dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Size

2.5MB
MD5

3dbf7d9fdfd5a0151f1003095ba9655c
SHA1

4f5de06a720298a5e32660fd0f56733ad611060f
SHA256

86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26
SHA512

3405c202bad0e95f18341f8c664f94626bec55db6ef9c15ff9a5b6cb2632e73375fec802d64e5ca3b924829ec1729c06f01fcb9a5013ac22d5b5b437812eb2ef
SSDEEP

49152:qGVFTkAxSKOfsx79ZnGGHMgVj2x+0XrSqWsn+fz+pV6ZKvTYnp:qGVyWNGGN2sqWs+fz+pVZTYp

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4744	schtasks.exe
		4832	schtasks.exe
		4764	schtasks.exe
File created	C:\Windows\System32\SIHClient\5b884080fd4f94		86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
		2284	schtasks.exe
		968	schtasks.exe
		4632	schtasks.exe
File created	C:\Windows\System32\SIHClient\fontdrvhost.exe		86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
		4880	schtasks.exe
		4720	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1476	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1476	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	1476	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	1476	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	1476	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	1476	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1476	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	1476	schtasks.exe	88

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5508	powershell.exe
3852	powershell.exe
3248	powershell.exe
3540	powershell.exe
3508	powershell.exe
4404	powershell.exe
3512	powershell.exe
6004	powershell.exe
5440	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 16 IoCs

pid	Process
4480	dllhost.exe
2788	dllhost.exe
4776	dllhost.exe
1796	dllhost.exe
6044	dllhost.exe
6076	dllhost.exe
4812	dllhost.exe
5332	dllhost.exe
4756	dllhost.exe
2348	dllhost.exe
1972	dllhost.exe
1776	dllhost.exe
5804	dllhost.exe
4932	dllhost.exe
5640	dllhost.exe
1284	dllhost.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\7e20f84d5244aba7145631d4073af8\\smss.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Google\\GoogleUpdater\\134.0.6985.0\\Crashpad\\reports\\RuntimeBroker.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Defender\\dllhost.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\SIHClient\\fontdrvhost.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxBlockMap\\StartMenuExperienceHost.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\unsecapp.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\SIHClient\fontdrvhost.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\SIHClient\fontdrvhost.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\SIHClient\5b884080fd4f94	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\SIHClient\RCX97CD.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\SIHClient\RCX97CE.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\unsecapp.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\RCXA7E8.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Program Files\Windows Defender\RCXA9EC.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\unsecapp.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\29c1c3cc0f7685	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Program Files\Windows Defender\dllhost.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Program Files\Windows Defender\5940a34987c991	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Program Files\Windows Defender\RCXA9ED.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Program Files\Windows Defender\dllhost.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\RuntimeBroker.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\9e8d7a4ca61bd9	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\RuntimeBroker.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCX9F84.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXA002.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\RCXA779.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\StartMenuExperienceHost.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\55b276f4edf653	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\StartMenuExperienceHost.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\RCXA275.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\22eafd247d37c3	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\RCX9CF2.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\RCX9D70.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\RCXA274.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
968	schtasks.exe
4632	schtasks.exe
4720	schtasks.exe
4744	schtasks.exe
4832	schtasks.exe
4880	schtasks.exe
4764	schtasks.exe
2284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
3512	powershell.exe
3512	powershell.exe
5508	powershell.exe
5508	powershell.exe
5440	powershell.exe
5440	powershell.exe
3508	powershell.exe
3508	powershell.exe
4404	powershell.exe
4404	powershell.exe
3248	powershell.exe
3248	powershell.exe
6004	powershell.exe
6004	powershell.exe
3540	powershell.exe
3540	powershell.exe
3852	powershell.exe
3852	powershell.exe
5440	powershell.exe
5508	powershell.exe
3508	powershell.exe
3248	powershell.exe
3512	powershell.exe
4404	powershell.exe
6004	powershell.exe
3852	powershell.exe
3540	powershell.exe
4480	dllhost.exe
4480	dllhost.exe
4480	dllhost.exe
4480	dllhost.exe
4480	dllhost.exe
4480	dllhost.exe
4480	dllhost.exe
4480	dllhost.exe
4480	dllhost.exe
4480	dllhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeDebugPrivilege	5440	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	6004	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	4480	dllhost.exe
Token: SeDebugPrivilege	2788	dllhost.exe
Token: SeDebugPrivilege	4776	dllhost.exe
Token: SeDebugPrivilege	1796	dllhost.exe
Token: SeDebugPrivilege	6044	dllhost.exe
Token: SeDebugPrivilege	6076	dllhost.exe
Token: SeDebugPrivilege	4812	dllhost.exe
Token: SeDebugPrivilege	5332	dllhost.exe
Token: SeDebugPrivilege	4756	dllhost.exe
Token: SeDebugPrivilege	2348	dllhost.exe
Token: SeDebugPrivilege	1972	dllhost.exe
Token: SeDebugPrivilege	1776	dllhost.exe
Token: SeDebugPrivilege	5804	dllhost.exe
Token: SeDebugPrivilege	4932	dllhost.exe
Token: SeDebugPrivilege	5640	dllhost.exe
Token: SeDebugPrivilege	1284	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 3540	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	101
PID 1672 wrote to memory of 3540	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	101
PID 1672 wrote to memory of 3508	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	102
PID 1672 wrote to memory of 3508	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	102
PID 1672 wrote to memory of 4404	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	103
PID 1672 wrote to memory of 4404	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	103
PID 1672 wrote to memory of 5508	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	104
PID 1672 wrote to memory of 5508	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	104
PID 1672 wrote to memory of 3852	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	105
PID 1672 wrote to memory of 3852	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	105
PID 1672 wrote to memory of 3248	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	106
PID 1672 wrote to memory of 3248	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	106
PID 1672 wrote to memory of 3512	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	107
PID 1672 wrote to memory of 3512	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	107
PID 1672 wrote to memory of 6004	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	108
PID 1672 wrote to memory of 6004	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	108
PID 1672 wrote to memory of 5440	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	109
PID 1672 wrote to memory of 5440	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	109
PID 1672 wrote to memory of 628	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	119
PID 1672 wrote to memory of 628	1672	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	119
PID 628 wrote to memory of 4376	628	cmd.exe	121
PID 628 wrote to memory of 4376	628	cmd.exe	121
PID 628 wrote to memory of 4480	628	cmd.exe	124
PID 628 wrote to memory of 4480	628	cmd.exe	124
PID 4480 wrote to memory of 5108	4480	dllhost.exe	125
PID 4480 wrote to memory of 5108	4480	dllhost.exe	125
PID 4480 wrote to memory of 3116	4480	dllhost.exe	126
PID 4480 wrote to memory of 3116	4480	dllhost.exe	126
PID 5108 wrote to memory of 2788	5108	WScript.exe	127
PID 5108 wrote to memory of 2788	5108	WScript.exe	127
PID 2788 wrote to memory of 1088	2788	dllhost.exe	128
PID 2788 wrote to memory of 1088	2788	dllhost.exe	128
PID 2788 wrote to memory of 5796	2788	dllhost.exe	129
PID 2788 wrote to memory of 5796	2788	dllhost.exe	129
PID 1088 wrote to memory of 4776	1088	WScript.exe	134
PID 1088 wrote to memory of 4776	1088	WScript.exe	134
PID 4776 wrote to memory of 3632	4776	dllhost.exe	135
PID 4776 wrote to memory of 3632	4776	dllhost.exe	135
PID 4776 wrote to memory of 5968	4776	dllhost.exe	136
PID 4776 wrote to memory of 5968	4776	dllhost.exe	136
PID 3632 wrote to memory of 1796	3632	WScript.exe	141
PID 3632 wrote to memory of 1796	3632	WScript.exe	141
PID 1796 wrote to memory of 4668	1796	dllhost.exe	142
PID 1796 wrote to memory of 4668	1796	dllhost.exe	142
PID 1796 wrote to memory of 2196	1796	dllhost.exe	143
PID 1796 wrote to memory of 2196	1796	dllhost.exe	143
PID 4668 wrote to memory of 6044	4668	WScript.exe	144
PID 4668 wrote to memory of 6044	4668	WScript.exe	144
PID 6044 wrote to memory of 3448	6044	dllhost.exe	145
PID 6044 wrote to memory of 3448	6044	dllhost.exe	145
PID 6044 wrote to memory of 1856	6044	dllhost.exe	146
PID 6044 wrote to memory of 1856	6044	dllhost.exe	146
PID 3448 wrote to memory of 6076	3448	WScript.exe	147
PID 3448 wrote to memory of 6076	3448	WScript.exe	147
PID 6076 wrote to memory of 516	6076	dllhost.exe	148
PID 6076 wrote to memory of 516	6076	dllhost.exe	148
PID 6076 wrote to memory of 4988	6076	dllhost.exe	149
PID 6076 wrote to memory of 4988	6076	dllhost.exe	149
PID 516 wrote to memory of 4812	516	WScript.exe	150
PID 516 wrote to memory of 4812	516	WScript.exe	150
PID 4812 wrote to memory of 60	4812	dllhost.exe	151
PID 4812 wrote to memory of 60	4812	dllhost.exe	151
PID 4812 wrote to memory of 4112	4812	dllhost.exe	152
PID 4812 wrote to memory of 4112	4812	dllhost.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
"C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe"
1⤵
- DcRat
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SIHClient\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NMYLg36mPr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4376
- - C:\Recovery\WindowsRE\dllhost.exe
    "C:\Recovery\WindowsRE\dllhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dea64b1-0017-400c-b597-fe15b656bfd8.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b2c1977-51de-4384-999b-e946eac2c79d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90cca7c7-31fc-4c1c-b710-b5df7d6ebe49.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\772338fa-53fc-46c1-9d6f-0e2d8b392c2c.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96496437-f54f-4901-88ea-e64f25e7468a.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dbcb100-836f-47ab-b026-5437f05b6efe.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12a7eeb5-d8f0-4b9e-9b3d-243231d4be46.vbs"
        16⤵
        
        PID:60
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68b49671-b3dd-45f0-a29e-b624d2a758a0.vbs"
        18⤵
        
        PID:2788
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a501cfc-566c-4ea9-b890-a5dfe3ab6d61.vbs"
        20⤵
        
        PID:456
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0907154f-15a5-43e9-9bea-f5580ddc4756.vbs"
        22⤵
        
        PID:2544
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\474d4ce1-9cf2-4e1e-97d2-1e4e9d0e3563.vbs"
        24⤵
        
        PID:2784
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbfb8f36-a1d0-46b2-8c39-795d7da42f82.vbs"
        26⤵
        
        PID:5964
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2017d9dd-5e03-4bbb-a14f-5ea2c9d53f97.vbs"
        28⤵
        
        PID:628
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0171358-32e9-4c66-b2dc-8c3fa8e76151.vbs"
        30⤵
        
        PID:3604
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a2a9e4a-a333-41ba-893b-acaf7133a937.vbs"
        32⤵
        
        PID:3768
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        C:\Recovery\WindowsRE\dllhost.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03c5934f-5346-4760-945c-a7e67553b4f2.vbs"
        34⤵
        
        PID:4176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\330fc13c-3c34-4611-9cd4-cfa2a4d849ab.vbs"
        34⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aabfe5fc-982f-4dbc-b65f-0e54345670c3.vbs"
        32⤵
        
        PID:4368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62aa679b-b235-49b1-9dbe-5d48bd417920.vbs"
        30⤵
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7714a77d-d8e0-4d97-b9c8-55727f1bf970.vbs"
        28⤵
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16b25624-e717-447b-938b-b146583200e4.vbs"
        26⤵
        
        PID:1264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92430682-7665-4e5d-8354-24bf0f96fd38.vbs"
        24⤵
        
        PID:3892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71d22236-14e4-469c-851a-73cd000efede.vbs"
        22⤵
        
        PID:4396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65d655f0-19ba-4d21-8428-bee5fb8db1da.vbs"
        20⤵
        
        PID:3128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70e38ec4-d077-47e9-b513-df0616637d3d.vbs"
        18⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa6035c3-ad1e-41bc-8001-3f2b8e71886f.vbs"
        16⤵
        
        PID:4112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c9e5857-263c-4d75-b896-947a57ebca9f.vbs"
        14⤵
        
        PID:4988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5e91826-4dab-493a-a331-949f7da84838.vbs"
        12⤵
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cebcb6e-85d9-4572-8607-064aa5fd057f.vbs"
        10⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5f24709-c4af-41ce-8549-9d3a73f30d58.vbs"
        8⤵
        
        PID:5968
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56b0967f-460f-474e-bef7-5d3f850a7677.vbs"
        6⤵
        
        PID:5796
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1296a635-8277-44d3-aac8-58ad1e38213d.vbs"
      4⤵
      PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\SIHClient\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\RuntimeBroker.exe

Filesize
2.5MB

MD5
4cddc62797cae3448fb03c837714ae97

SHA1
7d5bf47a946df3477cfd2cacfe72134159f1f54f

SHA256
63979a6fa7c36ba55434028dc7c65c7f7ff71fa024755ef05ea11ef57ea2e60c

SHA512
e16d417bd9191f20152260ddb15d16320158760eda11b42fa16dc95d3a64c36543ea84e0f7fe17562d04f51af5b5ffbf57c415ec3980d8f093ea6ce0e8d170db

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
2.5MB

MD5
ae885987f9e1ba7b783870cddb5955eb

SHA1
2d6f9146b00913bc3860254888e23334511e8278

SHA256
ee8a89124b87bd1a9c7f9c113cb2938197230f4d57e077983cf4054658f425bd

SHA512
64f58284a6ca307d1fa25ac2ca5e8182abcdc5f7ecc5c59b7949a111dfd58315a061dc99e47a5d611a6e7393ed303be605fd2fb8f30f7bc885ba601a549bd0b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
9699cf9bb24ebbc9b1035710e92b7bd2

SHA1
73f0f26db57ea306970a76f42c647bbce02a3f23

SHA256
fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5

SHA512
3a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77c3c3e6edde95327e5255c97f03f1aa

SHA1
bf90bbebcadd07d730c5793a512ed30c4db1d776

SHA256
a80450170e547a9d4d050e3237edfcc561a6c936d180f6d0867a22a6487afa99

SHA512
8c3fbc3312def0c2ba51036a30ac23d5c50bcdf2a273ee4802fe05c73c0d94cb8b115291e0ed91a23f150ff9f69b2046276cc062a9ba6c7be92bcd975e850077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
abc61b7a532b5a8ab5bede2f413c1a71

SHA1
82ed1d78231b408bd8c072b7e08ac0aec0c43a7e

SHA256
43027d7e917d7dc6caa6621eec3187dbfb8c2d3d02f3e0b4c8cf0a37505c9a51

SHA512
2ebe7180da937c44f332dfec8e1b0e5a6b00a8825555829ad6a631d7e54252d3254b9c544370717042cc6c118b83f21f09798d5891d3919363c69439af956adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1e3c555747900d8c9652a014303474aa

SHA1
1b2057ff00b20996fe74977d7e336be9d4625283

SHA256
6a419c7390f12be16e2d1e752539a2a429f41e35ce0381bee1d824571769e2f1

SHA512
067ea6a394f54acfc44d64fdf11463a74cb5d6bba3fe253e7625455754c528bd678fd1c679e949e928b7fc11b563c256b0b0e33474f7c58eb0735d7aacd3232d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c79cf713064165d9921621736789b679

SHA1
4d8b3c69ddab8dd528496de06ce7e6e6c2758389

SHA256
6de25d006efb9912c4460725c3ff494adc8585749971235d743dae6cb568068e

SHA512
22dbec206c054253a245c7eac9cbfa4d62b49a11b02adea88b6dc8e1ee4243d46e8f61efa5374d43260ff686dbd3c769b7e14bbc6d5fb2f8999f258a904a04a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
226b55fdb0a63ac9ca46990a4a0accf2

SHA1
cb4ca93fa4a4e7ac4c2278a71da33cab8d99bc84

SHA256
44cb3bbf708735f43c9f07b3be3b110ae35b8c4904a0a9b8e0496c7ae313885a

SHA512
a45725acce36bb369715127097cfc9f481ac1ea42fb819e7df8559ecb83ad03beee2c089616146b02fc5406356ef855a3f7d3a06dc125336c6bb46b7ceba46df

Download Submit
C:\Users\Admin\AppData\Local\Temp\0907154f-15a5-43e9-9bea-f5580ddc4756.vbs

Filesize
709B

MD5
af74ff04007f96d2f62866af6793b19e

SHA1
deb5167d80a536223108bce33d0ac60edd9d680a

SHA256
037553bf1fd4c24f86a5daa9440a81cb96279a03a0a296da0fbcb024e6a0e289

SHA512
aae419430da1bb4383acc23ff3bad2920dfec79099d5b722a8eb009e82125be7e697271bc291f97522343bd61fc38b452b6eb82415bbbe052317e0630b599bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1296a635-8277-44d3-aac8-58ad1e38213d.vbs

Filesize
485B

MD5
d37e774c320529e564ee1f7683a14716

SHA1
8792ae9bc48d3350a85b92c56bf8cc60c3a1ff34

SHA256
ee4e7b2e281bb5c19873e08b720814037bdc35c4a81c95a104cc17b849248c83

SHA512
f66ae95c9f2f530357fdf3c2a1b48b9ecb18683f2ccfc60c827756b9db381241094f05db55c817bb1ae6749dccd018058e139f91f6838f54caaf25f7a139e24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\12a7eeb5-d8f0-4b9e-9b3d-243231d4be46.vbs

Filesize
709B

MD5
2bdc51866135f385cdf109a47030ac4d

SHA1
1ce606324ad1dd6113a407ba0d1ef08310593608

SHA256
08dcd206dd5496ccda1f49e82cc6023981263396a830428c533aa5b9aeea2687

SHA512
e8b2698e8ae187f3bba18a2aeb624df85aa5cd65c8e0474cb87445efa2b8673d736ccdc843fc5754b849ca9aaa3486953165a6480f88da8b955cb84addd2fd75

Download Submit
C:\Users\Admin\AppData\Local\Temp\2017d9dd-5e03-4bbb-a14f-5ea2c9d53f97.vbs

Filesize
709B

MD5
79fc6386aad63a9afe2a1ed2459dd2c1

SHA1
f84a9c7b4a4556b52246d5e109121e86739cdfd5

SHA256
eabee2ef1727934c96559f88504546af5c8060d14a3a510e700394870b0720cd

SHA512
e915ae6ac803a0c90f05f36e801d55b5038081c0996677d44477d83eeb710423c141b7a2024d4c2db407746d12104bea1555d55604007b46cc327495d08081f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dea64b1-0017-400c-b597-fe15b656bfd8.vbs

Filesize
709B

MD5
937df97c4384e834ee1a2cc0f3c9c915

SHA1
d698ea2e591aaa5a53fc87fb64be6c765bbb2bef

SHA256
3884b64ef8b39e827f01bf3bee5b8ba0732f52decff976e6e161246feaa8e239

SHA512
ea7abaeb2c255fd8d33ddb6b9eaa8c83c5c1bc7d6be88e92f345e680ee5b4fc46646770e6374ae84242d918d49faae9bc154b0503b6c7ee4fd44466ae5e9e886

Download Submit
C:\Users\Admin\AppData\Local\Temp\474d4ce1-9cf2-4e1e-97d2-1e4e9d0e3563.vbs

Filesize
709B

MD5
2bf0612845f4c628eb567f843b2a1ef3

SHA1
b8faab40894a0409a80e2f2de523cf103f0207d2

SHA256
2054ede9cdcf9e8efa7c04199c54707f6a496074a299bdf3581fcea1616c50d1

SHA512
af4d4468b6db7691e8562bd002fffc9629d2d10f297403aa286aaccb84209fe6f32b5fb6649bc891eefed9e0ad29d8390e665a5fae78d35dec039ec99e23da57

Download Submit
C:\Users\Admin\AppData\Local\Temp\4dbcb100-836f-47ab-b026-5437f05b6efe.vbs

Filesize
709B

MD5
849cff253c03356e62861a7c159f3d9e

SHA1
46f3906ced7522af7e9495ec7113bc31dd8e0d84

SHA256
b7fca8b8276cdef63b44e0576748db5a37cad324efdd110f7263bfa36a30663f

SHA512
67b99387d8d10f1220e22b494ea12a6ba8d07b21a97615d1defedaa90424d122d53a4593b767d8bdfa5f68288d45db0240a0004cc86c5171955c7a464462e520

Download Submit
C:\Users\Admin\AppData\Local\Temp\68b49671-b3dd-45f0-a29e-b624d2a758a0.vbs

Filesize
709B

MD5
21f7bb05829821592e5feef0e68cf9aa

SHA1
3c251c0ec9432f726773c26922871658bd8603e9

SHA256
faf9c113a655a97946913d805bb06e9447058f703bb1c5d731f6420749a22c7e

SHA512
cc88b513daa62549786d7d2230acd0fcf5ef9eb4ed70eee296e0c8fd154554253240332e5f5620c2bda4559a45a63fd26fb60b15c6edf8a08e5e5dec2b6e7f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\772338fa-53fc-46c1-9d6f-0e2d8b392c2c.vbs

Filesize
709B

MD5
8e00df50937eafed48b9061d032ac5e6

SHA1
ff014dc769b6c8799123da206d33bea0e1004ae7

SHA256
526027e46524505ba03983763539e7fa4b301796e875a9b9e5bb61726e299609

SHA512
c1bb1e863d37a797b33d42bf191b22a142a933444380011a810a494d48bab9622b1912fbe41771c141f1bf43276bd4cd8e3369d361d401ab379032c88a16f0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a501cfc-566c-4ea9-b890-a5dfe3ab6d61.vbs

Filesize
709B

MD5
746891f65b73b2fc7fe3e8be1fea30b3

SHA1
e90ad39dc42da4e84fb968c96e4f25ac6b784849

SHA256
5fef0ed7ee93d83ec6a1c961dff961958339acae5326283e0b7c435a98913d85

SHA512
d82a01dd60fbadb34778a9aa5c90d51b2247f9bf8667aba9c863f7cfa850a357c5f082718bf878d260b6f6946145d5ffa24e6c37d5c8c9c931494cee519656ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b2c1977-51de-4384-999b-e946eac2c79d.vbs

Filesize
709B

MD5
7a4b4c4755e4a8054685dc3f192c5e1b

SHA1
5d4cc79c6565e48bd00ac1a04f2b1c735b40aefe

SHA256
449b18fba9ee3a81fc7fcb3bf9780fb0fbbf923b894aacfd0df11cdb73751a2e

SHA512
81056a0b9d672d66e5414819d504e7b6a56a2850d75e976e596c7d1f0f3e118394640f137bde5637e16affb6fe71c5eda97a723e129ca06cc8b3ec4f13aa6f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\90cca7c7-31fc-4c1c-b710-b5df7d6ebe49.vbs

Filesize
709B

MD5
91f3c5c671d0e3eeb318fb22137c13b2

SHA1
7211711381877604f634dae3e7cca7804f6b6167

SHA256
5c692f1c7cae0f7b5e14a19aca0bd638d39c11173f35e3aeda5c2e19c22f599a

SHA512
c2d211d86e3180e4d95fd85a01ace7d95e48f40c226a9f933f391817c164525ad457b91bfd76fe7e5c96f573d2d58b768a90c3980de1675391c4aa170c9b2379

Download Submit
C:\Users\Admin\AppData\Local\Temp\96496437-f54f-4901-88ea-e64f25e7468a.vbs

Filesize
709B

MD5
5753b2d72c6d0cec2531fc82af1e3448

SHA1
fc89f761b47f75f62a429cb49c8ca1ddfbde70c6

SHA256
be065a835a9d26d66156351850d2cfad666426364b15cfe82283f38da6654901

SHA512
15268c38dde99f2ee72868d1fb3e0001d217d50c68678d671d04cf040174d9cae6e5d4184f95f4629cba5dcb5087fb89d607765eb48fe5673e478fd0bc3665c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMYLg36mPr.bat

Filesize
197B

MD5
3c2921d1c02afbb707ae7de400d6add1

SHA1
f9df3d39e8bf4ba66d17ba20956e0796498a1b60

SHA256
a37b6e682193197f22ef07083bc7b2ec9cc0525924d0f09c348201245991a4a2

SHA512
3596b3c219d49eb029459abdf3d981581d696be3f7436c432cb23680cd75fe2ff859d82687e3c8d7d2a3de9e83efec69e167afcd9d5aa2d3fe810392c151eaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_umuleras.uoo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbfb8f36-a1d0-46b2-8c39-795d7da42f82.vbs

Filesize
709B

MD5
d81732f13ccd87473445a4efb3ec82af

SHA1
7333b4334e410af26400c52d4fee87aa0179c9d6

SHA256
f0029e664b210906ab25d39038054457fa7cc3a95f057f2775dbaab85d05195a

SHA512
c22494c038cc83811dd085ab3e2ce853fc79d4c9c5aee39a8acc3bde4e902346f815d291fb45e76a2ea4a0c6477e299311dbc227ef8cd015cf95cefe1f5c05e9

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxBlockMap\StartMenuExperienceHost.exe

Filesize
2.5MB

MD5
14ee49e3d4f6bf8d6fa729897e0fc3df

SHA1
aff512f2524517afae8d3df209ca638a42ed35ba

SHA256
a4518fc9daa01cdece46ac772495019b5a9bfa41f949e8b9bdb0aa0d83c88e6a

SHA512
48589e74e97f3dad66b6ab7cfe80cd922ce44111733a762994449bb466cfa926ad4721c6ddebfe07347049a6da80f12bb2aba58df3b1653d539a32e97e0a971f

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe

Filesize
2.5MB

MD5
3dbf7d9fdfd5a0151f1003095ba9655c

SHA1
4f5de06a720298a5e32660fd0f56733ad611060f

SHA256
86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26

SHA512
3405c202bad0e95f18341f8c664f94626bec55db6ef9c15ff9a5b6cb2632e73375fec802d64e5ca3b924829ec1729c06f01fcb9a5013ac22d5b5b437812eb2ef

Download Submit
memory/1672-2-0x00007FFD9D450000-0x00007FFD9DF11000-memory.dmp

Filesize
10.8MB

Download
memory/1672-15-0x0000000003720000-0x000000000372A000-memory.dmp

Filesize
40KB

Download
memory/1672-5-0x00000000034C0000-0x0000000003510000-memory.dmp

Filesize
320KB

Download
memory/1672-6-0x0000000001A90000-0x0000000001AA0000-memory.dmp

Filesize
64KB

Download
memory/1672-4-0x0000000003450000-0x000000000346C000-memory.dmp

Filesize
112KB

Download
memory/1672-13-0x0000000003520000-0x000000000352A000-memory.dmp

Filesize
40KB

Download
memory/1672-14-0x00000000036A0000-0x00000000036AC000-memory.dmp

Filesize
48KB

Download
memory/1672-3-0x0000000001960000-0x000000000196C000-memory.dmp

Filesize
48KB

Download
memory/1672-12-0x0000000003510000-0x000000000351A000-memory.dmp

Filesize
40KB

Download
memory/1672-1-0x0000000000F30000-0x00000000011B6000-memory.dmp

Filesize
2.5MB

Download
memory/1672-18-0x00000000036C0000-0x00000000036CA000-memory.dmp

Filesize
40KB

Download
memory/1672-17-0x00000000036B0000-0x00000000036B8000-memory.dmp

Filesize
32KB

Download
memory/1672-16-0x000000001BF00000-0x000000001BF0C000-memory.dmp

Filesize
48KB

Download
memory/1672-7-0x0000000003470000-0x0000000003480000-memory.dmp

Filesize
64KB

Download
memory/1672-10-0x0000000003490000-0x00000000034A2000-memory.dmp

Filesize
72KB

Download
memory/1672-9-0x0000000003480000-0x0000000003488000-memory.dmp

Filesize
32KB

Download
memory/1672-133-0x00007FFD9D450000-0x00007FFD9DF11000-memory.dmp

Filesize
10.8MB

Download
memory/1672-8-0x0000000003650000-0x00000000036A6000-memory.dmp

Filesize
344KB

Download
memory/1672-0-0x00007FFD9D453000-0x00007FFD9D455000-memory.dmp

Filesize
8KB

Download
memory/1672-11-0x000000001D0F0000-0x000000001D618000-memory.dmp

Filesize
5.2MB

Download
memory/1776-373-0x0000000001220000-0x0000000001232000-memory.dmp

Filesize
72KB

Download
memory/3248-241-0x00000253BC280000-0x00000253BC3EA000-memory.dmp

Filesize
1.4MB

Download
memory/3508-240-0x000002584CA20000-0x000002584CB8A000-memory.dmp

Filesize
1.4MB

Download
memory/3512-239-0x000001CCD9A60000-0x000001CCD9BCA000-memory.dmp

Filesize
1.4MB

Download
memory/3540-236-0x000001B228C90000-0x000001B228DFA000-memory.dmp

Filesize
1.4MB

Download
memory/3852-238-0x000001635D6B0000-0x000001635D81A000-memory.dmp

Filesize
1.4MB

Download
memory/4404-244-0x000001F6DD130000-0x000001F6DD29A000-memory.dmp

Filesize
1.4MB

Download
memory/4480-248-0x00000000000F0000-0x0000000000376000-memory.dmp

Filesize
2.5MB

Download
memory/4480-249-0x000000001AF60000-0x000000001AFB6000-memory.dmp

Filesize
344KB

Download
memory/4776-273-0x000000001BA00000-0x000000001BA12000-memory.dmp

Filesize
72KB

Download
memory/5440-222-0x0000020771BD0000-0x0000020771D3A000-memory.dmp

Filesize
1.4MB

Download
memory/5508-143-0x0000017374660000-0x0000017374682000-memory.dmp

Filesize
136KB

Download
memory/5508-237-0x0000017374690000-0x00000173747FA000-memory.dmp

Filesize
1.4MB

Download
memory/5640-403-0x0000000003130000-0x0000000003186000-memory.dmp

Filesize
344KB

Download
memory/6004-235-0x00000155C05C0000-0x00000155C072A000-memory.dmp

Filesize
1.4MB

Download