dcrat | b48732dd80d273baa411ef94094f19adaf0ed373bb80a6b64bb090af2b97222f

Analysis

max time kernel
81s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Size

2.6MB
MD5

1ab16df8f4ca6da3ff749ec6b65c57ed
SHA1

6a86417f494f8cd839cd615a848f9c58f2c546d2
SHA256

b48732dd80d273baa411ef94094f19adaf0ed373bb80a6b64bb090af2b97222f
SHA512

68d32a440844e78d82a97fb51fec8bda440ec8821d6f548daa676ae5fa6d5fb053261b442ef92ae7f73ec8880206cc34df3e9f4920e126bb83767898418619be
SSDEEP

49152:+pTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:+ZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	368	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	368	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe1ab16df8f4ca6da3ff749ec6b65c57ed.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1048-54-0x0000000000FB0000-0x0000000001254000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\1ab16df8f4ca6da3ff749ec6b65c57ed.exe	dcrat
behavioral1/memory/2004-217-0x0000000000F70000-0x0000000001214000-memory.dmp	dcrat
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe	dcrat
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe

pid process

1396 1ab16df8f4ca6da3ff749ec6b65c57ed.exe

pid	process
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe1ab16df8f4ca6da3ff749ec6b65c57ed.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
7 ipinfo.io

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 17 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe1ab16df8f4ca6da3ff749ec6b65c57ed.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\powershell.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files\7-Zip\Lang\e978f868350d50	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\powershell.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6203df4a6bafc7	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX41CC.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\6203df4a6bafc7	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files\VideoLAN\lsm.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX4546.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files\VideoLAN\101b941d020240	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\56085415360792	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files\VideoLAN\lsm.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

Drops file in Windows directory 11 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe1ab16df8f4ca6da3ff749ec6b65c57ed.exe

description	ioc	process
File created	C:\Windows\SoftwareDistribution\DataStore\Logs\27d1bcfc3c54e0	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\RCX29D5.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\RCX2D50.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\System.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Windows\Migration\WTR\wininit.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Windows\Migration\WTR\wininit.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Windows\SoftwareDistribution\DataStore\Logs\System.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Windows\twain_32\Idle.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Windows\twain_32\6ccacd8608530f	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Windows\Migration\WTR\56085415360792	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Windows\twain_32\Idle.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1480	schtasks.exe
1580	schtasks.exe
548	schtasks.exe
1728	schtasks.exe
952	schtasks.exe
1604	schtasks.exe
948	schtasks.exe
1624	schtasks.exe
1588	schtasks.exe
1420	schtasks.exe
1636	schtasks.exe
2044	schtasks.exe
1780	schtasks.exe
740	schtasks.exe
1440	schtasks.exe
1152	schtasks.exe
1972	schtasks.exe
540	schtasks.exe
992	schtasks.exe
540	schtasks.exe
112	schtasks.exe
456	schtasks.exe
1824	schtasks.exe
2092	schtasks.exe
1844	schtasks.exe
1516	schtasks.exe
600	schtasks.exe
472	schtasks.exe
948	schtasks.exe
620	schtasks.exe
2000	schtasks.exe
956	schtasks.exe
1532	schtasks.exe
1884	schtasks.exe
2064	schtasks.exe
804	schtasks.exe
612	schtasks.exe
1344	schtasks.exe
872	schtasks.exe
1168	schtasks.exe
1304	schtasks.exe
1392	schtasks.exe
1496	schtasks.exe
2008	schtasks.exe
316	schtasks.exe
2140	schtasks.exe
1708	schtasks.exe
804	schtasks.exe
1556	schtasks.exe
1732	schtasks.exe
1228	schtasks.exe
1984	schtasks.exe
856	schtasks.exe
1332	schtasks.exe
760	schtasks.exe
1980	schtasks.exe
684	schtasks.exe
624	schtasks.exe
1544	schtasks.exe
1328	schtasks.exe
1756	schtasks.exe
648	schtasks.exe
1988	schtasks.exe
1356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe1ab16df8f4ca6da3ff749ec6b65c57ed.exe

pid	process
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe1ab16df8f4ca6da3ff749ec6b65c57ed.exeschtasks.exepowershell.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	process
Token: SeDebugPrivilege	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Token: SeDebugPrivilege	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Token: SeDebugPrivilege	1732	schtasks.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	1440	schtasks.exe
Token: SeDebugPrivilege	1884	schtasks.exe
Token: SeDebugPrivilege	648	schtasks.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe1ab16df8f4ca6da3ff749ec6b65c57ed.exe

description	pid	process	target process
PID 1048 wrote to memory of 924	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 924	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 924	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1692	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1692	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1692	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1732	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1732	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1732	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1884	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1884	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1884	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1440	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1440	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1440	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 648	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 648	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 648	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1048 wrote to memory of 1396	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
PID 1048 wrote to memory of 1396	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
PID 1048 wrote to memory of 1396	1048	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
PID 1396 wrote to memory of 2224	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2224	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2224	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2236	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2236	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2236	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2256	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2256	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2256	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2284	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2284	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2284	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2304	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2304	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2304	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2332	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2332	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2332	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2352	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2352	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2352	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2376	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2376	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2376	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2400	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2400	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2400	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2420	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2420	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2420	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2456	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2456	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2456	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2544	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2544	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 1396 wrote to memory of 2544	1396	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe1ab16df8f4ca6da3ff749ec6b65c57ed.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

C:\Users\Admin\AppData\Local\Temp\1ab16df8f4ca6da3ff749ec6b65c57ed.exe
"C:\Users\Admin\AppData\Local\Temp\1ab16df8f4ca6da3ff749ec6b65c57ed.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1ab16df8f4ca6da3ff749ec6b65c57ed.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\explorer.exe'
2⤵
PID:1692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
2⤵
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\DataStore\Logs\System.exe'
2⤵
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\csrss.exe'
2⤵
PID:1440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'
2⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\1ab16df8f4ca6da3ff749ec6b65c57ed.exe
"C:\Users\Admin\AppData\Local\Temp\1ab16df8f4ca6da3ff749ec6b65c57ed.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1ab16df8f4ca6da3ff749ec6b65c57ed.exe'
3⤵
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'
3⤵
PID:2236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalLow\Sun\Java\powershell.exe'
3⤵
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe'
3⤵
PID:2284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\conhost.exe'
3⤵
PID:2304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\powershell.exe'
3⤵
PID:2352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
3⤵
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'
3⤵
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\Idle.exe'
3⤵
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\lsm.exe'
3⤵
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'
3⤵
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'
3⤵
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'
3⤵
PID:2888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\csrss.exe'
3⤵
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'
3⤵
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'
3⤵
PID:2776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'
3⤵
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\wininit.exe'
3⤵
PID:3024

C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe
"C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe"
3⤵
PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\lsm.exe'
3⤵
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\conhost.exe'
3⤵
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\twain_32\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /f
1⤵
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Pictures\lsm.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe
Filesize
2.6MB

MD5
1ab16df8f4ca6da3ff749ec6b65c57ed

SHA1
6a86417f494f8cd839cd615a848f9c58f2c546d2

SHA256
b48732dd80d273baa411ef94094f19adaf0ed373bb80a6b64bb090af2b97222f

SHA512
68d32a440844e78d82a97fb51fec8bda440ec8821d6f548daa676ae5fa6d5fb053261b442ef92ae7f73ec8880206cc34df3e9f4920e126bb83767898418619be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\lsass.exe
Filesize
2.6MB

MD5
1ab16df8f4ca6da3ff749ec6b65c57ed

SHA1
6a86417f494f8cd839cd615a848f9c58f2c546d2

SHA256
b48732dd80d273baa411ef94094f19adaf0ed373bb80a6b64bb090af2b97222f

SHA512
68d32a440844e78d82a97fb51fec8bda440ec8821d6f548daa676ae5fa6d5fb053261b442ef92ae7f73ec8880206cc34df3e9f4920e126bb83767898418619be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Filesize
2.6MB

MD5
1ab16df8f4ca6da3ff749ec6b65c57ed

SHA1
6a86417f494f8cd839cd615a848f9c58f2c546d2

SHA256
b48732dd80d273baa411ef94094f19adaf0ed373bb80a6b64bb090af2b97222f

SHA512
68d32a440844e78d82a97fb51fec8bda440ec8821d6f548daa676ae5fa6d5fb053261b442ef92ae7f73ec8880206cc34df3e9f4920e126bb83767898418619be

Download Submit
C:\Users\Admin\AppData\Local\Temp\861618fce7a13414d9661467cafea3df858c46384.5.332Rat01ae5043b4edcb8cf00c21396080e054436dcfb1
Filesize
1KB

MD5
e763c15c16f1962ee477a6b26c412dc1

SHA1
203239826e30167acdcf0eead1f672fa9ad93ad4

SHA256
629ab89206f826b47e3c4ccbb1b2faee6ba34c86b1235c6c3140bdc1f0b80be5

SHA512
fafcfe32228798e6f66f9982c2d6979a5d21996f87e3487bf9c46dc278e8fa60ddb6cb2101d729be1a1cbd4d9b363e8110c8ec0aa20b24ea2246cfcb9a62aa42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f42ed53a4ab8477cf41df82dfa38580d

SHA1
3e13ebbfd7e7904a3579e00085038f78dfc22482

SHA256
bee08a13413f534ebda424bda00dc9bb4bfd4712f3a1b3e1429033434b32a880

SHA512
be51a8f4b719f3e12b1e51044510486ddcf91fd1443097f408c5bc92c07c75d0e179838d393c5792c9717b2d5bc5e60b56865b95a803e23489413749bb36f9ec

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/648-97-0x000007FEEB330000-0x000007FEEBD53000-memory.dmp

Filesize
10.1MB

Download
memory/648-79-0x0000000000000000-mapping.dmp

Download
memory/648-129-0x000000000242B000-0x000000000244A000-memory.dmp

Filesize
124KB

Download
memory/648-128-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/648-115-0x000000001B8E0000-0x000000001BBDF000-memory.dmp

Filesize
3.0MB

Download
memory/648-119-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/648-103-0x000007FEEDA50000-0x000007FEEE5AD000-memory.dmp

Filesize
11.4MB

Download
memory/648-107-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/924-126-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/924-108-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/924-127-0x000000000296B000-0x000000000298A000-memory.dmp

Filesize
124KB

Download
memory/924-74-0x0000000000000000-mapping.dmp

Download
memory/924-117-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/924-120-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/924-89-0x000007FEEB330000-0x000007FEEBD53000-memory.dmp

Filesize
10.1MB

Download
memory/924-104-0x000007FEEDA50000-0x000007FEEE5AD000-memory.dmp

Filesize
11.4MB

Download
memory/1048-63-0x0000000000950000-0x000000000095C000-memory.dmp

Filesize
48KB

Download
memory/1048-59-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1048-66-0x0000000000AF0000-0x0000000000B02000-memory.dmp

Filesize
72KB

Download
memory/1048-71-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/1048-96-0x000000001B306000-0x000000001B325000-memory.dmp

Filesize
124KB

Download
memory/1048-67-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/1048-57-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/1048-58-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1048-72-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/1048-62-0x0000000000900000-0x0000000000956000-memory.dmp

Filesize
344KB

Download
memory/1048-56-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/1048-61-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/1048-68-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/1048-70-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/1048-69-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/1048-73-0x000000001B306000-0x000000001B325000-memory.dmp

Filesize
124KB

Download
memory/1048-65-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/1048-54-0x0000000000FB0000-0x0000000001254000-memory.dmp

Filesize
2.6MB

Download
memory/1048-90-0x000000001B306000-0x000000001B325000-memory.dmp

Filesize
124KB

Download
memory/1048-55-0x0000000000450000-0x000000000045E000-memory.dmp

Filesize
56KB

Download
memory/1048-64-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/1048-60-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/1396-238-0x000000001AF36000-0x000000001AF55000-memory.dmp

Filesize
124KB

Download
memory/1396-112-0x000000001AF36000-0x000000001AF55000-memory.dmp

Filesize
124KB

Download
memory/1396-92-0x0000000000000000-mapping.dmp

Download
memory/1396-100-0x000000001AF36000-0x000000001AF55000-memory.dmp

Filesize
124KB

Download
memory/1396-98-0x00000000001A0000-0x00000000001B2000-memory.dmp

Filesize
72KB

Download
memory/1396-99-0x000000001AD90000-0x000000001ADE6000-memory.dmp

Filesize
344KB

Download
memory/1440-122-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/1440-78-0x0000000000000000-mapping.dmp

Download
memory/1440-95-0x000007FEEB330000-0x000007FEEBD53000-memory.dmp

Filesize
10.1MB

Download
memory/1440-105-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/1440-116-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1440-101-0x000007FEEDA50000-0x000007FEEE5AD000-memory.dmp

Filesize
11.4MB

Download
memory/1440-123-0x000000000244B000-0x000000000246A000-memory.dmp

Filesize
124KB

Download
memory/1440-118-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/1512-201-0x0000000000000000-mapping.dmp

Download
memory/1616-193-0x0000000000000000-mapping.dmp

Download
memory/1692-75-0x0000000000000000-mapping.dmp

Download
memory/1732-111-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1732-110-0x000007FEEDA50000-0x000007FEEE5AD000-memory.dmp

Filesize
11.4MB

Download
memory/1732-121-0x00000000022D4000-0x00000000022D7000-memory.dmp

Filesize
12KB

Download
memory/1732-124-0x00000000022D4000-0x00000000022D7000-memory.dmp

Filesize
12KB

Download
memory/1732-87-0x000007FEEB330000-0x000007FEEBD53000-memory.dmp

Filesize
10.1MB

Download
memory/1732-80-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/1732-125-0x00000000022DB000-0x00000000022FA000-memory.dmp

Filesize
124KB

Download
memory/1732-76-0x0000000000000000-mapping.dmp

Download
memory/1732-109-0x00000000022D4000-0x00000000022D7000-memory.dmp

Filesize
12KB

Download
memory/1884-86-0x000007FEEB330000-0x000007FEEBD53000-memory.dmp

Filesize
10.1MB

Download
memory/1884-102-0x000007FEEDA50000-0x000007FEEE5AD000-memory.dmp

Filesize
11.4MB

Download
memory/1884-106-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1884-113-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1884-77-0x0000000000000000-mapping.dmp

Download
memory/1884-114-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/2004-211-0x0000000000000000-mapping.dmp

Download
memory/2004-217-0x0000000000F70000-0x0000000001214000-memory.dmp

Filesize
2.6MB

Download
memory/2224-168-0x0000000002334000-0x0000000002337000-memory.dmp

Filesize
12KB

Download
memory/2224-159-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2224-153-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2224-131-0x0000000000000000-mapping.dmp

Download
memory/2224-230-0x0000000002334000-0x0000000002337000-memory.dmp

Filesize
12KB

Download
memory/2224-231-0x000000000233B000-0x000000000235A000-memory.dmp

Filesize
124KB

Download
memory/2236-132-0x0000000000000000-mapping.dmp

Download
memory/2236-160-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2236-244-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/2236-174-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2236-155-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2236-245-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2256-162-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2256-237-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/2256-176-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2256-133-0x0000000000000000-mapping.dmp

Download
memory/2256-220-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/2284-134-0x0000000000000000-mapping.dmp

Download
memory/2284-165-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2284-180-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/2284-235-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/2284-177-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2284-236-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download
memory/2304-184-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2304-161-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2304-194-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/2304-135-0x0000000000000000-mapping.dmp

Download
memory/2332-167-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2332-179-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2332-186-0x0000000002320000-0x00000000023A0000-memory.dmp

Filesize
512KB

Download
memory/2332-136-0x0000000000000000-mapping.dmp

Download
memory/2352-137-0x0000000000000000-mapping.dmp

Download
memory/2376-138-0x0000000000000000-mapping.dmp

Download
memory/2400-170-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2400-139-0x0000000000000000-mapping.dmp

Download
memory/2400-182-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2420-140-0x0000000000000000-mapping.dmp

Download
memory/2420-190-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/2420-183-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2420-172-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2456-192-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2456-143-0x0000000000000000-mapping.dmp

Download
memory/2544-203-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2544-149-0x0000000000000000-mapping.dmp

Download
memory/2672-158-0x0000000000000000-mapping.dmp

Download
memory/2672-208-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2672-200-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2776-207-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2776-246-0x000000000290B000-0x000000000292A000-memory.dmp

Filesize
124KB

Download
memory/2776-197-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2776-247-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/2776-166-0x0000000000000000-mapping.dmp

Download
memory/2848-214-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2848-173-0x0000000000000000-mapping.dmp

Download
memory/2848-222-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2848-254-0x0000000001FDB000-0x0000000001FFA000-memory.dmp

Filesize
124KB

Download
memory/2888-221-0x000007FEEB7A0000-0x000007FEEC2FD000-memory.dmp

Filesize
11.4MB

Download
memory/2888-178-0x0000000000000000-mapping.dmp

Download
memory/2888-213-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download
memory/2980-185-0x0000000000000000-mapping.dmp

Download
memory/3024-189-0x0000000000000000-mapping.dmp

Download
memory/3024-219-0x000007FEEC300000-0x000007FEECD23000-memory.dmp

Filesize
10.1MB

Download