b9b380be43269a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a612a3da-d994-413a-8097-be1109072d6b.vbs

Filesize
713B

MD5
676d76764f5517eb386729e4f453c29d

SHA1
57adee5fa64265cc6c720acb5884cb4b764a0911

SHA256
ee92a856b430fffe626a6ade79eccf6b4b39f9e68dfaa177fc9bcd18777f60a4

SHA512
f39a5266f50c19b0b519e33aa70df1c076a595c04a953b65f10068b57d9287b1b94a27c4873f8351908e637608bd4a25684a785f0f1abceb67f20327a4102596

Download Submit
C:\Users\Admin\AppData\Local\Temp\bed4f296-4f88-419b-9ddd-ebe70ad97cb7.vbs

Filesize
713B

MD5
335ca1635e7bc5484c2db11649d849ed

SHA1
4245847345f9558987e4cf3a3057f201c4f1ccba

SHA256
1d6de9788fed6799140900bd9eaefb9b60e318334fe3f39e325c70039d09f920

SHA512
450ff5da953736adf4d99a47c09293ec7eb7d88f88f2e1a4dbb46018b66be902f22233fdcfbeafb3e7d1d0484dd552cd173e3a6c66be5e4ab58e9c48b415b636

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7fc6b81-371a-4aa6-a9c5-9a990647f14d.vbs

Filesize
712B

MD5
a02da0af10644841554339db2fbf2125

SHA1
54dfcada52ac1ac702c48777b3c6494e76c896d3

SHA256
eb11c2cd1be1c1fe2d1de6b401948ca7c356debd80e2021ea0a954a8a3b110a5

SHA512
2aad8586641758d9f6aebec611ec8edc3a18bb711267e4380857081e607469aa8b9015a1723b6167a264eda0153ab08ea1880d032ef9572916b91a42bd43a66a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
76eac2c89e33fb227a41126412da4e9a

SHA1
6581ec778251153d3071d02dad91c75d1924bad7

SHA256
a8b503b84e36d6427fb68efd274047ab4399b43ce8d14bd31b6b901e94d4e0e3

SHA512
535c937e14b5fba2c589ed556771ace5cdc40270d9ab3d1204e4fa8c3439526a5b99caffb8503255f461478d792d5fd5b3b570aabb9423f53ff89a8c0c4e9aee

Download Submit
C:\Windows\PolicyDefinitions\smss.exe

Filesize
1.7MB

MD5
7deccf5b5417d38557ea012b9aaab4c4

SHA1
ca10c26c56fb58ed1b6063ed846b2a19d46fabe0

SHA256
4b507e0cc5c80b614c9cc3a46a3ee9adb48e1a26bb07b584d69537e1e904b989

SHA512
8c2ad6bd33da4c748df8d4cbdc48c42fe108e6c0e28f338bbf3443b1a4db3b9048bdc94e36715c22eb4778831ca971339f84bc5b783bdece6cf4f94233e4fe40

Download Submit
memory/572-311-0x0000000000DD0000-0x0000000000F90000-memory.dmp

Filesize
1.8MB

Download
memory/1380-280-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1380-245-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/1716-370-0x0000000000890000-0x0000000000A50000-memory.dmp

Filesize
1.8MB

Download
memory/2236-300-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2236-298-0x0000000000C30000-0x0000000000DF0000-memory.dmp

Filesize
1.8MB

Download
memory/2484-12-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2484-9-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2484-205-0x000007FEF5503000-0x000007FEF5504000-memory.dmp

Filesize
4KB

Download
memory/2484-224-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-17-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/2484-14-0x0000000000A50000-0x0000000000A5E000-memory.dmp

Filesize
56KB

Download
memory/2484-15-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/2484-16-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/2484-292-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-299-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-13-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/2484-0-0x000007FEF5503000-0x000007FEF5504000-memory.dmp

Filesize
4KB

Download
memory/2484-11-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2484-18-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-8-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2484-6-0x0000000000390000-0x00000000003A6000-memory.dmp

Filesize
88KB

Download
memory/2484-1-0x0000000001250000-0x0000000001410000-memory.dmp

Filesize
1.8MB

Download
memory/2484-7-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2484-5-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2484-2-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2484-4-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2484-3-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2608-346-0x0000000000250000-0x0000000000410000-memory.dmp

Filesize
1.8MB

Download
memory/2740-323-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/3008-358-0x0000000000090000-0x0000000000250000-memory.dmp

Filesize
1.8MB

Download