dcrat | e5d28ec84e4b5f023e3f386cf7e0776850b67e2bad1299413885f3fdd757f58c

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e864953c3a95b063ace86177e1914753.exe
Size

5.9MB
MD5

e864953c3a95b063ace86177e1914753
SHA1

472bc71ef2e9c06ff3271fc0623f79a95ed2fe93
SHA256

d11fecef716ab9ab91bb2342635dd89113e0cce4313229abbc80462facaefad9
SHA512

f947ad181a748964673ce7fcff6ba8cb192079cf4f095ce60e44b4ff0a5bd241a06b0cca88899b91ad8064c3d000946a6da1bb7d7b61759b9a5888e8aa64a435
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4J:hyeU11Rvqmu8TWKnF6N/1wo

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2984	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2984	schtasks.exe	30

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e864953c3a95b063ace86177e1914753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e864953c3a95b063ace86177e1914753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e864953c3a95b063ace86177e1914753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1976	powershell.exe
2972	powershell.exe
1596	powershell.exe
1360	powershell.exe
2932	powershell.exe
268	powershell.exe
2296	powershell.exe
2480	powershell.exe
1268	powershell.exe
2324	powershell.exe
1728	powershell.exe
2072	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e864953c3a95b063ace86177e1914753.exe

Executes dropped EXE 3 IoCs

pid	Process
768	System.exe
2300	System.exe
3020	System.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e864953c3a95b063ace86177e1914753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e864953c3a95b063ace86177e1914753.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
768	System.exe
768	System.exe
2300	System.exe
2300	System.exe
3020	System.exe
3020	System.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\System.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files (x86)\Adobe\27d1bcfc3c54e0	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCXD9D3.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXF45C.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXF46D.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXFA98.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXFCAC.tmp	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files (x86)\Common Files\Adobe\6ccacd8608530f	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files\7-Zip\Lang\lsass.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files (x86)\Adobe\csrss.exe	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Adobe\System.exe	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Adobe\csrss.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\56085415360792	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\csrss.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files (x86)\Adobe\886983d96e3d3e	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files\Uninstall Information\OSPPSVC.exe	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wininit.exe	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lsass.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files\Uninstall Information\1610b97d3ab4a7	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXE8CF.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Idle.exe	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCXD388.tmp	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files\7-Zip\Lang\6203df4a6bafc7	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCXD387.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXDC55.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXE8BE.tmp	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\f3b6ecef712a24	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCXDA51.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXFA97.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXFCAD.tmp	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Idle.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files\Uninstall Information\OSPPSVC.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wininit.exe	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXDCC3.tmp	e864953c3a95b063ace86177e1914753.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\System.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Windows\Fonts\27d1bcfc3c54e0	e864953c3a95b063ace86177e1914753.exe
File created	C:\Windows\winsxs\wininit.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Windows\Resources\Themes\Aero\WmiPrvSE.exe	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\RCXF1EA.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\RCXF258.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\WmiPrvSE.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Windows\Fonts\System.exe	e864953c3a95b063ace86177e1914753.exe
File created	C:\Windows\Resources\Themes\Aero\24dbde2999530e	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Windows\Fonts\RCXD59B.tmp	e864953c3a95b063ace86177e1914753.exe
File opened for modification	C:\Windows\Fonts\RCXD59C.tmp	e864953c3a95b063ace86177e1914753.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1172	schtasks.exe
1368	schtasks.exe
2548	schtasks.exe
2712	schtasks.exe
2748	schtasks.exe
3040	schtasks.exe
1292	schtasks.exe
1916	schtasks.exe
2948	schtasks.exe
1056	schtasks.exe
2728	schtasks.exe
2684	schtasks.exe
2004	schtasks.exe
2896	schtasks.exe
1816	schtasks.exe
2760	schtasks.exe
2996	schtasks.exe
2968	schtasks.exe
2636	schtasks.exe
2600	schtasks.exe
2488	schtasks.exe
1992	schtasks.exe
1700	schtasks.exe
2068	schtasks.exe
2900	schtasks.exe
2524	schtasks.exe
1576	schtasks.exe
2912	schtasks.exe
2484	schtasks.exe
2052	schtasks.exe
888	schtasks.exe
2772	schtasks.exe
2336	schtasks.exe
2036	schtasks.exe
2832	schtasks.exe
3024	schtasks.exe
2228	schtasks.exe
1124	schtasks.exe
2556	schtasks.exe
1448	schtasks.exe
1468	schtasks.exe
872	schtasks.exe
2264	schtasks.exe
1976	schtasks.exe
1336	schtasks.exe
1236	schtasks.exe
780	schtasks.exe
1800	schtasks.exe
2112	schtasks.exe
1096	schtasks.exe
2628	schtasks.exe
2516	schtasks.exe
268	schtasks.exe
2564	schtasks.exe
1300	schtasks.exe
2244	schtasks.exe
2324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2164	e864953c3a95b063ace86177e1914753.exe
2324	powershell.exe
268	powershell.exe
2932	powershell.exe
2072	powershell.exe
2972	powershell.exe
1268	powershell.exe
2480	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	e864953c3a95b063ace86177e1914753.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	768	System.exe
Token: SeDebugPrivilege	2300	System.exe
Token: SeDebugPrivilege	3020	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1728	2164	e864953c3a95b063ace86177e1914753.exe	89
PID 2164 wrote to memory of 1728	2164	e864953c3a95b063ace86177e1914753.exe	89
PID 2164 wrote to memory of 1728	2164	e864953c3a95b063ace86177e1914753.exe	89
PID 2164 wrote to memory of 268	2164	e864953c3a95b063ace86177e1914753.exe	90
PID 2164 wrote to memory of 268	2164	e864953c3a95b063ace86177e1914753.exe	90
PID 2164 wrote to memory of 268	2164	e864953c3a95b063ace86177e1914753.exe	90
PID 2164 wrote to memory of 2296	2164	e864953c3a95b063ace86177e1914753.exe	91
PID 2164 wrote to memory of 2296	2164	e864953c3a95b063ace86177e1914753.exe	91
PID 2164 wrote to memory of 2296	2164	e864953c3a95b063ace86177e1914753.exe	91
PID 2164 wrote to memory of 2072	2164	e864953c3a95b063ace86177e1914753.exe	92
PID 2164 wrote to memory of 2072	2164	e864953c3a95b063ace86177e1914753.exe	92
PID 2164 wrote to memory of 2072	2164	e864953c3a95b063ace86177e1914753.exe	92
PID 2164 wrote to memory of 2480	2164	e864953c3a95b063ace86177e1914753.exe	93
PID 2164 wrote to memory of 2480	2164	e864953c3a95b063ace86177e1914753.exe	93
PID 2164 wrote to memory of 2480	2164	e864953c3a95b063ace86177e1914753.exe	93
PID 2164 wrote to memory of 1976	2164	e864953c3a95b063ace86177e1914753.exe	94
PID 2164 wrote to memory of 1976	2164	e864953c3a95b063ace86177e1914753.exe	94
PID 2164 wrote to memory of 1976	2164	e864953c3a95b063ace86177e1914753.exe	94
PID 2164 wrote to memory of 2972	2164	e864953c3a95b063ace86177e1914753.exe	95
PID 2164 wrote to memory of 2972	2164	e864953c3a95b063ace86177e1914753.exe	95
PID 2164 wrote to memory of 2972	2164	e864953c3a95b063ace86177e1914753.exe	95
PID 2164 wrote to memory of 2932	2164	e864953c3a95b063ace86177e1914753.exe	96
PID 2164 wrote to memory of 2932	2164	e864953c3a95b063ace86177e1914753.exe	96
PID 2164 wrote to memory of 2932	2164	e864953c3a95b063ace86177e1914753.exe	96
PID 2164 wrote to memory of 1360	2164	e864953c3a95b063ace86177e1914753.exe	97
PID 2164 wrote to memory of 1360	2164	e864953c3a95b063ace86177e1914753.exe	97
PID 2164 wrote to memory of 1360	2164	e864953c3a95b063ace86177e1914753.exe	97
PID 2164 wrote to memory of 1596	2164	e864953c3a95b063ace86177e1914753.exe	99
PID 2164 wrote to memory of 1596	2164	e864953c3a95b063ace86177e1914753.exe	99
PID 2164 wrote to memory of 1596	2164	e864953c3a95b063ace86177e1914753.exe	99
PID 2164 wrote to memory of 2324	2164	e864953c3a95b063ace86177e1914753.exe	100
PID 2164 wrote to memory of 2324	2164	e864953c3a95b063ace86177e1914753.exe	100
PID 2164 wrote to memory of 2324	2164	e864953c3a95b063ace86177e1914753.exe	100
PID 2164 wrote to memory of 1268	2164	e864953c3a95b063ace86177e1914753.exe	102
PID 2164 wrote to memory of 1268	2164	e864953c3a95b063ace86177e1914753.exe	102
PID 2164 wrote to memory of 1268	2164	e864953c3a95b063ace86177e1914753.exe	102
PID 2164 wrote to memory of 780	2164	e864953c3a95b063ace86177e1914753.exe	113
PID 2164 wrote to memory of 780	2164	e864953c3a95b063ace86177e1914753.exe	113
PID 2164 wrote to memory of 780	2164	e864953c3a95b063ace86177e1914753.exe	113
PID 780 wrote to memory of 2676	780	cmd.exe	115
PID 780 wrote to memory of 2676	780	cmd.exe	115
PID 780 wrote to memory of 2676	780	cmd.exe	115
PID 780 wrote to memory of 768	780	cmd.exe	116
PID 780 wrote to memory of 768	780	cmd.exe	116
PID 780 wrote to memory of 768	780	cmd.exe	116
PID 768 wrote to memory of 2452	768	System.exe	117
PID 768 wrote to memory of 2452	768	System.exe	117
PID 768 wrote to memory of 2452	768	System.exe	117
PID 768 wrote to memory of 3048	768	System.exe	118
PID 768 wrote to memory of 3048	768	System.exe	118
PID 768 wrote to memory of 3048	768	System.exe	118
PID 2452 wrote to memory of 2300	2452	WScript.exe	119
PID 2452 wrote to memory of 2300	2452	WScript.exe	119
PID 2452 wrote to memory of 2300	2452	WScript.exe	119
PID 2300 wrote to memory of 1620	2300	System.exe	120
PID 2300 wrote to memory of 1620	2300	System.exe	120
PID 2300 wrote to memory of 1620	2300	System.exe	120
PID 2300 wrote to memory of 2564	2300	System.exe	121
PID 2300 wrote to memory of 2564	2300	System.exe	121
PID 2300 wrote to memory of 2564	2300	System.exe	121
PID 1620 wrote to memory of 3020	1620	WScript.exe	122
PID 1620 wrote to memory of 3020	1620	WScript.exe	122
PID 1620 wrote to memory of 3020	1620	WScript.exe	122
PID 3020 wrote to memory of 1488	3020	System.exe	123

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e864953c3a95b063ace86177e1914753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e864953c3a95b063ace86177e1914753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e864953c3a95b063ace86177e1914753.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e864953c3a95b063ace86177e1914753.exe
"C:\Users\Admin\AppData\Local\Temp\e864953c3a95b063ace86177e1914753.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xiuQmrpE1z.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2676
- - C:\Program Files (x86)\Adobe\System.exe
    "C:\Program Files (x86)\Adobe\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a19284a8-2d09-4263-a035-94675f07fb93.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Program Files (x86)\Adobe\System.exe
        
        "C:\Program Files (x86)\Adobe\System.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2300
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0688267b-e583-499e-890c-9f836f380179.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Program Files (x86)\Adobe\System.exe
        
        "C:\Program Files (x86)\Adobe\System.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae594efa-0e86-4d79-88ea-f073e189c2d8.vbs"
        8⤵
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ef7be1b-2965-4901-8d03-69785dd29dcf.vbs"
        8⤵
        
        PID:3060
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0ecb15b-02bf-4b27-9014-1e38d0f6be7f.vbs"
        6⤵
        
        PID:2564
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf94b9db-74fd-472f-9719-14fb5f13ed20.vbs"
      4⤵
      PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864953c3a95b063ace86177e1914753e" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\e864953c3a95b063ace86177e1914753.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864953c3a95b063ace86177e1914753" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\e864953c3a95b063ace86177e1914753.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e864953c3a95b063ace86177e1914753e" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\e864953c3a95b063ace86177e1914753.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Themes\Aero\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\Aero\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe

Filesize
5.9MB

MD5
d3e505654478f20437a64b1c7a7e55c7

SHA1
0c60f2d6af4e21af65737f010783a2973d96c081

SHA256
220ac47725df6dffd34410b7c9c3943ec03d72bbc1f0bb0420ed81898f060b8d

SHA512
43efbb1033f2a3e5c221be89ab38498b6654e660ccf52c16ee38ecf4f9fad0dc6297d5a64f5978a340fbd0a40236dc1705485d7ce5919a3c4175d801656d6a25

Download Submit
C:\Program Files\Uninstall Information\OSPPSVC.exe

Filesize
5.9MB

MD5
e864953c3a95b063ace86177e1914753

SHA1
472bc71ef2e9c06ff3271fc0623f79a95ed2fe93

SHA256
d11fecef716ab9ab91bb2342635dd89113e0cce4313229abbc80462facaefad9

SHA512
f947ad181a748964673ce7fcff6ba8cb192079cf4f095ce60e44b4ff0a5bd241a06b0cca88899b91ad8064c3d000946a6da1bb7d7b61759b9a5888e8aa64a435

Download Submit
C:\Program Files\Uninstall Information\OSPPSVC.exe

Filesize
5.9MB

MD5
d9b06ab21cfab745eb7a3372a6ebb5bf

SHA1
24fb9566c6b339a9b4afb2d74dbbb002c797c659

SHA256
237c25b67181a8d58fc99f6d0bfafeebcf843d0cde744229143278292936b129

SHA512
4c81076f138951eebab76b7d19a76ba2b6a95bfafe5527228688ac2d0a1ded3adea8a0bf36111f94124738c77bf23ef60d53d8c4e6601278cb4e38833abc6484

Download Submit
C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\System.exe

Filesize
5.9MB

MD5
ba40fbd80c0cf3daf515f8855e4fc246

SHA1
6f1b34fdda7f20df53830ec6e589781d0f0c0fd2

SHA256
23e7709f9a0214994b92c4386e9550ffbce8855e4a0a700a143cc4acbe6500c1

SHA512
2333a2a2c76b4c5136ec1108d60c49a17218d64e23c0e15e28b2cbd59279902d60cc6a861f976d91ff3c315b57bb9d78fbb909182d76b9a34db896acab1bf5fe

Download Submit
C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe

Filesize
5.9MB

MD5
65e00725432ea8bb0c8c3583ae3ed05f

SHA1
d148b8cbd3a9d08eb3055191a22596bd3c5b8af3

SHA256
a9f912ccbbdecc1cbacbe643e072cb74554eeed101563cb4a4e9fa0d84d4f0ec

SHA512
ce89400a732abc920b3ffcc920b95635cfe695d588a63d7f76d64aa93951b33f0965751ee90a6f34b507cc08d7750ff488a615caab0a220323d12f39e961132c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0688267b-e583-499e-890c-9f836f380179.vbs

Filesize
715B

MD5
a5c9932b876806b98fa8c9ceebf0dbe6

SHA1
01115eed886d957ca4b23840c1ae7bc237bda32e

SHA256
ec3f937420d48a57ecf15f71a093d75eabe99758b1ed0dd2d78cd844205de8bf

SHA512
76749deea9d714fae8797b8de754145416b83e478b06105a92743a79c06a13d4c88f41d0d127d4a36abbb22ed9279710e8583adf66b74af52f62df32729bad02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a19284a8-2d09-4263-a035-94675f07fb93.vbs

Filesize
714B

MD5
06059fb9bf25a46370c8881119b3bff0

SHA1
d5a1873aec23687cd057747061c9e97f65cca10a

SHA256
6d9e863d4b7fc8010328ec52ae325afda1fd2b8bd1372b1ad498c1af41d86943

SHA512
d557fa74ee5787bebf7b88972baf7bc0603f6698a5a4706d71973456a81ea8fd4e4889ab5961e59fedfef4b7330446c7604a9d2688d58024e14c1fbd9ec69887

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae594efa-0e86-4d79-88ea-f073e189c2d8.vbs

Filesize
715B

MD5
ee6c88547f1f8b467607f208a016aa6e

SHA1
a8a8211fcb566d3350bf2f01affcb261d619d4ae

SHA256
1b218dd8f8c3b886cfb189b0d3fadcf600b088c39835e14608e84dd4dd66ea1d

SHA512
b3dbd319484384def9073c5348bf91751a97446f31673dedc85f607cd6752bc3633c85374b82ebf2ae92d07da1a8389c045dc0c055f2b9f5adf16d30c0f3c27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf94b9db-74fd-472f-9719-14fb5f13ed20.vbs

Filesize
491B

MD5
1472c06fef5bbf0aae8e56eca1158ec3

SHA1
cb9753e3ba1a3c66bb18987f6ca048dfe9effa06

SHA256
878521f7e18a2d7572e516bf1d35268a329068ed6ef25342fbc496b69c43945e

SHA512
d50c7917c9cd3756fe33a894b499b6611c355f862e33db2baf17821597ec28244abdd593ad3049a924b215ef278d002bf55838bf05b9330514a07f8793c39b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiuQmrpE1z.bat

Filesize
204B

MD5
1d224cf32518614a4416128dd7bf4f4d

SHA1
1774bbcac3041373c6d42e8c4ccef4499ebadf93

SHA256
dccc3341a96f4d920972757519d6f9afdf46d4c60cb10493ebba3883920892bc

SHA512
43d3c76d1154552e7c40cc96d437cf89e3165c1cb8bbcfeb376445f2958a5314e3914bf0a7530747c7a0ec5bd816dd7d5db99e9e08dfc80e20dcc43b0f442b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YNDUA34979QW49QOODWI.temp

Filesize
7KB

MD5
c1c253fa77b9f00a5361ac4e6f0f0cca

SHA1
417cdda0a61c015c17c1cbb7f5fe9e8d14cd6b60

SHA256
c074cdfba89a042928e5d8d4e74431c011df133dd7fa55d7e76ee81ac69b2d98

SHA512
f47ae1af6c305e0a0eccc04cdbe643206a740f8fac65dec96646585c9b85b201eb6f4053ab246bd1d9bf6bbe00d8d2061ebecbde243085bd7c0dfdec330c1f3c

Download Submit
C:\Users\Public\Music\Idle.exe

Filesize
5.9MB

MD5
98c7ec6b36dca2ebf852b9a8390d9c23

SHA1
f4b7d5ce53e194bc8870f441e6d1451a35958ff3

SHA256
fac8871a5afb114eb5a1c7fffcef2fd82abf85db4dde4d1e1a400e841d2d7f16

SHA512
f6586a2aad06939628121794480f40ccc12cc665b33d7e3508dd549fbece5940c43372a0ba80cc9a99566197ce07b7337ba7805e9372f25c1fa9de9759989892

Download Submit
C:\Windows\Resources\Themes\Aero\WmiPrvSE.exe

Filesize
5.9MB

MD5
2221aac350855eea75ef07451125daa4

SHA1
ddb456a74c66daa4fc8fe89fb513d090bb95210d

SHA256
6fc2d4e4810550fbe1cedd9881eac18b3e9b510ee11a4039d502a27cbce518af

SHA512
ea771359f19f9d4e129ba4205aac679e0a4bd0320e60068d0034ff8466d78746cc52304a7920182c397261f9b9a0041f09dd8a3a6f67916c847c1d78d1db1ee7

Download Submit
memory/768-363-0x0000000000E50000-0x0000000001748000-memory.dmp

Filesize
9.0MB

Download
memory/768-365-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/768-366-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/2164-31-0x000000001BA50000-0x000000001BA5A000-memory.dmp

Filesize
40KB

Download
memory/2164-16-0x0000000002B00000-0x0000000002B0A000-memory.dmp

Filesize
40KB

Download
memory/2164-18-0x0000000002B10000-0x0000000002B1C000-memory.dmp

Filesize
48KB

Download
memory/2164-19-0x000000001B450000-0x000000001B458000-memory.dmp

Filesize
32KB

Download
memory/2164-20-0x000000001B460000-0x000000001B46C000-memory.dmp

Filesize
48KB

Download
memory/2164-21-0x000000001B470000-0x000000001B478000-memory.dmp

Filesize
32KB

Download
memory/2164-23-0x000000001B8B0000-0x000000001B8C2000-memory.dmp

Filesize
72KB

Download
memory/2164-24-0x000000001B8E0000-0x000000001B8EC000-memory.dmp

Filesize
48KB

Download
memory/2164-25-0x000000001B8F0000-0x000000001B8FC000-memory.dmp

Filesize
48KB

Download
memory/2164-27-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/2164-26-0x000000001BA00000-0x000000001BA08000-memory.dmp

Filesize
32KB

Download
memory/2164-28-0x000000001BA20000-0x000000001BA2C000-memory.dmp

Filesize
48KB

Download
memory/2164-29-0x000000001BA40000-0x000000001BA48000-memory.dmp

Filesize
32KB

Download
memory/2164-30-0x000000001BA30000-0x000000001BA3C000-memory.dmp

Filesize
48KB

Download
memory/2164-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

Filesize
4KB

Download
memory/2164-32-0x000000001BA60000-0x000000001BA6E000-memory.dmp

Filesize
56KB

Download
memory/2164-33-0x000000001BA70000-0x000000001BA78000-memory.dmp

Filesize
32KB

Download
memory/2164-34-0x000000001BA80000-0x000000001BA8E000-memory.dmp

Filesize
56KB

Download
memory/2164-35-0x000000001BA90000-0x000000001BA98000-memory.dmp

Filesize
32KB

Download
memory/2164-36-0x000000001BAA0000-0x000000001BAAC000-memory.dmp

Filesize
48KB

Download
memory/2164-37-0x000000001BAB0000-0x000000001BAB8000-memory.dmp

Filesize
32KB

Download
memory/2164-38-0x000000001BAC0000-0x000000001BACA000-memory.dmp

Filesize
40KB

Download
memory/2164-39-0x000000001BB60000-0x000000001BB6C000-memory.dmp

Filesize
48KB

Download
memory/2164-17-0x000000001B860000-0x000000001B8B6000-memory.dmp

Filesize
344KB

Download
memory/2164-15-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/2164-14-0x00000000029D0000-0x00000000029D8000-memory.dmp

Filesize
32KB

Download
memory/2164-13-0x00000000029C0000-0x00000000029CC000-memory.dmp

Filesize
48KB

Download
memory/2164-12-0x0000000002A60000-0x0000000002A72000-memory.dmp

Filesize
72KB

Download
memory/2164-185-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

Filesize
4KB

Download
memory/2164-11-0x00000000029B0000-0x00000000029B8000-memory.dmp

Filesize
32KB

Download
memory/2164-220-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2164-10-0x0000000002990000-0x00000000029A6000-memory.dmp

Filesize
88KB

Download
memory/2164-9-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/2164-1-0x0000000000270000-0x0000000000B68000-memory.dmp

Filesize
9.0MB

Download
memory/2164-8-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/2164-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2164-360-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2164-7-0x0000000002960000-0x000000000297C000-memory.dmp

Filesize
112KB

Download
memory/2164-6-0x0000000000F80000-0x0000000000F88000-memory.dmp

Filesize
32KB

Download
memory/2164-5-0x0000000000B80000-0x0000000000B8E000-memory.dmp

Filesize
56KB

Download
memory/2164-4-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/2164-3-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-378-0x0000000000E00000-0x0000000000E56000-memory.dmp

Filesize
344KB

Download
memory/2300-379-0x000000001AF10000-0x000000001AF22000-memory.dmp

Filesize
72KB

Download
memory/2324-317-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2324-319-0x0000000002090000-0x0000000002098000-memory.dmp

Filesize
32KB

Download
memory/3020-391-0x0000000001140000-0x0000000001A38000-memory.dmp

Filesize
9.0MB

Download