dcrat | 4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
Size

1.2MB
MD5

1513343b7481b2f1bf7d66399dfc2120
SHA1

0db4b18d25118696dac687d45934e9d5ba17ce6f
SHA256

4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4
SHA512

5ad111a3b6121f0b3454fb5ba2034f3c4dbe545191d0a020241f614eee87913b78481b26d208ffa86ce96b70386cf701a774999bebd4f1021455e4b494b0b282
SSDEEP

24576:lxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpdT:APkVXFGDQoP7FRCZRonh4hfewhmpd

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2728	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2728	schtasks.exe	32

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/516-12-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/516-13-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/516-16-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/516-18-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/516-20-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
772	powershell.exe
2320	powershell.exe
1764	powershell.exe
1556	powershell.exe
1592	powershell.exe
1968	powershell.exe
1600	powershell.exe
908	powershell.exe
2640	powershell.exe
2400	powershell.exe
264	powershell.exe
1104	powershell.exe
572	powershell.exe
2452	powershell.exe
2620	powershell.exe
2584	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
1752	smss.exe
2280	smss.exe
2068	smss.exe
1724	smss.exe
2664	smss.exe
560	smss.exe
2744	smss.exe
776	smss.exe

Loads dropped DLL 8 IoCs

pid	Process
516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
1752	smss.exe
2576	WScript.exe
2068	smss.exe
2068	smss.exe
2068	smss.exe
2068	smss.exe
2068	smss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 516	1688	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	31
PID 1752 set thread context of 2280	1752	smss.exe	111

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\de-DE\RCX740D.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX60D9.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\lsm.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCX717C.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\sppsvc.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCX716B.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RCX7836.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files (x86)\MSBuild\lsm.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files (x86)\Uninstall Information\1610b97d3ab4a7	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\Windows Media Player\de-DE\spoolsv.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX6176.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX6AE1.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files (x86)\MSBuild\101b941d020240	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\RCX73FC.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\spoolsv.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RCX7835.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX6AD0.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\Java\jre7\bin\sppsvc.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\Java\jre7\bin\0a1fd5f707cd16	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\Windows Media Player\de-DE\f3b6ecef712a24	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\b75386f1303e64	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Help\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\ja-JP\RCX65DE.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\ja-JP\7a0fd90576e088	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\Help\RCX63C8.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\Help\RCX63C9.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\ja-JP\RCX65DD.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\AppPatch\en-US\audiodg.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\Help\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\ja-JP\explorer.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\AppPatch\en-US\audiodg.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\AppPatch\en-US\42af1c969fbb7b	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\ja-JP\explorer.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\AppPatch\en-US\RCX6CE5.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\AppPatch\en-US\RCX6CF5.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\Help\8ed8ba926a9222	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe
2940	schtasks.exe
612	schtasks.exe
992	schtasks.exe
2288	schtasks.exe
1796	schtasks.exe
940	schtasks.exe
1740	schtasks.exe
2576	schtasks.exe
2420	schtasks.exe
2164	schtasks.exe
1672	schtasks.exe
2800	schtasks.exe
1484	schtasks.exe
2484	schtasks.exe
1412	schtasks.exe
1092	schtasks.exe
640	schtasks.exe
2012	schtasks.exe
2972	schtasks.exe
2340	schtasks.exe
2056	schtasks.exe
2348	schtasks.exe
968	schtasks.exe
1148	schtasks.exe
1016	schtasks.exe
1620	schtasks.exe
2720	schtasks.exe
2032	schtasks.exe
1988	schtasks.exe
776	schtasks.exe
900	schtasks.exe
1560	schtasks.exe
1596	schtasks.exe
1328	schtasks.exe
2944	schtasks.exe
1640	schtasks.exe
1908	schtasks.exe
1928	schtasks.exe
1736	schtasks.exe
2612	schtasks.exe
1160	schtasks.exe
272	schtasks.exe
2072	schtasks.exe
2104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
1556	powershell.exe
2584	powershell.exe
908	powershell.exe
2452	powershell.exe
2620	powershell.exe
572	powershell.exe
2640	powershell.exe
1592	powershell.exe
1600	powershell.exe
1764	powershell.exe
2400	powershell.exe
264	powershell.exe
2320	powershell.exe
772	powershell.exe
1968	powershell.exe
1104	powershell.exe
2280	smss.exe
2068	smss.exe
2068	smss.exe
2068	smss.exe
2068	smss.exe
2068	smss.exe
2068	smss.exe
2068	smss.exe
2068	smss.exe
2068	smss.exe
2068	smss.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2280	smss.exe
Token: SeDebugPrivilege	2068	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 516	1688	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	31
PID 1688 wrote to memory of 516	1688	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	31
PID 1688 wrote to memory of 516	1688	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	31
PID 1688 wrote to memory of 516	1688	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	31
PID 1688 wrote to memory of 516	1688	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	31
PID 1688 wrote to memory of 516	1688	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	31
PID 1688 wrote to memory of 516	1688	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	31
PID 1688 wrote to memory of 516	1688	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	31
PID 1688 wrote to memory of 516	1688	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	31
PID 516 wrote to memory of 908	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	78
PID 516 wrote to memory of 908	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	78
PID 516 wrote to memory of 908	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	78
PID 516 wrote to memory of 908	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	78
PID 516 wrote to memory of 1556	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	79
PID 516 wrote to memory of 1556	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	79
PID 516 wrote to memory of 1556	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	79
PID 516 wrote to memory of 1556	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	79
PID 516 wrote to memory of 2640	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	81
PID 516 wrote to memory of 2640	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	81
PID 516 wrote to memory of 2640	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	81
PID 516 wrote to memory of 2640	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	81
PID 516 wrote to memory of 772	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	83
PID 516 wrote to memory of 772	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	83
PID 516 wrote to memory of 772	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	83
PID 516 wrote to memory of 772	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	83
PID 516 wrote to memory of 2400	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	84
PID 516 wrote to memory of 2400	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	84
PID 516 wrote to memory of 2400	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	84
PID 516 wrote to memory of 2400	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	84
PID 516 wrote to memory of 2320	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	85
PID 516 wrote to memory of 2320	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	85
PID 516 wrote to memory of 2320	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	85
PID 516 wrote to memory of 2320	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	85
PID 516 wrote to memory of 264	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	86
PID 516 wrote to memory of 264	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	86
PID 516 wrote to memory of 264	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	86
PID 516 wrote to memory of 264	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	86
PID 516 wrote to memory of 572	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	90
PID 516 wrote to memory of 572	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	90
PID 516 wrote to memory of 572	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	90
PID 516 wrote to memory of 572	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	90
PID 516 wrote to memory of 2452	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	92
PID 516 wrote to memory of 2452	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	92
PID 516 wrote to memory of 2452	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	92
PID 516 wrote to memory of 2452	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	92
PID 516 wrote to memory of 1592	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	95
PID 516 wrote to memory of 1592	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	95
PID 516 wrote to memory of 1592	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	95
PID 516 wrote to memory of 1592	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	95
PID 516 wrote to memory of 1764	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 516 wrote to memory of 1764	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 516 wrote to memory of 1764	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 516 wrote to memory of 1764	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 516 wrote to memory of 1600	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	98
PID 516 wrote to memory of 1600	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	98
PID 516 wrote to memory of 1600	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	98
PID 516 wrote to memory of 1600	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	98
PID 516 wrote to memory of 2620	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	100
PID 516 wrote to memory of 2620	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	100
PID 516 wrote to memory of 2620	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	100
PID 516 wrote to memory of 2620	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	100
PID 516 wrote to memory of 2584	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	104
PID 516 wrote to memory of 2584	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	104
PID 516 wrote to memory of 2584	516	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
"C:\Users\Admin\AppData\Local\Temp\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\lsm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\en-US\audiodg.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\de-DE\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Users\Default User\smss.exe
    "C:\Users\Default User\smss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1752
  - - C:\Users\Default User\smss.exe
      "{path}"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2280
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42ef14e8-2258-477d-8f7d-f8d9ce7b2664.vbs"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2576
      - C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Users\Default User\smss.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Users\Default User\smss.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Users\Default User\smss.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Users\Default User\smss.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Users\Default User\smss.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        
        PID:776
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5038149a-26aa-451f-9302-ebb301053fe2.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N4" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N" /sc ONLOGON /tr "'C:\Windows\Help\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N4" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N4" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N4" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\AppPatch\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\bin\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\bin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N4" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N4" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe

Filesize
1.2MB

MD5
6e8c4317b5733b744f128d96e6906352

SHA1
599797e1f812c67b06f9846d2a93138af3862439

SHA256
172b2567e821c782e3ec0126c01d98f5202084b66588ed7c1916b2e87624b63c

SHA512
77ce224e158458012fb9453376ee2c94eb568997623956884e3f2f76b841c6eedf977185a47672537bb2b4d5d41649973caaf0cc12df2c20ebaef0cee7256498

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe

Filesize
1.2MB

MD5
1513343b7481b2f1bf7d66399dfc2120

SHA1
0db4b18d25118696dac687d45934e9d5ba17ce6f

SHA256
4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4

SHA512
5ad111a3b6121f0b3454fb5ba2034f3c4dbe545191d0a020241f614eee87913b78481b26d208ffa86ce96b70386cf701a774999bebd4f1021455e4b494b0b282

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe

Filesize
1.2MB

MD5
1cc2974b0ab6f747e2a5a7e3f9fea731

SHA1
bdb78fa36add4340618256dde8180ad4ea5fd60e

SHA256
91fdb195acf80ac3310d4c3a98d55ff9b0631925d663eda9bcdf63378d78822b

SHA512
8fee5ac484fdc8c3a9051b7ef74aa3c00b5963fd024872027942e6ae27e74f7e4dbd86bf824279632ac41bf6fb57b12eab16d54b003eef283e01359bd19538bb

Download Submit
C:\Program Files (x86)\MSBuild\lsm.exe

Filesize
1.2MB

MD5
261260c5cf2edc637c4b1267f2998ff8

SHA1
f41347a05527a2892c65e4d4e9397ccfa201ff21

SHA256
bbc8653ff4346c3a92f8a293eb1cbb30b9fdf586b57e2283e2cba6c7c7b88e85

SHA512
404d094a1812ab327f1fbefdfc9b9d3e21cd69a36cb28ad75593759264b27ba49c1022fe0b174b504d860dbc2a3262126c6bad3bc093cb499a83b03853d77638

Download Submit
C:\Users\Admin\AppData\Local\Temp\42ef14e8-2258-477d-8f7d-f8d9ce7b2664.vbs

Filesize
706B

MD5
82bbee02e9a644496e8186ad108ebda2

SHA1
546cef8b8dc7199bec91503c46e4586f22c27c04

SHA256
fdc72e4576a7f37e45243b34ec8e6ff678c1a9dd59c49b23234fb9a93f99dfbd

SHA512
0b87756049050f0a5877356862d89dec111af5e539de2a707076d7fda64570f59f9a51027b505a319edad1007220e6f8a3c45381cfd5127df73831a98131a2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5038149a-26aa-451f-9302-ebb301053fe2.vbs

Filesize
482B

MD5
88453ea4689de38cd27e08e854d19607

SHA1
a820b529bf8b17451b25665ff46f89c71c668c0c

SHA256
b01e075fc19ebf30a9b3bdefecd4036067b3a42213e3792655df3d6ff7bfc9e7

SHA512
bb6487b5f3590d468aa180f3c6114a828e2a652fb411b239e1d700c1e27f574fa814d2cd2cc774bde54e0ab13ee7930f0187972e71e58aba6e451c5aa22bf2a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
dc9eeb00c0e4ef70ef62118a18011295

SHA1
10aee8f99c58bc8ff051ffe841038472c484dd3b

SHA256
e9cdc43bd2baf377c45ed8807a3c22dd1f594a3b5265c0566dfcaaa3db4c757e

SHA512
7e544b71bafc52b9ace55ec091ba5ba0dc03f8fc1062e9bf6de7a036fe8994ae0e9a7280f66a6ee43c0a6646801b833ce90e574c533e776a87f6a3db7b6cab04

Download Submit
memory/516-27-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/516-31-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/516-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/516-13-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/516-16-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/516-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/516-10-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/516-18-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/516-20-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/516-330-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/516-22-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/516-23-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/516-24-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/516-25-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/516-26-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download
memory/516-175-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/516-28-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/516-29-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/516-30-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/516-9-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/516-32-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/516-33-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download
memory/516-34-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/516-151-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-2-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-5-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-7-0x0000000005C40000-0x0000000005D6E000-memory.dmp

Filesize
1.2MB

Download
memory/1688-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/1688-4-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/1688-3-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/1688-6-0x0000000005490000-0x0000000005586000-memory.dmp

Filesize
984KB

Download
memory/1688-1-0x00000000011D0000-0x00000000012FC000-memory.dmp

Filesize
1.2MB

Download
memory/1688-21-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1752-328-0x0000000000AD0000-0x0000000000BFC000-memory.dmp

Filesize
1.2MB

Download
memory/1752-329-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2068-356-0x0000000000380000-0x00000000004AC000-memory.dmp

Filesize
1.2MB

Download
memory/2068-357-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/2280-340-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download