dcrat | 6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
Size

1.7MB
MD5

7ea3070589cbe24ec44cbaf50dea5966
SHA1

0755183f623545ab3ff86e9c89ee96de7acdcace
SHA256

6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c
SHA512

f8645dae0f93ed9a864bb94c1b300f41a5b97af7211ff23f17cbdc791a5f3f731478a9780b9c3eaa53189997aa7e4a686068bf46138046ed4f4347b8303bb615
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2968	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2968	schtasks.exe	29

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2280-1-0x0000000000800000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/files/0x0005000000019547-29.dat	dcrat
behavioral1/files/0x0005000000019d62-64.dat	dcrat
behavioral1/files/0x000c000000016d3f-99.dat	dcrat
behavioral1/files/0x000a000000019547-133.dat	dcrat
behavioral1/memory/236-251-0x0000000000DB0000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/2356-313-0x0000000000100000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/1728-326-0x0000000000E70000-0x0000000001030000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1568	powershell.exe
2800	powershell.exe
2416	powershell.exe
840	powershell.exe
1064	powershell.exe
2112	powershell.exe
2264	powershell.exe
2368	powershell.exe
980	powershell.exe
2588	powershell.exe
1620	powershell.exe
1116	powershell.exe
2520	powershell.exe
2608	powershell.exe
2656	powershell.exe
2000	powershell.exe
2912	powershell.exe
1904	powershell.exe
2088	powershell.exe
2560	powershell.exe
592	powershell.exe
816	powershell.exe
1280	powershell.exe
2344	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe

Executes dropped EXE 4 IoCs

pid	Process
1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
236	winlogon.exe
2356	winlogon.exe
1728	winlogon.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCX3D8F.tmp	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\wininit.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Internet Explorer\fr-FR\088424020bedd6	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\conhost.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\27d1bcfc3c54e0	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCX4274.tmp	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCX4BFE.tmp	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files (x86)\Uninstall Information\wininit.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX44F4.tmp	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\wininit.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\wininit.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files (x86)\Uninstall Information\56085415360792	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCX5238.tmp	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Google\winlogon.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Google\winlogon.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\886983d96e3d3e	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Windows Mail\fr-FR\56085415360792	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\wininit.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Internet Explorer\fr-FR\conhost.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\56085415360792	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Windows Mail\fr-FR\wininit.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\System.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCX3D9F.tmp	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCX4263.tmp	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Google\cc11b995f2a76d	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File created	C:\Program Files\Windows Mail\fr-FR\1610b97d3ab4a7	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX4515.tmp	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCX4BED.tmp	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\System.exe	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCX5258.tmp	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe
2752	schtasks.exe
2236	schtasks.exe
1920	schtasks.exe
1096	schtasks.exe
3040	schtasks.exe
1252	schtasks.exe
2892	schtasks.exe
3004	schtasks.exe
652	schtasks.exe
2216	schtasks.exe
964	schtasks.exe
2064	schtasks.exe
2852	schtasks.exe
2780	schtasks.exe
1120	schtasks.exe
1272	schtasks.exe
456	schtasks.exe
1704	schtasks.exe
2484	schtasks.exe
1928	schtasks.exe
1492	schtasks.exe
3052	schtasks.exe
2644	schtasks.exe
2056	schtasks.exe
584	schtasks.exe
2144	schtasks.exe
2288	schtasks.exe
2096	schtasks.exe
1672	schtasks.exe
3012	schtasks.exe
2936	schtasks.exe
2032	schtasks.exe
2588	schtasks.exe
2568	schtasks.exe
2192	schtasks.exe
1728	schtasks.exe
2832	schtasks.exe
2732	schtasks.exe
2668	schtasks.exe
3036	schtasks.exe
544	schtasks.exe
1968	schtasks.exe
2692	schtasks.exe
3024	schtasks.exe
1664	schtasks.exe
308	schtasks.exe
1520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2520	powershell.exe
2264	powershell.exe
2368	powershell.exe
2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
2088	powershell.exe
2608	powershell.exe
1568	powershell.exe
2344	powershell.exe
1064	powershell.exe
2112	powershell.exe
1904	powershell.exe
1280	powershell.exe
1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	236	winlogon.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2356	winlogon.exe
Token: SeDebugPrivilege	1728	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2608	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	57
PID 2280 wrote to memory of 2608	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	57
PID 2280 wrote to memory of 2608	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	57
PID 2280 wrote to memory of 2520	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	58
PID 2280 wrote to memory of 2520	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	58
PID 2280 wrote to memory of 2520	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	58
PID 2280 wrote to memory of 1280	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	59
PID 2280 wrote to memory of 1280	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	59
PID 2280 wrote to memory of 1280	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	59
PID 2280 wrote to memory of 2264	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	60
PID 2280 wrote to memory of 2264	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	60
PID 2280 wrote to memory of 2264	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	60
PID 2280 wrote to memory of 1064	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	61
PID 2280 wrote to memory of 1064	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	61
PID 2280 wrote to memory of 1064	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	61
PID 2280 wrote to memory of 1904	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	63
PID 2280 wrote to memory of 1904	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	63
PID 2280 wrote to memory of 1904	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	63
PID 2280 wrote to memory of 2088	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	66
PID 2280 wrote to memory of 2088	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	66
PID 2280 wrote to memory of 2088	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	66
PID 2280 wrote to memory of 2112	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	67
PID 2280 wrote to memory of 2112	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	67
PID 2280 wrote to memory of 2112	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	67
PID 2280 wrote to memory of 2344	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	68
PID 2280 wrote to memory of 2344	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	68
PID 2280 wrote to memory of 2344	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	68
PID 2280 wrote to memory of 2368	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	69
PID 2280 wrote to memory of 2368	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	69
PID 2280 wrote to memory of 2368	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	69
PID 2280 wrote to memory of 2656	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	70
PID 2280 wrote to memory of 2656	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	70
PID 2280 wrote to memory of 2656	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	70
PID 2280 wrote to memory of 1568	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	71
PID 2280 wrote to memory of 1568	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	71
PID 2280 wrote to memory of 1568	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	71
PID 2280 wrote to memory of 1644	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	81
PID 2280 wrote to memory of 1644	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	81
PID 2280 wrote to memory of 1644	2280	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	81
PID 1644 wrote to memory of 2000	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	103
PID 1644 wrote to memory of 2000	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	103
PID 1644 wrote to memory of 2000	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	103
PID 1644 wrote to memory of 2800	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	104
PID 1644 wrote to memory of 2800	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	104
PID 1644 wrote to memory of 2800	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	104
PID 1644 wrote to memory of 2560	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	105
PID 1644 wrote to memory of 2560	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	105
PID 1644 wrote to memory of 2560	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	105
PID 1644 wrote to memory of 2912	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	106
PID 1644 wrote to memory of 2912	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	106
PID 1644 wrote to memory of 2912	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	106
PID 1644 wrote to memory of 980	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	107
PID 1644 wrote to memory of 980	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	107
PID 1644 wrote to memory of 980	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	107
PID 1644 wrote to memory of 816	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	108
PID 1644 wrote to memory of 816	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	108
PID 1644 wrote to memory of 816	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	108
PID 1644 wrote to memory of 2588	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	109
PID 1644 wrote to memory of 2588	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	109
PID 1644 wrote to memory of 2588	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	109
PID 1644 wrote to memory of 592	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	111
PID 1644 wrote to memory of 592	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	111
PID 1644 wrote to memory of 592	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	111
PID 1644 wrote to memory of 840	1644	6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
"C:\Users\Admin\AppData\Local\Temp\6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Users\Admin\AppData\Local\Temp\6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe
  "C:\Users\Admin\AppData\Local\Temp\6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Program Files\Google\winlogon.exe
    "C:\Program Files\Google\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:236
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c2d7cad-365a-4ec1-bdfe-54397f01dbdf.vbs"
      4⤵
      PID:1908
    - - C:\Program Files\Google\winlogon.exe
        
        "C:\Program Files\Google\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f997a7a-26e2-458b-b627-e9505e3f8c9e.vbs"
        6⤵
        
        PID:308
        
        C:\Program Files\Google\winlogon.exe
        
        "C:\Program Files\Google\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc4e505b-11cd-4869-a1cb-c946337ff78a.vbs"
        8⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f71f477-1836-4c32-9147-b57f5161ac8d.vbs"
        8⤵
        
        PID:1624
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48b2d86e-53a8-42b2-a85d-af0af1484aad.vbs"
        6⤵
        
        PID:1932
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ee43752-b1fe-49c9-b1e7-ce3cfac6925e.vbs"
      4⤵
      PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Recent\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe

Filesize
1.7MB

MD5
7ea3070589cbe24ec44cbaf50dea5966

SHA1
0755183f623545ab3ff86e9c89ee96de7acdcace

SHA256
6eab9cdead3e8e10165ac61055e8d6cb1f874f0545ec501f96331fb8ebc7770c

SHA512
f8645dae0f93ed9a864bb94c1b300f41a5b97af7211ff23f17cbdc791a5f3f731478a9780b9c3eaa53189997aa7e4a686068bf46138046ed4f4347b8303bb615

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe

Filesize
1.7MB

MD5
98890a7cbf419586c56893012b46991f

SHA1
9706b5adde474b1deb23e45e29dd4e4030f19822

SHA256
85c14b3ad75c238d1eae6ffe5a9473bf8ed14715b83075d4960fef25e8a57dc0

SHA512
b84359f49ca250016804a2c24a6819c97b94bd768a4e34bb502ffef63f88959ac8f7680f693afcd474997b6442ac4aa0bc62ca14d38e393b6ac1f7b89726c456

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ee43752-b1fe-49c9-b1e7-ce3cfac6925e.vbs

Filesize
488B

MD5
c69b5f17dc151e19c75c415a543c852c

SHA1
29451324ffca62f83c740f990b30d371bbaeaa34

SHA256
0da99545996a93a9eff6f69f26cd38199e954d4b582c23351ed01b8f385adb4d

SHA512
aa6737d01b47b5d8260484ae690fc56547b50fdaf03e0bb483242676e761d06ac02352376c658da53c161f67281647835d97176154cdc5508aedf29973fb81da

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f997a7a-26e2-458b-b627-e9505e3f8c9e.vbs

Filesize
712B

MD5
f70ad3101bc8ccdfb2dcc1c51a51cd6d

SHA1
7b07254c76ec3837a652c02afc47df544d435863

SHA256
48df5200ea5b069a5e85debf7aeaf217572964a59b0b7bb9d8d039e83697f974

SHA512
49c56ca0e2dc1f41d667ecf17706a7550b17cdabc812c075f174e037df75ae77cfc8b742714a8436962706d2f331bc560563df18864e7dd1f27f9ce4775c20e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c2d7cad-365a-4ec1-bdfe-54397f01dbdf.vbs

Filesize
711B

MD5
5c8185bf46da85a0042d9708c26c901b

SHA1
c7b59ff4dec71057a57256f20929650855e9368f

SHA256
0d320dc9279b64fa5b1dc4b57846a1d15476873d375ad4eb6e38f1787ef47648

SHA512
5aa754b955538c196b0dbd3a975c6388b93981d013e3870451658b66cf375c9edd0ab1f6828665b27f534d2721efc18e92f56865f39205e38a6985e934f13af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc4e505b-11cd-4869-a1cb-c946337ff78a.vbs

Filesize
712B

MD5
b953ccd5dc06db8e55dd369036c8e987

SHA1
2b900d6838fed814ab7856be04b57d5366165fde

SHA256
396722341ab77097b0510d86efb2fb59539c31336e2c8a2d97297897d0578db8

SHA512
9ca7a28ec514ac7d46c30aae4d94d6508010ac53091b7d75e5ac199095d2143da28ea1a83e7ff594393dfb1e71a35bdd0b4de7eece94fb298e5a513f9cd889e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e4204a7183a74d56a7f48b2ab2ba853f

SHA1
45b86d9589c138466e1d918b78d0a9c376b062ba

SHA256
3c08aa0db35e233bfda76a49fc320c8b38fa8586d41bfdf947ea1aff75bd2415

SHA512
354e9fc38332fe64e37fc8ca1ffebbe316d8d60d28eb3bf547d070104ae22bddc9c4406cc968c1585b8c9ec024aee5b6eb83c9ae39a056e12719ae9abc594d99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7af11cea7aabc587f52f5da822260b6d

SHA1
8512a6553a68b61ec02f01a8002c16a3a3248cba

SHA256
24a5251813c9a11d3261d0b798c41d9062da37fe27fde75f2151d65416efd402

SHA512
ae50322bac70bd9a3f2fe254f64c0102c411fe78e4af25c493ee8fa8023f5eb5240279038d1c7a8a45093205133040e2fffcff545dc49d0aa2fae05e5f184e6e

Download Submit
C:\Users\Public\Favorites\WmiPrvSE.exe

Filesize
1.7MB

MD5
39fc17526c725292f2eff08916cad5b2

SHA1
1373fa4dca1a19a527c60ca6ceddf680e96dc1af

SHA256
196341491c2b8706722e31f1f22f58f0ad6f7b9667a8f063f8c6fff78c83c2d5

SHA512
c0fbd2d743da3678951c7161530f70dd467096594387bafe9119490babeebfa918a47c6368b8ebd048a0f0e5f739be806291229414edad747fbd639e8cd433ed

Download Submit
C:\Users\Public\Music\Sample Music\Idle.exe

Filesize
1.7MB

MD5
3a49462c1c4d063c9a6fd693768ec835

SHA1
874dac244adc16c5cd0b1a16710f6142c5cb36a6

SHA256
ca80228e47723e5acc9b9382148cfe6cad8d0951fbe7904e63e99f733b634656

SHA512
ad1d1e8b2912a87c0a0f0f80fc2645209b6a4bd8f572199ce60d415eabddc3e7f252f257ef5351e84b4373eb47b7555446247da764a5ab0b99c5bdeb5e82bc4b

Download Submit
memory/236-251-0x0000000000DB0000-0x0000000000F70000-memory.dmp

Filesize
1.8MB

Download
memory/236-261-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/1568-196-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/1728-326-0x0000000000E70000-0x0000000001030000-memory.dmp

Filesize
1.8MB

Download
memory/1728-327-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/2264-180-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2280-96-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

Filesize
4KB

Download
memory/2280-11-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2280-22-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-20-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-17-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2280-0-0x000007FEF65A3000-0x000007FEF65A4000-memory.dmp

Filesize
4KB

Download
memory/2280-16-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2280-114-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-15-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/2280-149-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-13-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/2280-14-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/2280-195-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-12-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2280-202-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-21-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-1-0x0000000000800000-0x00000000009C0000-memory.dmp

Filesize
1.8MB

Download
memory/2280-9-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2280-2-0x000007FEF65A0000-0x000007FEF6F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-8-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2280-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2280-7-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2280-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2280-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/2280-4-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2356-314-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2356-313-0x0000000000100000-0x00000000002C0000-memory.dmp

Filesize
1.8MB

Download
memory/2800-244-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/2800-243-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download