dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
132s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Size

1.6MB
MD5

66d07aba299e88d9fd0562bdde9ef487
SHA1

3187acda67ed22501f39f2b436d064faf9464045
SHA256

d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914
SHA512

64ec5f70e2e57279280b2bd2aa6503138b362e2777be368037102acba1875361e8299460e6075e04aa9f754c9597d63c89d27b80f7b054c766675ef0e8aff875
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5628	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5172	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5812	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5608	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5628	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5216	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6096	5252	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	5252	schtasks.exe	88

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/memory/5224-1-0x0000000000500000-0x00000000006A2000-memory.dmp	dcrat
behavioral4/files/0x0007000000024266-26.dat	dcrat
behavioral4/files/0x000a00000002427e-119.dat	dcrat
behavioral4/files/0x000900000002426e-130.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4056	powershell.exe
3756	powershell.exe
3740	powershell.exe
4360	powershell.exe
2252	powershell.exe
4964	powershell.exe
1676	powershell.exe
4268	powershell.exe
800	powershell.exe
1228	powershell.exe
2540	powershell.exe
2696	powershell.exe
3108	powershell.exe
620	powershell.exe
4588	powershell.exe
2696	powershell.exe
5192	powershell.exe
1352	powershell.exe
2748	powershell.exe
760	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	MoUsoCoreWorker.exe

Executes dropped EXE 11 IoCs

pid	Process
4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3288	MoUsoCoreWorker.exe
4056	MoUsoCoreWorker.exe
5512	MoUsoCoreWorker.exe
1572	MoUsoCoreWorker.exe
4804	MoUsoCoreWorker.exe
2244	MoUsoCoreWorker.exe
4840	MoUsoCoreWorker.exe
3708	MoUsoCoreWorker.exe
5548	MoUsoCoreWorker.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4628_119883617\csrss.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXAB2C.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXAB2D.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\6203df4a6bafc7	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\edge_BITS_4628_119883617\886983d96e3d3e	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\edge_BITS_4628_119883617\csrss.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\edge_BITS_4628_995211002\6203df4a6bafc7	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\edge_BITS_4628_119883617\RCXB08F.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\edge_BITS_4628_119883617\RCXB090.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\edge_BITS_4628_995211002\lsass.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\1f93f77a7f4778	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\9e8d7a4ca61bd9	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\Windows Multimedia Platform\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\Windows Multimedia Platform\9a627ef98702ab	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\edge_BITS_4628_995211002\lsass.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\debug\RCXB313.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\debug\dllhost.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\L2Schemas\explorer.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\L2Schemas\7a0fd90576e088	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\appcompat\encapsulation\services.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\appcompat\encapsulation\c5b4cb5e9653cc	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\debug\dllhost.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\debug\5940a34987c991	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\appcompat\encapsulation\RCXAD43.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\appcompat\encapsulation\services.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\L2Schemas\explorer.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\appcompat\encapsulation\RCXAD42.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\debug\RCXB2A5.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	MoUsoCoreWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	MoUsoCoreWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	MoUsoCoreWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	MoUsoCoreWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	MoUsoCoreWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	MoUsoCoreWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	MoUsoCoreWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	MoUsoCoreWorker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	MoUsoCoreWorker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5628	schtasks.exe
4748	schtasks.exe
4708	schtasks.exe
5812	schtasks.exe
5628	schtasks.exe
2032	schtasks.exe
4760	schtasks.exe
4176	schtasks.exe
512	schtasks.exe
4688	schtasks.exe
4928	schtasks.exe
716	schtasks.exe
860	schtasks.exe
5000	schtasks.exe
3168	schtasks.exe
5216	schtasks.exe
4832	schtasks.exe
3956	schtasks.exe
4740	schtasks.exe
4996	schtasks.exe
4844	schtasks.exe
6096	schtasks.exe
4916	schtasks.exe
5172	schtasks.exe
3380	schtasks.exe
3704	schtasks.exe
4780	schtasks.exe
4864	schtasks.exe
3544	schtasks.exe
3896	schtasks.exe
4796	schtasks.exe
4848	schtasks.exe
2244	schtasks.exe
2304	schtasks.exe
4784	schtasks.exe
4888	schtasks.exe
4980	schtasks.exe
988	schtasks.exe
4516	schtasks.exe
2184	schtasks.exe
5008	schtasks.exe
4964	schtasks.exe
3704	schtasks.exe
4764	schtasks.exe
3792	schtasks.exe
1600	schtasks.exe
4144	schtasks.exe
5608	schtasks.exe
4972	schtasks.exe
4780	schtasks.exe
2040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
800	powershell.exe
800	powershell.exe
1676	powershell.exe
1676	powershell.exe
760	powershell.exe
760	powershell.exe
4268	powershell.exe
4268	powershell.exe
620	powershell.exe
620	powershell.exe
4056	powershell.exe
4056	powershell.exe
4588	powershell.exe
4588	powershell.exe
2696	powershell.exe
2696	powershell.exe
3740	powershell.exe
3740	powershell.exe
1676	powershell.exe
620	powershell.exe
760	powershell.exe
800	powershell.exe
4268	powershell.exe
4588	powershell.exe
4056	powershell.exe
3740	powershell.exe
2696	powershell.exe
4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
5192	powershell.exe
5192	powershell.exe
2252	powershell.exe
2252	powershell.exe
4360	powershell.exe
4360	powershell.exe
4360	powershell.exe
5192	powershell.exe
2252	powershell.exe
4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
1352	powershell.exe
1352	powershell.exe
3756	powershell.exe
3756	powershell.exe
1228	powershell.exe
1228	powershell.exe
2540	powershell.exe
2540	powershell.exe
2696	powershell.exe
4964	powershell.exe
2696	powershell.exe
4964	powershell.exe
2748	powershell.exe
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Token: SeDebugPrivilege	5192	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	3288	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	4056	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	5512	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	1572	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	4804	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	2244	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	4840	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	3708	MoUsoCoreWorker.exe
Token: SeDebugPrivilege	5548	MoUsoCoreWorker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5224 wrote to memory of 1676	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	117
PID 5224 wrote to memory of 1676	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	117
PID 5224 wrote to memory of 760	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	118
PID 5224 wrote to memory of 760	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	118
PID 5224 wrote to memory of 4268	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	119
PID 5224 wrote to memory of 4268	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	119
PID 5224 wrote to memory of 620	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	120
PID 5224 wrote to memory of 620	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	120
PID 5224 wrote to memory of 4588	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	121
PID 5224 wrote to memory of 4588	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	121
PID 5224 wrote to memory of 3740	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	122
PID 5224 wrote to memory of 3740	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	122
PID 5224 wrote to memory of 2696	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	123
PID 5224 wrote to memory of 2696	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	123
PID 5224 wrote to memory of 800	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	124
PID 5224 wrote to memory of 800	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	124
PID 5224 wrote to memory of 4056	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	125
PID 5224 wrote to memory of 4056	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	125
PID 5224 wrote to memory of 2668	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	135
PID 5224 wrote to memory of 2668	5224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	135
PID 2668 wrote to memory of 4876	2668	cmd.exe	137
PID 2668 wrote to memory of 4876	2668	cmd.exe	137
PID 2668 wrote to memory of 4204	2668	cmd.exe	140
PID 2668 wrote to memory of 4204	2668	cmd.exe	140
PID 4204 wrote to memory of 5192	4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	148
PID 4204 wrote to memory of 5192	4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	148
PID 4204 wrote to memory of 4360	4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	149
PID 4204 wrote to memory of 4360	4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	149
PID 4204 wrote to memory of 2252	4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	150
PID 4204 wrote to memory of 2252	4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	150
PID 4204 wrote to memory of 1936	4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	154
PID 4204 wrote to memory of 1936	4204	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	154
PID 1936 wrote to memory of 3244	1936	cmd.exe	156
PID 1936 wrote to memory of 3244	1936	cmd.exe	156
PID 1936 wrote to memory of 4224	1936	cmd.exe	157
PID 1936 wrote to memory of 4224	1936	cmd.exe	157
PID 4224 wrote to memory of 4964	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	179
PID 4224 wrote to memory of 4964	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	179
PID 4224 wrote to memory of 1228	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	180
PID 4224 wrote to memory of 1228	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	180
PID 4224 wrote to memory of 3756	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	181
PID 4224 wrote to memory of 3756	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	181
PID 4224 wrote to memory of 2748	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	182
PID 4224 wrote to memory of 2748	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	182
PID 4224 wrote to memory of 2540	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	183
PID 4224 wrote to memory of 2540	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	183
PID 4224 wrote to memory of 1352	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	184
PID 4224 wrote to memory of 1352	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	184
PID 4224 wrote to memory of 3108	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	187
PID 4224 wrote to memory of 3108	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	187
PID 4224 wrote to memory of 2696	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	189
PID 4224 wrote to memory of 2696	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	189
PID 4224 wrote to memory of 3948	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	195
PID 4224 wrote to memory of 3948	4224	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	195
PID 3948 wrote to memory of 1988	3948	cmd.exe	197
PID 3948 wrote to memory of 1988	3948	cmd.exe	197
PID 3948 wrote to memory of 3288	3948	cmd.exe	201
PID 3948 wrote to memory of 3288	3948	cmd.exe	201
PID 3288 wrote to memory of 2604	3288	MoUsoCoreWorker.exe	206
PID 3288 wrote to memory of 2604	3288	MoUsoCoreWorker.exe	206
PID 3288 wrote to memory of 5048	3288	MoUsoCoreWorker.exe	207
PID 3288 wrote to memory of 5048	3288	MoUsoCoreWorker.exe	207
PID 2604 wrote to memory of 4056	2604	WScript.exe	209
PID 2604 wrote to memory of 4056	2604	WScript.exe	209

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
"C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\encapsulation\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4628_119883617\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJNRBzAAII.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4876
- - C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
    "C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9iMPvVJ4No.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3244
    - - C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\TrustedInstaller.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4628_995211002\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9a6RA8xzCC.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1988
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acbc2e6d-5eb3-4ab5-bf00-e2775502dcfe.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1aa85bc-cfee-4cea-ada4-8e333e9c1358.vbs"
        10⤵
        
        PID:1932
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc476937-1266-4bcb-a76f-1c7f3086d95e.vbs"
        12⤵
        
        PID:4940
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2608f6a4-f938-4f2e-9447-2a00f0e6bbf5.vbs"
        14⤵
        
        PID:1772
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac90159a-b24f-4786-ac24-5b4eda7037b8.vbs"
        16⤵
        
        PID:5480
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe62fce6-d0c4-4861-83bc-f818aceff7e1.vbs"
        18⤵
        
        PID:4780
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2285f37e-8444-4d28-a3c8-b67f6454e623.vbs"
        20⤵
        
        PID:5520
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e733860-fe6d-403a-9cdc-de33c9a0acbe.vbs"
        22⤵
        
        PID:3760
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ba34988-431c-4305-803e-7416be01e0bd.vbs"
        24⤵
        
        PID:3500
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        25⤵
        
        PID:5256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd5d55e1-b523-4d5c-afb2-18e90d689c3d.vbs"
        26⤵
        
        PID:3684
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        27⤵
        
        PID:3716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f294c85a-7f6c-412e-b418-954ea8ef2dcf.vbs"
        28⤵
        
        PID:3296
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe"
        29⤵
        
        PID:4532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b30d6045-7b8b-4654-a918-76af83845730.vbs"
        30⤵
        
        PID:3284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b392295-2a4c-4d3b-9308-3965d29dc26f.vbs"
        30⤵
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4818815d-7992-40be-9eff-90f619946c5c.vbs"
        28⤵
        
        PID:5396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\414f6133-e674-4187-a21e-db3378a648bc.vbs"
        26⤵
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\961ab5cb-049c-483a-82a4-cdb02d8a5a10.vbs"
        24⤵
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f41ad2aa-3f1e-4e79-862e-92846ba45633.vbs"
        22⤵
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a04809f3-625c-4617-9c8a-4869f331b0ce.vbs"
        20⤵
        
        PID:5976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\171d7c8b-607d-47c3-ba17-142aa4e620e9.vbs"
        18⤵
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09c7bc28-0df8-4784-a34f-c56a3098c93d.vbs"
        16⤵
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3088e944-73a8-46a4-8312-21c5edf6e898.vbs"
        14⤵
        
        PID:5772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b905f42b-c351-4814-894c-3c481724de6b.vbs"
        12⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d6a09db-41f1-445f-96e9-6bccd624c3b8.vbs"
        10⤵
        
        PID:3556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88757ef0-5b57-4e31-8957-4cec884dde1e.vbs"
        8⤵
        
        PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\appcompat\encapsulation\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\appcompat\encapsulation\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4628_119883617\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4628_119883617\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4628_119883617\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914d" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914d" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Users\Public\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Public\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\Users\Public\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4628_995211002\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4628_995211002\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4628_995211002\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe

Filesize
1.6MB

MD5
0fd66a538f4522c0caf15cef774dfd1a

SHA1
b99412787d9a6480f286da5d6c4b70ee3717ffd0

SHA256
9649bcf76b5001709ffde7376bf396de4e8fa454bc2a1f46e4e207b6c20cc606

SHA512
e30a2abdd2db1775bd65033ae9b3d514bdaed48e2bbae677621e8fa77699af382ffe5949636b7b9d8c18ffb752bda814edaacb0af5bb59dd9afd8108b57ef41d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MoUsoCoreWorker.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8e7675df15697eee65b731b90f33a5f

SHA1
8fe1308e032c5cb61b8ea50672fd650889cecdcd

SHA256
656a10810af26e008c2c5d4748b4a476b97b9fd5ef7837ae197feff6ec00b932

SHA512
fed3aa124a90998c734d36397f7fa6e26973bbeaa2c11b999ee05b0fb2378473b14765ca606f021c2f778613ce61f3a1c6836e955b7c6b192a7774973a945992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a5d93882341ce023d4569907c3bb0def

SHA1
db0998ab671abb543a7ac78596c0b95743a9a2c8

SHA256
c3ea7d8d4ac21adbe8c93e10729367b0b7c3477e7758596609c8e25e45baaa78

SHA512
7bf5716c96d93da7d37bbedb9623c9ae2860ac7b1a0e9310cbee0962556705f8876aebdabb9820f1f1ed37e504e002f24507a23db302d0e180bb45092520cc7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47dc8ed1f00b2cf40d90efa529ee35cc

SHA1
851d6a181ebb44256367c73042ed4f774bce9bdd

SHA256
2a1fa5eb6fa8a3b821776f5db5d69d414ca120a4612e613ec6ad34d216b2223e

SHA512
3dc49732881a4c8d2edfd4619ea4d206cca74fabba7d00f2021a7e07dba47c436a10f2d591ca43930c674ffe6b5f528a9e10e543dd87edf97d3f2f078c23c928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fb615e25fa5c5d81a46365d6446ed714

SHA1
a57ba54012b1fb1920cfcf276424556d6dc547fc

SHA256
61387deb1626bfef8716a58b204fe05f3df45181550ac38a081c97409c8973fc

SHA512
75961d4e10c7387ca20add4c96b2c4ebb897de417a18b6c6ac9008baa7c0d38823db4797d42e423225c09314ebfe8b000aa9f659f2e992ac8eba8a071407414e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b4b6d4cc52b5a3a71149b1f33d94d5de

SHA1
97d3dbdd24919eab70e3b14c68797cefc07e90dd

SHA256
da8c02ce00d5b1e6d4c3667465c7bbc14d7cd5227eb634f3d9690afd488267fe

SHA512
fc894f03709b83df7d2fca2779e1e60549078b67bcdbff0b61c8e5a802982210ae971309c1f92577573299288963ab5c95c6b38cbaedf53dc6062812c57a97af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2ea91e7d1b473f8290ae52d13e105194

SHA1
5e565d99a7733250427e70f5f6e1951a081deed6

SHA256
712db2b991a3c11ccd71b36cfe99fad0b5b1eb1026b12d28c35a43334128671a

SHA512
0d6e2f0f8963986cb27a5cb853c5a87af5d2b65142ff082b4a12681b467d4a72efbcaea71307513523915aa4f27e7b238c67f4ab563f69525938f38253599424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
120B

MD5
ab4f01dfbd7040ec0a5801b3339e97c1

SHA1
8e9de88441ff2acaf6800c53d5a1be04fa3c4069

SHA256
5240f77e697e9de0b4bcba1c44ff3d9474e8844ff42581586d33e1d203242e76

SHA512
50d270ee10ed74960869004ae305bc57dd8a7765bfc6ba0576449569ac884917040a3d330173642579f183eff7056f033510a236a44c85d5c8e9c5f54b9415e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3e242d3c4b39d344f66c494424020c61

SHA1
194e596f33d54482e7880e91dc05e0d247a46399

SHA256
f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

SHA512
27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f90966b115ceedea40a1459b884ea4b2

SHA1
c639d5e81ecbb56a5acf3a5c46b10ae1fe54a7dd

SHA256
98bf9386b1d3dc307fb193cb7b9ee84e3c794284d07f59a209fe424811233e7f

SHA512
1d1d9b92ba16efdfd74504f5d98701a3ce3bb0f4a08b18d5e2a331977e07a4ab935c199ff582f9cefbb0958f95e1d0d1d132cda0d45dc86b2aea2fd979ca362f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2285f37e-8444-4d28-a3c8-b67f6454e623.vbs

Filesize
761B

MD5
534a92a850b4cd2519e14a3dcb7c2080

SHA1
cc90a38a55aaa8bdf4bdc6d6b5b32a75cc6208f0

SHA256
74e520101c1862ffc99e636532c53920524dd826c923af4d0c1409bda7fa0663

SHA512
dd28cc21f3fd03f37cdcff14e6f4bdd548a1057bdbf3b38a922a5b798fffdfa05b11d6c36d233801e851f9e394afad8cd0936140e0b94e6368806ad350931ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2608f6a4-f938-4f2e-9447-2a00f0e6bbf5.vbs

Filesize
761B

MD5
4ef1c35075870237ee67541888d15c77

SHA1
1053c33ebbf0f573e48b039c7fbc26cc96d45ee2

SHA256
d482d778a56bce0c59f849eaee8ec1949a0b1ef9bc0cc678abbce42ea32ea88a

SHA512
934579067eec6b0e58d18713268aa68df4259bbd0bff8c336524994ff2f6096f14c02d2110d94e918f7eb71ad132934950ab793259752c522071d254f3ee9342

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e733860-fe6d-403a-9cdc-de33c9a0acbe.vbs

Filesize
761B

MD5
ad53068b7e45c731fed2930e66384004

SHA1
cfa0a885601690fb0bd3941f9df09acc7140d49b

SHA256
2b7c77ada01fc9d18a24ae67dbff57d533cafe6da4ddd23e97b3e9cb2002d01e

SHA512
21b135f3be92d0da4bf709dbf2ab2796a3f0a647f6bd0d826e3fe3cb7c521e7b472d845b4ceef754c353f13ef4025327ffab65a4ca4f373682a2d9a33089b484

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ba34988-431c-4305-803e-7416be01e0bd.vbs

Filesize
761B

MD5
073ecdb04ec3ce81d7ef8b2254338d54

SHA1
a3f56821bd35e4b2b5aa5cb8d6e61ca5368b2d28

SHA256
a9b7855b8ee794456520bb42c531b65016299c2a209ef39169b89bca094f6808

SHA512
ba8bc02e191cc3a1ac2fbf2d0dcc49079880666251e0a9eb3268e6f0fce3c38312628cb3e85230ecc6b98c46d84e5a933b0dd9ee9b7230e242a9b4ce2bda1346

Download Submit
C:\Users\Admin\AppData\Local\Temp\88757ef0-5b57-4e31-8957-4cec884dde1e.vbs

Filesize
537B

MD5
92bdca731f6750a62223d81d7f108a20

SHA1
8650e15f8d6056f4425e59cdcd475eb33b8f580a

SHA256
92db3ac95a2defde63327fe7fe56ca7cca0a044e3bc96d456a4d4e4ddb1a2791

SHA512
7e5184cd3c63bdf9e6a362b22155d302cb71f8491254759afd160758bf9c3cc635dbdf84c0fc744c2bb835b903359baed457ba8e5c420841552abcc92977fd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a6RA8xzCC.bat

Filesize
250B

MD5
c9554c5a8e69108caaa647f3de9ecbc7

SHA1
cebba6c5372d9b25024b5ead55215cdfa8f801a7

SHA256
a31089014d48fa51957a75f5218436d19e502637e3e5e924778e140adc653f55

SHA512
e7d57dddc7d8cfdf50b5de248e20f62313afc014d9e644a915f20fbf074c006218dcea6806f72ce4289289f1478ae4a63134053eda7419e317ac9898dbd5ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\9iMPvVJ4No.bat

Filesize
267B

MD5
f4d4e0573ade6c76f538867f1b4e32a5

SHA1
0679faaefb8015f979da539245b7aa1ccab81ef4

SHA256
e1796429ae6d63d0e8d5cf71cd4b50cf6c2ab06255eb764302e626d941d5f7cc

SHA512
8f91be9c4b0411e0d8f105834f3177515a56310cfe6c7f708ea38161bd1ef1c90d93b597815ac23a7b1f5bd6a60c7367bd4d6eda38d9797d61acab6b60032a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fklqan2e.3tj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac90159a-b24f-4786-ac24-5b4eda7037b8.vbs

Filesize
761B

MD5
53b1327ef88d194bddf8c51715c729e5

SHA1
9f14fc45f3758981f755368801a031a3274ff553

SHA256
5dfb9230f1ad87c3cddcfb309096cb1768b726cddc75276b9cbc6c11907c8ab2

SHA512
fc374b47dbf5d222a6aad785f0c55b4f5989f23c858f2f51404f4701219c29a504fdd4b09ee422a164dcafc35e60c07da164acbe68084fedf8e02ec48794be4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\acbc2e6d-5eb3-4ab5-bf00-e2775502dcfe.vbs

Filesize
761B

MD5
958554be24b5537adefd0bca2d04dc6d

SHA1
93011201cc5a03e81cf07f4fcfcff42e34cff9ab

SHA256
cb8c55afa26a9086322584e510f738fe9a3f08cca845e29d8974c76ed504a10b

SHA512
87968577efec9b20cb1dd28b9e8b78f358d6db996c2b41995f6daa1a3fbf5f2b10ec056080c8d6f48158039f88a7aec255b8d10c52b170e5a8ed33fcce20a196

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc476937-1266-4bcb-a76f-1c7f3086d95e.vbs

Filesize
761B

MD5
b5535890fae0bb5c87f562605baf1cfb

SHA1
75b9b91b33eafb1fbc5a8c145a8f5951e077c859

SHA256
e94eb30438ad7375af646822d4dea0c0e8877849c6bbdbf1f0e34438f288a2c9

SHA512
211c7c7df152ca533dba9151a22b9a06c1b2fea0b5b3e52ac00439a066dbaed8346612e134d2a82f68ed0837a3ef3fd2e40c29b50f001eff0d503fe6c5ac13d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1aa85bc-cfee-4cea-ada4-8e333e9c1358.vbs

Filesize
761B

MD5
dc29a10e3ac9ae7b84c1970250639774

SHA1
dfbbb93acd662cc9141407698329799c55e860ea

SHA256
7dd977575e920b913d3f660af25a3bb1a03789d80657fdd5ffdcff22722b14c8

SHA512
82d0de11d2b443287750a012f6d694d1cb71b94e2339ecab698224393cd7d56b662145fa74e062949bfdb4957b76c8f5a1811ed59cf815526fd0129d73fc7f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe62fce6-d0c4-4861-83bc-f818aceff7e1.vbs

Filesize
761B

MD5
e99a227e2868e03beb6aae34ca93dc42

SHA1
7a592b799c82c3611619a78f92237aea3c10cc55

SHA256
34ebbbe4a31ffd9fd7abd02bfe8389dcd369d70651ae19783cb2a78ecee3e064

SHA512
affb96bccb2e11c6f7cf8e25b0a0ffe81a5e5c6f853e602bb0cb44117b746b9dc110f636288e00a9292e7583a415757cd1f4f99bc643e4a175287cec19269dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJNRBzAAII.bat

Filesize
267B

MD5
69cd4c3dc74487e0cf563d9cc2bc6f08

SHA1
c6d9925feb0eb5e68d67c4a609ec23ec72317a50

SHA256
9fcdbe35376545ff649ad79e3bd6c1bfae4167094ecb633577e9ca278838405b

SHA512
4260831de504f717befacf8f162146d2513f841a84ee5cb7bdcc4ad823eb2c2dad70091fd052d99249d2099242d321057359e82bf96d000d9d3f88449bbbc275

Download Submit
C:\Windows\appcompat\encapsulation\services.exe

Filesize
1.6MB

MD5
66d07aba299e88d9fd0562bdde9ef487

SHA1
3187acda67ed22501f39f2b436d064faf9464045

SHA256
d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914

SHA512
64ec5f70e2e57279280b2bd2aa6503138b362e2777be368037102acba1875361e8299460e6075e04aa9f754c9597d63c89d27b80f7b054c766675ef0e8aff875

Download Submit
C:\Windows\debug\dllhost.exe

Filesize
1.6MB

MD5
74d1a45bf9fc12bea253e47f38c8f881

SHA1
9617e13c9c5392caefb508ef284fbbfdc2bf3c28

SHA256
5c1ffe6e344e35467d380854a1e3120898c89f08443be7a1b83468c1a897065c

SHA512
a10f03e4efc8ff596cb52a96f58666889e6438c0ff3d2d8cde8cd034989da7e3e5187d22d39ca39483219b1d56462ca71fba9dc61be47381eaf1bbb31cf315ba

Download Submit
memory/4588-139-0x0000016823CD0000-0x0000016823CF2000-memory.dmp

Filesize
136KB

Download
memory/5224-14-0x000000001BA20000-0x000000001BA28000-memory.dmp

Filesize
32KB

Download
memory/5224-6-0x000000001B8E0000-0x000000001B8F6000-memory.dmp

Filesize
88KB

Download
memory/5224-13-0x000000001BA10000-0x000000001BA1E000-memory.dmp

Filesize
56KB

Download
memory/5224-11-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

Filesize
48KB

Download
memory/5224-10-0x000000001BA80000-0x000000001BA8C000-memory.dmp

Filesize
48KB

Download
memory/5224-9-0x000000001B970000-0x000000001B978000-memory.dmp

Filesize
32KB

Download
memory/5224-8-0x000000001B910000-0x000000001B920000-memory.dmp

Filesize
64KB

Download
memory/5224-7-0x000000001B900000-0x000000001B908000-memory.dmp

Filesize
32KB

Download
memory/5224-15-0x000000001BA30000-0x000000001BA38000-memory.dmp

Filesize
32KB

Download
memory/5224-12-0x000000001BA00000-0x000000001BA0A000-memory.dmp

Filesize
40KB

Download
memory/5224-4-0x000000001B920000-0x000000001B970000-memory.dmp

Filesize
320KB

Download
memory/5224-16-0x000000001BA40000-0x000000001BA4A000-memory.dmp

Filesize
40KB

Download
memory/5224-0-0x00007FFCB6F53000-0x00007FFCB6F55000-memory.dmp

Filesize
8KB

Download
memory/5224-5-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

Filesize
64KB

Download
memory/5224-17-0x000000001BA50000-0x000000001BA5C000-memory.dmp

Filesize
48KB

Download
memory/5224-140-0x00007FFCB6F50000-0x00007FFCB7A11000-memory.dmp

Filesize
10.8MB

Download
memory/5224-3-0x0000000002880000-0x000000000289C000-memory.dmp

Filesize
112KB

Download
memory/5224-2-0x00007FFCB6F50000-0x00007FFCB7A11000-memory.dmp

Filesize
10.8MB

Download
memory/5224-1-0x0000000000500000-0x00000000006A2000-memory.dmp

Filesize
1.6MB

Download