dcrat | 7ddbec7fac00ec5624f45da5879ebfa97d95b21c7842cbaa1058daa46a47bd41

Analysis

max time kernel
60s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Size

5.9MB
MD5

c3aaa8d0678c59cfe55a289d29c5b3d1
SHA1

2c592322b164e7fa9282bfdb7a650dbe4d41492c
SHA256

c18fdffa9d1b4bc8ae2f14f8685b9dcad5d250760d0fe059c522115dac9a3d24
SHA512

e36f85f15ee3e026fcac40603e8985277f1196d2435cb95c24ffa9afc1dbd09c69474be0d601c7b6a6c67bec203369cfb1e67aa6db1ae1a0056910b12bd70408
SSDEEP

98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4G:ByeU11Rvqmu8TWKnF6N/1w3

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5704	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6076	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5968	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5864	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5876	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5656	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5132	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5716	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	5860	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	5860	schtasks.exe	89

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4924	powershell.exe
4788	powershell.exe
4692	powershell.exe
4620	powershell.exe
5692	powershell.exe
4668	powershell.exe
2844	powershell.exe
4848	powershell.exe
4900	powershell.exe
4744	powershell.exe
6132	powershell.exe
4856	powershell.exe
4984	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c3aaa8d0678c59cfe55a289d29c5b3d1.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 4 IoCs

pid	Process
2976	RuntimeBroker.exe
1460	RuntimeBroker.exe
2844	RuntimeBroker.exe
5060	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
2976	RuntimeBroker.exe
2976	RuntimeBroker.exe
1460	RuntimeBroker.exe
1460	RuntimeBroker.exe
2844	RuntimeBroker.exe
2844	RuntimeBroker.exe
5060	RuntimeBroker.exe
5060	RuntimeBroker.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4764_1444133187\6203df4a6bafc7	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RCX864F.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RCX8650.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\explorer.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files\edge_BITS_4764_1444133187\RCX9A43.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files\edge_BITS_4764_1444133187\RCX9AC1.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files\edge_BITS_4764_1444133187\lsass.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\explorer.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\7a0fd90576e088	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File created	C:\Program Files\edge_BITS_4764_1444133187\lsass.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5100	schtasks.exe
2360	schtasks.exe
5876	schtasks.exe
4964	schtasks.exe
5864	schtasks.exe
2484	schtasks.exe
4588	schtasks.exe
452	schtasks.exe
5704	schtasks.exe
3164	schtasks.exe
944	schtasks.exe
5716	schtasks.exe
1808	schtasks.exe
380	schtasks.exe
1464	schtasks.exe
4724	schtasks.exe
3592	schtasks.exe
4404	schtasks.exe
1112	schtasks.exe
4868	schtasks.exe
4872	schtasks.exe
5900	schtasks.exe
4584	schtasks.exe
1392	schtasks.exe
4316	schtasks.exe
1624	schtasks.exe
4808	schtasks.exe
4976	schtasks.exe
512	schtasks.exe
5048	schtasks.exe
1528	schtasks.exe
5656	schtasks.exe
5132	schtasks.exe
544	schtasks.exe
1648	schtasks.exe
5032	schtasks.exe
6076	schtasks.exe
5968	schtasks.exe
3028	schtasks.exe
4572	schtasks.exe
4932	schtasks.exe
5104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
6132	powershell.exe
6132	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	6132	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	5692	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	2976	RuntimeBroker.exe
Token: SeDebugPrivilege	1460	RuntimeBroker.exe
Token: SeDebugPrivilege	2844	RuntimeBroker.exe
Token: SeDebugPrivilege	5060	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 6132	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	140
PID 4040 wrote to memory of 6132	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	140
PID 4040 wrote to memory of 4620	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	141
PID 4040 wrote to memory of 4620	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	141
PID 4040 wrote to memory of 4744	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	142
PID 4040 wrote to memory of 4744	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	142
PID 4040 wrote to memory of 4692	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	143
PID 4040 wrote to memory of 4692	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	143
PID 4040 wrote to memory of 4788	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	145
PID 4040 wrote to memory of 4788	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	145
PID 4040 wrote to memory of 4924	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	147
PID 4040 wrote to memory of 4924	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	147
PID 4040 wrote to memory of 4984	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	148
PID 4040 wrote to memory of 4984	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	148
PID 4040 wrote to memory of 4900	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	149
PID 4040 wrote to memory of 4900	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	149
PID 4040 wrote to memory of 4848	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	150
PID 4040 wrote to memory of 4848	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	150
PID 4040 wrote to memory of 2844	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	151
PID 4040 wrote to memory of 2844	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	151
PID 4040 wrote to memory of 4668	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	153
PID 4040 wrote to memory of 4668	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	153
PID 4040 wrote to memory of 5692	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	154
PID 4040 wrote to memory of 5692	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	154
PID 4040 wrote to memory of 4856	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	156
PID 4040 wrote to memory of 4856	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	156
PID 4040 wrote to memory of 2976	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	166
PID 4040 wrote to memory of 2976	4040	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	166
PID 2976 wrote to memory of 836	2976	RuntimeBroker.exe	168
PID 2976 wrote to memory of 836	2976	RuntimeBroker.exe	168
PID 2976 wrote to memory of 5772	2976	RuntimeBroker.exe	169
PID 2976 wrote to memory of 5772	2976	RuntimeBroker.exe	169
PID 836 wrote to memory of 1460	836	WScript.exe	170
PID 836 wrote to memory of 1460	836	WScript.exe	170
PID 1460 wrote to memory of 1184	1460	RuntimeBroker.exe	171
PID 1460 wrote to memory of 1184	1460	RuntimeBroker.exe	171
PID 1460 wrote to memory of 5152	1460	RuntimeBroker.exe	172
PID 1460 wrote to memory of 5152	1460	RuntimeBroker.exe	172
PID 1184 wrote to memory of 2844	1184	WScript.exe	176
PID 1184 wrote to memory of 2844	1184	WScript.exe	176
PID 2844 wrote to memory of 3996	2844	RuntimeBroker.exe	177
PID 2844 wrote to memory of 3996	2844	RuntimeBroker.exe	177
PID 2844 wrote to memory of 4740	2844	RuntimeBroker.exe	178
PID 2844 wrote to memory of 4740	2844	RuntimeBroker.exe	178
PID 3996 wrote to memory of 5060	3996	WScript.exe	179
PID 3996 wrote to memory of 5060	3996	WScript.exe	179
PID 5060 wrote to memory of 6064	5060	RuntimeBroker.exe	180
PID 5060 wrote to memory of 6064	5060	RuntimeBroker.exe	180
PID 5060 wrote to memory of 3724	5060	RuntimeBroker.exe	181
PID 5060 wrote to memory of 3724	5060	RuntimeBroker.exe	181

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c3aaa8d0678c59cfe55a289d29c5b3d1.exe
"C:\Users\Admin\AppData\Local\Temp\c3aaa8d0678c59cfe55a289d29c5b3d1.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/60739cf6f660743813/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/900323d723f1dd1206/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2976
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac67dde7-40e6-471e-ab62-06d0e1d84bf2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
      C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1460
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd1a3dcd-dfc2-44ba-b799-a663d59cffae.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
      - C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
        
        C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\968a42c1-6d8f-4221-b233-fa7d3c06b993.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
        
        C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\162390ca-c9d3-4b85-9d80-e36b75477a7a.vbs"
        9⤵
        
        PID:6064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\538b8378-90bd-4770-bdf9-e90328e5d455.vbs"
        9⤵
        
        PID:3724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc5c95df-f464-444f-b557-d74ca9af481f.vbs"
        7⤵
        
        PID:4740
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6caf9c37-a3b3-4b18-adbe-a4ee7baee59c.vbs"
        5⤵
        
        PID:5152
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86d55aaa-43a9-470c-9d27-3e37ef2cc53c.vbs"
    3⤵
    PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\900323d723f1dd1206\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\60739cf6f660743813\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c3aaa8d0678c59cfe55a289d29c5b3d1c" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\c3aaa8d0678c59cfe55a289d29c5b3d1.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c3aaa8d0678c59cfe55a289d29c5b3d1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\c3aaa8d0678c59cfe55a289d29c5b3d1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c3aaa8d0678c59cfe55a289d29c5b3d1c" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Roaming\c3aaa8d0678c59cfe55a289d29c5b3d1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\900323d723f1dd1206\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\My Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\60739cf6f660743813\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4764_1444133187\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4764_1444133187\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4764_1444133187\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\60739cf6f660743813\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\60739cf6f660743813\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\60739cf6f660743813\smss.exe

Filesize
5.9MB

MD5
8a8e198dc7cf9b726e390c42f1e6b499

SHA1
3cefba279c40ec89d233c69da26274974760486d

SHA256
2d071c37606fb1d13d8da84df505d23f126b14b3c7cf25f33dc374775b525dd4

SHA512
6a3c56385d282a07124deff8012915c8ff3ca2e1fbbc9720e23871df2ac4a008396e778283bbd40d9a8461e670583774263e36d630aa5bcdac0a1fc735e46cc6

Download Submit
C:\900323d723f1dd1206\RuntimeBroker.exe

Filesize
5.9MB

MD5
c3aaa8d0678c59cfe55a289d29c5b3d1

SHA1
2c592322b164e7fa9282bfdb7a650dbe4d41492c

SHA256
c18fdffa9d1b4bc8ae2f14f8685b9dcad5d250760d0fe059c522115dac9a3d24

SHA512
e36f85f15ee3e026fcac40603e8985277f1196d2435cb95c24ffa9afc1dbd09c69474be0d601c7b6a6c67bec203369cfb1e67aa6db1ae1a0056910b12bd70408

Download Submit
C:\Program Files\edge_BITS_4764_1444133187\lsass.exe

Filesize
5.9MB

MD5
fe4b9c1f935712f24708bc7eab175c0d

SHA1
20afb97a25eab2e5759c9393aee1d10c841269db

SHA256
5e7ab09cd82d46f3a0dc38feae761fad07f2e9388a03e9569593faec68ee01bf

SHA512
7b32fd747e30191fcbf1820010e04c9c47b6a26438a2db49a27cb6554326ff2a5bc8ef533d2d85ad5f504bdaade6d44ed3b269ed06dc8775354f6881ddea7f61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
30552f7617959d837dbc5167ec0a3824

SHA1
a471b8d31983b3885cee92ead3f3f2b6621c1ebe

SHA256
c8f05399999cda0a1d159d9be58d5d7e39b783290d57a238cfdb22c000301c18

SHA512
37af8e93814f95ea8773b093803ca74475fcc2f0006bcbbd0ecc28d6ab6acb742afed81d5b859f6429128761b440a355f2b35fe38242fae9d8069c8ab23c84b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0bd0ba1b6d523383ae26f8138bac15f

SHA1
8d2828b9380b09fe6b0a78703a821b9fb8a491e5

SHA256
a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

SHA512
614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
75b793d8785da13700a6ebd48c30d77d

SHA1
b7d004bac69f44d9c847a49933d1df3e4dafd5db

SHA256
ab63179aa6eded5be6820711bfa2b7a9ba0184e6247a9a2aa1ebd839aba08a6b

SHA512
37e43c7b8d21173bc02237c5e1871a79ec95a96984671eeb5f9863dfce157f5f2bc90a6102b1beac6c8c8f928aa5b5094ae822d953f3833ea4e119ec664d4070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ee21a21f8b414c5a89db56be6641dd5

SHA1
2403dc36f95bcc4536ac61057a9ce76e11b470f9

SHA256
49cd0e958905a47f71f38c2211bacb5607f7903ae593a6e7f8156a1bab364d71

SHA512
996352f4281526569825fbbf6de92fd01b724ebe3dff34516df65c9986cff7cc9ebdba5b3068808740087441508a0678e44bce158f9f998431b441b5d31aa7aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
241a30ee59b4b06c007874e90fe80d6d

SHA1
5f1ba41ebc6984909a65725c2e686c6012bd32c6

SHA256
91b63fc7449595695b9e0ee26704ea721dc66d7da9e99b38c66962f6d93e65bb

SHA512
61f9ce6d433cc8efe06587ddcb4921a1bf6516fcd3c36ad79a2583acf1122202bf9565ccd5e8c28430b0fd09b1564b2a17b97f7a6c9e6ffe5a0ea76400fbaaf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a0a5a1b68ad6facd1636fe5f5e1c4359

SHA1
e4fee6d6a2476904d9ba14d9045341df3616ca4a

SHA256
7257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a

SHA512
1b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\162390ca-c9d3-4b85-9d80-e36b75477a7a.vbs

Filesize
724B

MD5
06d33e1ad8c5f367b50f9a258291e8ea

SHA1
cc6cd5b1ac126417bfd8f6e218627b9369382574

SHA256
731354e3a3b60050a2975188e58ee9805884c8870246d6dfeb2822220dcea02c

SHA512
7bd1b318a932857ba02ef4408800fd23f3fba01c335a6d00856cccf28b58292c8dbf3840bf67877917c1ef3d06a56f52f49976d45a6acac7bed8c2861c5c4e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\86d55aaa-43a9-470c-9d27-3e37ef2cc53c.vbs

Filesize
500B

MD5
d1c1bf0de894c4bc992062be6117b60e

SHA1
2620b9fe73672a2504abf7e71d23eb6c9de195f4

SHA256
17d5da7343b915a3d8cf17577ddfe422cb91e8689cbaa8a83bfaff708ea33af1

SHA512
1e4ca19d44e9a0c3cadfbc7767ff2f2861ab3e6184c6782c472134a8b0c19f8ef5e8f7ed31e0011815cf30a453371e5aee1b0f85b348406421bcaf82995717ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\968a42c1-6d8f-4221-b233-fa7d3c06b993.vbs

Filesize
724B

MD5
1ae2029ff4fd1ce9c38c94474176ac8b

SHA1
8d8a4f821505e3d05c0792aed111a06b7a9242d6

SHA256
9a2b5e867e41e4115f85970bae3b26a319aec0c17c4a5a7354ee6284b6492fde

SHA512
0c33bf59df0105c051f3f4b88b7262c38e6e4b243dba5443d992fe8e2027e67e320fbd8291aec4efa25f58ed7e2153ee0a08b852f9c4104db8f47728c93b66b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sj3r3p1h.lqz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac67dde7-40e6-471e-ab62-06d0e1d84bf2.vbs

Filesize
724B

MD5
501c64ad20b00e1670ea5a3240b694e9

SHA1
71b1978ff8af5298273c0fbda708455256ca6cca

SHA256
3811d31f15f072f5b0f19987095e76867725237e8ac00ece6ad83a4ee0779d99

SHA512
239eacbab7aa868d4772f9af251593a85ba7d8648afb1e685a20d87c47038b6c45ea9d273686af73aba3a822fddcba86e5dbfc031737deec4843ee1c18ed42b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd1a3dcd-dfc2-44ba-b799-a663d59cffae.vbs

Filesize
724B

MD5
562f33a1951618164a9dba5659db3746

SHA1
061dda02121fd59c0e66f48cde7cfa27fe1ec6a4

SHA256
b6e4dd0a30bf98b3f134e6bdabe90c5331c228e27996610cdfb629bcfd061839

SHA512
bc9ca64ac2e1f0306b307cb7de790dec13cafd46bb7fb62455073423ae4a470e224e722626718086a64be9342da058953fffebc757f5b03acce4e2d62434b436

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Filesize
5.9MB

MD5
37d46ad2eb766d102b010fc696ac185e

SHA1
a5b1c82cf479b44fa605b4412a74917556fcb2b3

SHA256
f323a6a82b91cff3fbde5be64d325a3ed503099134ec73cd4d10d147b9b48d96

SHA512
a444e1b16b09d2a9400be3d0c9a45747b9660c65c904abb74acbdb6eab4ea1391d254adad0822f3865d025ba9d81a0bb0d66f112414572d7b87ccde39e1bc263

Download Submit
C:\Users\Default\Pictures\dllhost.exe

Filesize
5.9MB

MD5
57a6db9b71981bd3ce9c2133d5a4499b

SHA1
ad3b81b1f26c59b7c36382e929a8a21fe98fa5c7

SHA256
d11c4f556a9b8cbd9b4efc930251f084085c810ae1d381146ed840fd77623572

SHA512
ac3c33a1102d3186090ecbe1047fbf649a6a428b96c49b97f1682387ffcdaaacfea84961d8e02ab99a4121944eb79f7e9c276de4c433b17a2c6d63ff5d2edd48

Download Submit
memory/2844-455-0x000000001DB70000-0x000000001DB82000-memory.dmp

Filesize
72KB

Download
memory/2844-456-0x000000001DBB0000-0x000000001DC06000-memory.dmp

Filesize
344KB

Download
memory/2976-398-0x0000000000B80000-0x0000000001478000-memory.dmp

Filesize
9.0MB

Download
memory/2976-428-0x000000001DB30000-0x000000001DB42000-memory.dmp

Filesize
72KB

Download
memory/2976-429-0x000000001DB80000-0x000000001DBD6000-memory.dmp

Filesize
344KB

Download
memory/4040-17-0x000000001C250000-0x000000001C25A000-memory.dmp

Filesize
40KB

Download
memory/4040-215-0x00007FFE58B30000-0x00007FFE595F1000-memory.dmp

Filesize
10.8MB

Download
memory/4040-26-0x000000001DAD0000-0x000000001DADC000-memory.dmp

Filesize
48KB

Download
memory/4040-29-0x000000001DB00000-0x000000001DB0C000-memory.dmp

Filesize
48KB

Download
memory/4040-28-0x000000001DAF0000-0x000000001DAF8000-memory.dmp

Filesize
32KB

Download
memory/4040-30-0x000000001DB10000-0x000000001DB1C000-memory.dmp

Filesize
48KB

Download
memory/4040-31-0x000000001DDA0000-0x000000001DDA8000-memory.dmp

Filesize
32KB

Download
memory/4040-32-0x000000001DB20000-0x000000001DB2C000-memory.dmp

Filesize
48KB

Download
memory/4040-33-0x000000001DB30000-0x000000001DB3A000-memory.dmp

Filesize
40KB

Download
memory/4040-34-0x000000001DB40000-0x000000001DB4E000-memory.dmp

Filesize
56KB

Download
memory/4040-36-0x000000001DB60000-0x000000001DB6E000-memory.dmp

Filesize
56KB

Download
memory/4040-35-0x000000001DB50000-0x000000001DB58000-memory.dmp

Filesize
32KB

Download
memory/4040-37-0x000000001DB70000-0x000000001DB78000-memory.dmp

Filesize
32KB

Download
memory/4040-38-0x000000001DB80000-0x000000001DB8C000-memory.dmp

Filesize
48KB

Download
memory/4040-39-0x000000001DDB0000-0x000000001DDB8000-memory.dmp

Filesize
32KB

Download
memory/4040-40-0x000000001DDC0000-0x000000001DDCA000-memory.dmp

Filesize
40KB

Download
memory/4040-41-0x000000001DDD0000-0x000000001DDDC000-memory.dmp

Filesize
48KB

Download
memory/4040-25-0x000000001E0D0000-0x000000001E5F8000-memory.dmp

Filesize
5.2MB

Download
memory/4040-24-0x000000001DAA0000-0x000000001DAB2000-memory.dmp

Filesize
72KB

Download
memory/4040-22-0x000000001DA90000-0x000000001DA98000-memory.dmp

Filesize
32KB

Download
memory/4040-21-0x000000001DB90000-0x000000001DB9C000-memory.dmp

Filesize
48KB

Download
memory/4040-195-0x00007FFE58B33000-0x00007FFE58B35000-memory.dmp

Filesize
8KB

Download
memory/4040-20-0x000000001DA80000-0x000000001DA88000-memory.dmp

Filesize
32KB

Download
memory/4040-27-0x000000001DAE0000-0x000000001DAEC000-memory.dmp

Filesize
48KB

Download
memory/4040-1-0x0000000000B20000-0x0000000001418000-memory.dmp

Filesize
9.0MB

Download
memory/4040-19-0x000000001DA70000-0x000000001DA7C000-memory.dmp

Filesize
48KB

Download
memory/4040-18-0x000000001C260000-0x000000001C2B6000-memory.dmp

Filesize
344KB

Download
memory/4040-399-0x00007FFE58B30000-0x00007FFE595F1000-memory.dmp

Filesize
10.8MB

Download
memory/4040-0-0x00007FFE58B33000-0x00007FFE58B35000-memory.dmp

Filesize
8KB

Download
memory/4040-16-0x0000000003700000-0x0000000003710000-memory.dmp

Filesize
64KB

Download
memory/4040-15-0x00000000036F0000-0x00000000036F8000-memory.dmp

Filesize
32KB

Download
memory/4040-14-0x0000000003710000-0x000000000371C000-memory.dmp

Filesize
48KB

Download
memory/4040-13-0x00000000036E0000-0x00000000036F2000-memory.dmp

Filesize
72KB

Download
memory/4040-12-0x00000000036D0000-0x00000000036D8000-memory.dmp

Filesize
32KB

Download
memory/4040-11-0x00000000036B0000-0x00000000036C6000-memory.dmp

Filesize
88KB

Download
memory/4040-9-0x0000000003690000-0x0000000003698000-memory.dmp

Filesize
32KB

Download
memory/4040-10-0x00000000036A0000-0x00000000036B0000-memory.dmp

Filesize
64KB

Download
memory/4040-8-0x000000001C200000-0x000000001C250000-memory.dmp

Filesize
320KB

Download
memory/4040-7-0x0000000003670000-0x000000000368C000-memory.dmp

Filesize
112KB

Download
memory/4040-6-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download
memory/4040-5-0x0000000001D00000-0x0000000001D0E000-memory.dmp

Filesize
56KB

Download
memory/4040-4-0x0000000001CF0000-0x0000000001CFE000-memory.dmp

Filesize
56KB

Download
memory/4040-3-0x00007FFE58B30000-0x00007FFE595F1000-memory.dmp

Filesize
10.8MB

Download
memory/4040-2-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/4620-274-0x000001DFE8CB0000-0x000001DFE8CD2000-memory.dmp

Filesize
136KB

Download
memory/5060-469-0x000000001E2E0000-0x000000001E2F2000-memory.dmp

Filesize
72KB

Download