dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Size

1.6MB
MD5

2c4dbe075f37719580a096bf67bf048e
SHA1

71673f7af94683985e875f3db73cbf1a5509228e
SHA256

1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567
SHA512

6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5264	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5464	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5444	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	4524	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	4524	schtasks.exe	86

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral26/memory/3412-1-0x0000000000480000-0x0000000000622000-memory.dmp	dcrat
behavioral26/files/0x0007000000024267-26.dat	dcrat
behavioral26/files/0x000d000000024042-61.dat	dcrat
behavioral26/files/0x0008000000022edd-72.dat	dcrat
behavioral26/files/0x000e00000002405b-83.dat	dcrat
behavioral26/files/0x0009000000024261-94.dat	dcrat
behavioral26/files/0x000b000000024269-128.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
1128	powershell.exe
1780	powershell.exe
1968	powershell.exe
2980	powershell.exe
3016	powershell.exe
4388	powershell.exe
2360	powershell.exe
3808	powershell.exe
2168	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 14 IoCs

pid	Process
5648	explorer.exe
6096	explorer.exe
976	explorer.exe
5920	explorer.exe
5456	explorer.exe
5980	explorer.exe
5036	explorer.exe
5524	explorer.exe
3708	explorer.exe
732	explorer.exe
1732	explorer.exe
3740	explorer.exe
1080	explorer.exe
4392	explorer.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4396_651327976\eddb19405b7ce1	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\5940a34987c991	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX531F.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX5320.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\0a1fd5f707cd16	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\edge_BITS_4396_651327976\RCX4692.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\edge_BITS_4396_651327976\backgroundTaskHost.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX4915.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\edge_BITS_4396_651327976\backgroundTaskHost.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\edge_BITS_4396_651327976\RCX4710.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX4993.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\RCX4BA7.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\RCX4C25.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\lsass.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\lsass.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\6203df4a6bafc7	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5464	schtasks.exe
4200	schtasks.exe
4036	schtasks.exe
4912	schtasks.exe
4668	schtasks.exe
5264	schtasks.exe
2800	schtasks.exe
2264	schtasks.exe
4192	schtasks.exe
2904	schtasks.exe
4580	schtasks.exe
4504	schtasks.exe
4644	schtasks.exe
4808	schtasks.exe
4224	schtasks.exe
4116	schtasks.exe
1196	schtasks.exe
2688	schtasks.exe
1568	schtasks.exe
3616	schtasks.exe
4832	schtasks.exe
1072	schtasks.exe
440	schtasks.exe
5444	schtasks.exe
864	schtasks.exe
4792	schtasks.exe
4760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3808	powershell.exe
1780	powershell.exe
3808	powershell.exe
1780	powershell.exe
2668	powershell.exe
2668	powershell.exe
2168	powershell.exe
2168	powershell.exe
1968	powershell.exe
1968	powershell.exe
2980	powershell.exe
2980	powershell.exe
2360	powershell.exe
2360	powershell.exe
4388	powershell.exe
4388	powershell.exe
1128	powershell.exe
1128	powershell.exe
3016	powershell.exe
3016	powershell.exe
1128	powershell.exe
4388	powershell.exe
2980	powershell.exe
1780	powershell.exe
3808	powershell.exe
2168	powershell.exe
2668	powershell.exe
1968	powershell.exe
2360	powershell.exe
3016	powershell.exe
5648	explorer.exe
6096	explorer.exe
976	explorer.exe
5920	explorer.exe
5456	explorer.exe
5980	explorer.exe
5036	explorer.exe
5524	explorer.exe
3708	explorer.exe
732	explorer.exe
1732	explorer.exe
3740	explorer.exe
1080	explorer.exe
4392	explorer.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	5648	explorer.exe
Token: SeDebugPrivilege	6096	explorer.exe
Token: SeDebugPrivilege	976	explorer.exe
Token: SeDebugPrivilege	5920	explorer.exe
Token: SeDebugPrivilege	5456	explorer.exe
Token: SeDebugPrivilege	5980	explorer.exe
Token: SeDebugPrivilege	5036	explorer.exe
Token: SeDebugPrivilege	5524	explorer.exe
Token: SeDebugPrivilege	3708	explorer.exe
Token: SeDebugPrivilege	732	explorer.exe
Token: SeDebugPrivilege	1732	explorer.exe
Token: SeDebugPrivilege	3740	explorer.exe
Token: SeDebugPrivilege	1080	explorer.exe
Token: SeDebugPrivilege	4392	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 1968	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	118
PID 3412 wrote to memory of 1968	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	118
PID 3412 wrote to memory of 2168	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	119
PID 3412 wrote to memory of 2168	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	119
PID 3412 wrote to memory of 2668	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	120
PID 3412 wrote to memory of 2668	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	120
PID 3412 wrote to memory of 2980	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	121
PID 3412 wrote to memory of 2980	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	121
PID 3412 wrote to memory of 3016	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	122
PID 3412 wrote to memory of 3016	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	122
PID 3412 wrote to memory of 4388	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	123
PID 3412 wrote to memory of 4388	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	123
PID 3412 wrote to memory of 2360	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	124
PID 3412 wrote to memory of 2360	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	124
PID 3412 wrote to memory of 3808	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	125
PID 3412 wrote to memory of 3808	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	125
PID 3412 wrote to memory of 1128	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	126
PID 3412 wrote to memory of 1128	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	126
PID 3412 wrote to memory of 1780	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	127
PID 3412 wrote to memory of 1780	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	127
PID 3412 wrote to memory of 1032	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	138
PID 3412 wrote to memory of 1032	3412	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	138
PID 1032 wrote to memory of 4764	1032	cmd.exe	140
PID 1032 wrote to memory of 4764	1032	cmd.exe	140
PID 1032 wrote to memory of 5648	1032	cmd.exe	143
PID 1032 wrote to memory of 5648	1032	cmd.exe	143
PID 5648 wrote to memory of 4424	5648	explorer.exe	144
PID 5648 wrote to memory of 4424	5648	explorer.exe	144
PID 5648 wrote to memory of 6052	5648	explorer.exe	145
PID 5648 wrote to memory of 6052	5648	explorer.exe	145
PID 4424 wrote to memory of 6096	4424	WScript.exe	146
PID 4424 wrote to memory of 6096	4424	WScript.exe	146
PID 6096 wrote to memory of 5632	6096	explorer.exe	147
PID 6096 wrote to memory of 5632	6096	explorer.exe	147
PID 6096 wrote to memory of 1356	6096	explorer.exe	148
PID 6096 wrote to memory of 1356	6096	explorer.exe	148
PID 5632 wrote to memory of 976	5632	WScript.exe	154
PID 5632 wrote to memory of 976	5632	WScript.exe	154
PID 976 wrote to memory of 2256	976	explorer.exe	155
PID 976 wrote to memory of 2256	976	explorer.exe	155
PID 976 wrote to memory of 5228	976	explorer.exe	156
PID 976 wrote to memory of 5228	976	explorer.exe	156
PID 2256 wrote to memory of 5920	2256	WScript.exe	157
PID 2256 wrote to memory of 5920	2256	WScript.exe	157
PID 5920 wrote to memory of 3908	5920	explorer.exe	158
PID 5920 wrote to memory of 3908	5920	explorer.exe	158
PID 5920 wrote to memory of 2212	5920	explorer.exe	159
PID 5920 wrote to memory of 2212	5920	explorer.exe	159
PID 3908 wrote to memory of 5456	3908	WScript.exe	163
PID 3908 wrote to memory of 5456	3908	WScript.exe	163
PID 5456 wrote to memory of 692	5456	explorer.exe	164
PID 5456 wrote to memory of 692	5456	explorer.exe	164
PID 5456 wrote to memory of 4296	5456	explorer.exe	165
PID 5456 wrote to memory of 4296	5456	explorer.exe	165
PID 692 wrote to memory of 5980	692	WScript.exe	166
PID 692 wrote to memory of 5980	692	WScript.exe	166
PID 5980 wrote to memory of 2592	5980	explorer.exe	167
PID 5980 wrote to memory of 2592	5980	explorer.exe	167
PID 5980 wrote to memory of 1520	5980	explorer.exe	168
PID 5980 wrote to memory of 1520	5980	explorer.exe	168
PID 2592 wrote to memory of 5036	2592	WScript.exe	170
PID 2592 wrote to memory of 5036	2592	WScript.exe	170
PID 5036 wrote to memory of 3228	5036	explorer.exe	171
PID 5036 wrote to memory of 3228	5036	explorer.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
"C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4396_651327976\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1MnzZZT2yU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4764
- - C:\f9532e701a889cdd91b8\explorer.exe
    "C:\f9532e701a889cdd91b8\explorer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5648
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8245359c-1504-4796-885b-6a96d5d68086.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6096
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2760af1-797a-47b4-93fd-644430a9239a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5632
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9997e281-fc68-4aee-a9c3-51b9e480c17c.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e29b177-f7d1-42a8-9427-1ea10d776af5.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0398a1bf-1299-4eaf-a329-6bc5f36f44bb.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\912d25d1-6f96-4101-abad-85dac30a2e13.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbe0c7a6-fcbd-4721-9b5d-85b1f503c83b.vbs"
        16⤵
        
        PID:3228
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9bc5428-6df0-4af5-9b2e-8a9c73e257d8.vbs"
        18⤵
        
        PID:4488
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29dbff78-672c-4212-9677-78a06fb631b6.vbs"
        20⤵
        
        PID:1956
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3307e65-7125-45bd-a8a2-8ce193471711.vbs"
        22⤵
        
        PID:5816
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2293c28b-89d0-4107-8498-7148c1c8e0d8.vbs"
        24⤵
        
        PID:4816
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4e27007-e4d1-4d32-8600-9d8a75c2cfb9.vbs"
        26⤵
        
        PID:3988
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af616971-026b-4f10-aad0-5cbd30671664.vbs"
        28⤵
        
        PID:4696
        
        C:\f9532e701a889cdd91b8\explorer.exe
        
        C:\f9532e701a889cdd91b8\explorer.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2862b2a4-2e32-43a9-b153-a7bd5683fd45.vbs"
        30⤵
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00e3e448-ce94-49ba-8ea5-6e04ad868c0a.vbs"
        30⤵
        
        PID:4580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68c0492d-d77d-48ee-888e-8bb59f634d0b.vbs"
        28⤵
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\944ef5d8-30fa-4240-a5bd-a24ca63b67af.vbs"
        26⤵
        
        PID:4064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca6a03e4-197e-4091-98bd-45edac876834.vbs"
        24⤵
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff13fa09-8ebc-49cf-8c8d-47b81b550250.vbs"
        22⤵
        
        PID:6044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58e24f8f-42fd-40ed-b9da-62b929e0c54e.vbs"
        20⤵
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bee4e03-13b7-4fe7-8b84-b26651e87367.vbs"
        18⤵
        
        PID:3272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aed89a5f-4b78-4894-89e6-358ca0ebfd4c.vbs"
        16⤵
        
        PID:3796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d90ec06-6f4e-4cba-84ea-37f32ec7b0ef.vbs"
        14⤵
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3e710cd-dc0a-4398-a309-8aabad3d0c84.vbs"
        12⤵
        
        PID:4296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfcb59d5-ef48-436b-b8cb-64274d20ce59.vbs"
        10⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9c32380-a7ca-4263-9dfe-3c2108be7e01.vbs"
        8⤵
        
        PID:5228
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03af30ea-b00e-44df-9a1f-e67aec321b7f.vbs"
        6⤵
        
        PID:1356
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc2f0b53-603d-4384-8b98-b9fe16d1cfa1.vbs"
      4⤵
      PID:6052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\f9532e701a889cdd91b8\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\f9532e701a889cdd91b8\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4396_651327976\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4396_651327976\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4396_651327976\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe

Filesize
1.6MB

MD5
bb566d18e6258c20be8cea3e0fd95bd9

SHA1
a470a7e4dcf9db8530a0d63d4e5aaff1140b66ad

SHA256
ffcc93c255d56d87c90b6c81a81507d635e8dd4d6f352c5e3a1878c99230e111

SHA512
7767e04b14c4290dd0da478d4bb72180a5d2794ad8c4620862ce1ee5ed0653bd27baac291d408c2a630318d4d9d2cf38b55966a960444c84eb960199bdf6d567

Download Submit
C:\Program Files\edge_BITS_4396_651327976\backgroundTaskHost.exe

Filesize
1.6MB

MD5
bab951b17fc30f47cd32dfd49befc119

SHA1
3e8b8f9e82d686ad88aa2a9c6e7243231e404884

SHA256
8cc11dc8b33af4e81a67b7ba9d9a0ecb114df6099aeb866ad200a21d3a07e7d7

SHA512
9545f95401ac2c11b264fc6071b3994d09f8725eb42591f9a99bf7ca9477001005a8860bf6bb9f2f40ea045aa72677b50aa2302ee6e7ed3ded54669014e8346e

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
1.6MB

MD5
2c4dbe075f37719580a096bf67bf048e

SHA1
71673f7af94683985e875f3db73cbf1a5509228e

SHA256
1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567

SHA512
6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
1.6MB

MD5
24cbfdd5a48d944d82b9aed1e68a3246

SHA1
ebbbb70f53a768c8a4e69ba8cfe4c628edaa63e4

SHA256
18d149d0d12444c5d8fdb05d91513c65d752e5adf6491ed2df1bbf1686e45269

SHA512
695cdb53d69a55a3dcd3a453ac1706c9fde4d65c932c9d436368bfdb84bdb09aa2657a3633d8df0f1090ddf7b839a3851312cc949b7062a0739dedbb39453a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
672e8b21617ca3b368c6c154913fcfff

SHA1
cb3dab8c008b5fba2af958ce2c416c01baa6a98b

SHA256
b6ce484f4dcfab37c7fac91278a1d66c8b122865f12511634b8c5eac3fc081ec

SHA512
98b45d5545237042c9d4e99e6aa2d514bb643c80cccd1f79ca8e6412a7949fc235f2f6a5fc12a7f772e1af2343ab2e2fb863d161f1d0da3326e636c52513c7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e10ceaefa38a8a0c7cf27b2938747eae

SHA1
18dd07de4b7d6f6d0fb7e1feebd78f0a93f6c89e

SHA256
d2f2ece67e3314a38df3789214221bbdd06f9f577470b543f6d094b621fba43b

SHA512
84c811e7d313674fff4c24945d275f2aa88380955679bd3a60c7dbde83a370143f3b1b8a677a8b543a571c9069a9262a3f414ff5aff74a283adb81e6321138ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
93771c301aacc738330a66a7e48b0c1b

SHA1
f7d7ac01f1f13620b1642d1638c1d212666abbae

SHA256
5512157a9ea31f455e244922910fcdb2b8116288d968b0e5e26c91b266d4de7c

SHA512
a51f43e335c8c6da130866115ee6d890f808379548b129e20e563c5ee0234cca186ecde4fd6bc609f0eba6e32b10d080f4f67483461cdd58ef0a60db78324309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08bb0c2688fc08624e11a31024e29947

SHA1
dab0789759282767104987fa06d6acd5ed8bc616

SHA256
d96effa05d39e4fb1e83f96a753616c0a26559acaa8415d7087a41ca091f42c4

SHA512
30afdd978294eded7257fe8bb3538fd491572ad265498a8764d1a09d7255ad3b352ec3384770f50f97e180b0107eb24318d164c3751256c330a3478e4366999a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c56ba5098c530bbd1cdb28d50090d39

SHA1
ff63178ea722ec2db118c81051bf85544fb6b316

SHA256
0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1

SHA512
cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f68785608a60c0961b2926f9c4d4ff87

SHA1
e90357d9a679b851acf30e5e7aa6f76f2e6d3bb4

SHA256
edeed8daa6363551c6ffe770dc95fc9a767da6a020004c61c8e3d81eccb9d673

SHA512
fa369a235b3d4375e7856e39f42b17fb118fadb0b48fbe71074fa47354d0713662b950142ab5083c01cc850f79bbb0abe154eefe0e754b9b76e8d3b330daf652

Download Submit
C:\Users\Admin\AppData\Local\Temp\0398a1bf-1299-4eaf-a329-6bc5f36f44bb.vbs

Filesize
712B

MD5
18608797565ba77ae330d848d009d5a2

SHA1
6a21865f7f34511f2064b7e36ea5d14aec084632

SHA256
b69f846fe2700022e413ec76e2d37ad4ae34ffb591f3486241ff73eee5131b9e

SHA512
e1ea2fe5d7a7deb0440821fde17cc1b90831d72a46cad696979d4f8597a9d10e2193acd982a64ee31b3ceb44c763d9394b415e69bee9bec3c063288b5de8db6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1MnzZZT2yU.bat

Filesize
201B

MD5
4b1660e5ae2fff4664d1c3f27c444159

SHA1
5a4589a8fa040eb8e082780bfabc0f1816d5a7a5

SHA256
728bff7e0a4b9d0c5fc3ea049ccc436d9e09349186bb45d7f5ea15450a6de1ad

SHA512
25da73701a48f32aea1d5e63eb7d29ee480954db93a73f890c847ebf16603fb3e2628eee65e8c3f95d63519063113bc87e40a2608e92d315c873fe0e3c51cbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2293c28b-89d0-4107-8498-7148c1c8e0d8.vbs

Filesize
712B

MD5
9bc42d424cee95cf90e3d84e8cec55a7

SHA1
c4bbe400862b711d71d1fb773ec13461d98ace6d

SHA256
99b4ccfa5186c484ee22953e4b88f05232e5412fcfd31a436bda60cd00e685b9

SHA512
634af001642e2a0129b74ed716ae4368783f9ec0ce3e02066a87aa13262e89ec84bb502972b838b42df30967e4db5ee23350525113b1e35683f9793805a60323

Download Submit
C:\Users\Admin\AppData\Local\Temp\29dbff78-672c-4212-9677-78a06fb631b6.vbs

Filesize
712B

MD5
1c7e7898c9201ffd571393bd0a3176aa

SHA1
a0f7430c8c4fb3e462a78e4817c9dad6ebed5b50

SHA256
fa4d900b05405ac08fc024a33c4efb8d69727988b36dd0ba8582cf8ab869b4a3

SHA512
d40da53d1fccb2c94a0aaf30e5df65e6ef9b27d979dafdb12b559deea4faefc0ce5f19b0cd6aa0f0b7ca7a10ddd507443e4d559e4680350a857ad63c08f7e760

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e29b177-f7d1-42a8-9427-1ea10d776af5.vbs

Filesize
712B

MD5
77756cb2866fcc6995a2a85e7fee7dec

SHA1
159cfde8b5655545c6627abb962d16f9fc69f540

SHA256
2f7f678e4cea7af771c4852240a09ed98cf529e6fd3bf3bf07014d7c4c04cbfe

SHA512
3dc89de4389ce89856e8b1cefa8b776d48703ab6121c0639bbf1cc9696312c113e705947752ffb74cd61f491f9b87351aa2828aea23c86c97c264bc4032eec05

Download Submit
C:\Users\Admin\AppData\Local\Temp\8245359c-1504-4796-885b-6a96d5d68086.vbs

Filesize
712B

MD5
fb9e2224e87ab12c5fea98823bff7ad3

SHA1
04ccc436a3b7b017d4819c97e4ec63b55e19bcb4

SHA256
c9eba82d3fcd5c25ddd7cffa1d05d81c15b9e54539cf33f0ade692e551e06e5f

SHA512
744fb8cb9aba99cc9a3024707a6a03b4c8cbd6bc0767e934f16487a77194599b64ac4b828dfb8ab0d1ec2b8b6f7665ba0705041d41f0983b591d23aa143f23f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\912d25d1-6f96-4101-abad-85dac30a2e13.vbs

Filesize
712B

MD5
1046a00e70d1699d7a0666b57df24c9e

SHA1
1516a67e22ea9a1ecad71d75c9550e30553f6595

SHA256
6f2f56716d7b4500fa907eff551a76e379a6c734bf54a85e1462428c751c08b5

SHA512
a78abdd6b724dc1b6cd9e48dc8d9e0e7fd60e5f507ff9949d931d25d4b13472be1b4765536084a749210c35ea3e1efc25e6d0bfcfda57ffef9cdf1f1e083fe60

Download Submit
C:\Users\Admin\AppData\Local\Temp\9997e281-fc68-4aee-a9c3-51b9e480c17c.vbs

Filesize
711B

MD5
38f61e5cbabb68e386f5d88d849aecfe

SHA1
8d5246663b7491f4e4dde31d8f30dfa3ecc2221d

SHA256
1882297f67c66b3299286016566cfa8e7eeec0210871a688f233fcf5c4f9180d

SHA512
38c1785001ed6549aac604baadace2007d495d9a73462a84cc6e3cb526b70c5a84e1e0aeb64f0cc8cbbce6c732e5a8316f6e17c10b3afc700747881f3bfb726a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4qk2qep.mea.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2760af1-797a-47b4-93fd-644430a9239a.vbs

Filesize
712B

MD5
603773311e08d7433422d8166cba74a8

SHA1
d2d79102f56179ea0f753e3d409d5540e86fccfb

SHA256
974ad54e61ee12346911ec7e9aa021b31ad2036a3e854f60c2ed697f4550bc63

SHA512
3f9fceff3faf77127d6fff1fe924e1e8e96c08f4aac5fb16d9bcf323e827d3176b7a6358080b3df0b040d0ce958bace67c97273f7e03218efe071ef9313972d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\af616971-026b-4f10-aad0-5cbd30671664.vbs

Filesize
712B

MD5
da31f176af4d20b796c18c46c1c1fd2b

SHA1
e1f20fcf14bff0b7768e08ffb41b492888db3c07

SHA256
4d5d05413969d4320ccca3633beb423c8bcdedb2d4025822609cd44c70283cbb

SHA512
d68dd7d7cf33a926586f7bb4fce4a768eb3d6c190c913555317ab96cb2ae35416e795361cf3111aef584beb3d335fd8bfb116d06f900d4a9c62d758e97b32b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbe0c7a6-fcbd-4721-9b5d-85b1f503c83b.vbs

Filesize
712B

MD5
a81754bf5e2a5a8cf52e7e06f0c1beb8

SHA1
f80ba5affeaafb780702c9dbd09b3ec315a600e8

SHA256
0a4d974aae8579f76fd092bf205f4609fd8ac459bb79bbfa738c1d6e74757fe4

SHA512
72f475d453b01d1c26d8deee3c35456ad36a1b81e44b1127ed495024b17945921cf36dd5406b2be0fe4b2cedc3c1ec8dbbbb716491c1000978e63e4b77f0ba3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3307e65-7125-45bd-a8a2-8ce193471711.vbs

Filesize
711B

MD5
b8c2254fbfa3364e7afde0841cd225ba

SHA1
1c2f4ca0f35f616cd98df8c3788e4cedf2e92162

SHA256
ec899e7aa12bba072501f982bbfaaad574f5f192390c0f10b4917d1997ec6e0c

SHA512
dcf366408c3d8540de9f2d75a35e24cdd6721a3d9de5b36e220814307d4cc7748bcf6026a0ed82643ca5906f74f2a75bb456373ad25b9f93536487e66e7a070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9bc5428-6df0-4af5-9b2e-8a9c73e257d8.vbs

Filesize
712B

MD5
d16c00484e40f9e777937c781f6927ff

SHA1
8fb272c028ef6dce7e54f06a69bc432fe4c8a6ce

SHA256
3731a2e2555c44cb847a25058249f54aad00f4eb412e37860079f7e89cca2f36

SHA512
758402e010ae37c35a793bd4ae70c0f3c2a2a1be3cf3625e33fc4525c286ea8df29d05ac0076a18ab7a116b18d8591542d9607673373ab11725e35984dd67908

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc2f0b53-603d-4384-8b98-b9fe16d1cfa1.vbs

Filesize
488B

MD5
95dddf0e51376e3b6a147245ad4ac2eb

SHA1
501b983bda8389b94a24091628763348ade80ee5

SHA256
226f7bd5e7e0d1223b67a8ad9a3623da958fccadcd9584b119f6c91fe25d5a9c

SHA512
4bbfe3e9b9be2f7995a6dcb7e85f8cae28a4c8fe935ac729bdb99f19342a015c781ed40f039a44ff6e26aef02e184ab936ccf0615520de310238865f9a859a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4e27007-e4d1-4d32-8600-9d8a75c2cfb9.vbs

Filesize
712B

MD5
2ac8dec15ab58639b0cc3c82487b72e0

SHA1
d4b8edf17920fb5fb142ac4e99a1704941c340a6

SHA256
301afdebd60c4a8fd9677068a7d0bec8c3acd292d893d0488c686dd2ea195c00

SHA512
b76499f2ff973b1de1c09f4d5f612f92166bfa42c7a2dd9ae294ea04c644c418cfbe29226430c085d6c8537c1ba0d413082776282d7f7bde1f3eb0d63f2c837f

Download Submit
C:\Users\Default\Saved Games\RuntimeBroker.exe

Filesize
1.6MB

MD5
883fb27cd063ebe5708d44d08f269c46

SHA1
158a7ab30005d822f1ac154941e6923e97c8ee5b

SHA256
96676bb32bab2eea09b9e3c0d972cbddd4e7a460c1acd9b3c8958ebc90247acd

SHA512
eb12acaded1607f079e242f2d5776692aff17fecbc40546b8f8ead02dc29b28a9df5ed8b11d3026dfc6bb57e525413ba3d743cdf9456cd986545068fcc871b67

Download Submit
C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\lsass.exe

Filesize
1.6MB

MD5
152a105c49f64e8ff135d0867f09f721

SHA1
bff736e8318a4a14766af471cc965358c3f0f02d

SHA256
0d232314d18e150dc7a46ae32a1ffc3b7ac6a96959d09f69fa53cdbcc8734358

SHA512
21e909968c7a8bd6f81269f3f876d7ad920eb74c2faba9030af8251397d73cf34527d649abd7676d21e2f6047c85be4591706e3f773ead2161c3836fb8fbf84d

Download Submit
memory/1128-247-0x00000286EC250000-0x00000286EC3BA000-memory.dmp

Filesize
1.4MB

Download
memory/1780-254-0x0000024637A10000-0x0000024637B7A000-memory.dmp

Filesize
1.4MB

Download
memory/1780-168-0x0000024637880000-0x00000246378A2000-memory.dmp

Filesize
136KB

Download
memory/1968-266-0x000002236CB30000-0x000002236CC9A000-memory.dmp

Filesize
1.4MB

Download
memory/2168-263-0x000001BFC7A10000-0x000001BFC7B7A000-memory.dmp

Filesize
1.4MB

Download
memory/2360-269-0x000002CCD5740000-0x000002CCD58AA000-memory.dmp

Filesize
1.4MB

Download
memory/2668-260-0x000001DCA8F80000-0x000001DCA90EA000-memory.dmp

Filesize
1.4MB

Download
memory/2980-272-0x000001C0AD420000-0x000001C0AD58A000-memory.dmp

Filesize
1.4MB

Download
memory/3016-257-0x000002AC3DCF0000-0x000002AC3DE5A000-memory.dmp

Filesize
1.4MB

Download
memory/3412-17-0x000000001BB20000-0x000000001BB2C000-memory.dmp

Filesize
48KB

Download
memory/3412-9-0x000000001B890000-0x000000001B898000-memory.dmp

Filesize
32KB

Download
memory/3412-15-0x000000001BB00000-0x000000001BB08000-memory.dmp

Filesize
32KB

Download
memory/3412-16-0x000000001BB10000-0x000000001BB1A000-memory.dmp

Filesize
40KB

Download
memory/3412-1-0x0000000000480000-0x0000000000622000-memory.dmp

Filesize
1.6MB

Download
memory/3412-154-0x00007FFE31F80000-0x00007FFE32A41000-memory.dmp

Filesize
10.8MB

Download
memory/3412-13-0x000000001BAE0000-0x000000001BAEE000-memory.dmp

Filesize
56KB

Download
memory/3412-0-0x00007FFE31F83000-0x00007FFE31F85000-memory.dmp

Filesize
8KB

Download
memory/3412-12-0x000000001B8D0000-0x000000001B8DA000-memory.dmp

Filesize
40KB

Download
memory/3412-11-0x000000001B8C0000-0x000000001B8CC000-memory.dmp

Filesize
48KB

Download
memory/3412-10-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

Filesize
48KB

Download
memory/3412-14-0x000000001BAF0000-0x000000001BAF8000-memory.dmp

Filesize
32KB

Download
memory/3412-7-0x000000001B270000-0x000000001B278000-memory.dmp

Filesize
32KB

Download
memory/3412-8-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/3412-6-0x0000000002830000-0x0000000002846000-memory.dmp

Filesize
88KB

Download
memory/3412-5-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/3412-4-0x000000001B8E0000-0x000000001B930000-memory.dmp

Filesize
320KB

Download
memory/3412-3-0x00000000027F0000-0x000000000280C000-memory.dmp

Filesize
112KB

Download
memory/3412-2-0x00007FFE31F80000-0x00007FFE32A41000-memory.dmp

Filesize
10.8MB

Download
memory/3808-253-0x0000017427950000-0x0000017427ABA000-memory.dmp

Filesize
1.4MB

Download
memory/4388-248-0x000001FAA27E0000-0x000001FAA294A000-memory.dmp

Filesize
1.4MB

Download