dcrat | b48732dd80d273baa411ef94094f19adaf0ed373bb80a6b64bb090af2b97222f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2022 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Size

2.6MB
MD5

1ab16df8f4ca6da3ff749ec6b65c57ed
SHA1

6a86417f494f8cd839cd615a848f9c58f2c546d2
SHA256

b48732dd80d273baa411ef94094f19adaf0ed373bb80a6b64bb090af2b97222f
SHA512

68d32a440844e78d82a97fb51fec8bda440ec8821d6f548daa676ae5fa6d5fb053261b442ef92ae7f73ec8880206cc34df3e9f4920e126bb83767898418619be
SSDEEP

49152:+pTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:+ZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	444	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exetaskhostw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4756-132-0x0000000000AA0000-0x0000000000D44000-memory.dmp	dcrat
C:\Program Files (x86)\Google\CrashReports\taskhostw.exe	dcrat
C:\Program Files (x86)\Google\CrashReports\taskhostw.exe	dcrat
behavioral2/memory/5156-170-0x0000000000230000-0x00000000004D4000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

taskhostw.exe

pid process

5156 taskhostw.exe

pid	process
5156	taskhostw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exetaskhostw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ipinfo.io
30 ipinfo.io

flow	ioc
29	ipinfo.io
30	ipinfo.io

Drops file in Program Files directory 42 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Google\CrashReports\taskhostw.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\smss.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\WmiPrvSE.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXABBC.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXA231.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXB847.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\sihost.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Common Files\Services\69ddcba757bf72	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXAC3A.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXB2A7.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXB8D5.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\services.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\69ddcba757bf72	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files\ModifiableWindowsApps\winlogon.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files\Java\jre1.8.0_66\886983d96e3d3e	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Google\CrashReports\ea9f0e6c9e2dcd	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\fontdrvhost.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX8CD5.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXB219.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files\Java\jre1.8.0_66\csrss.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\services.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\c5b4cb5e9653cc	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files\Google\Chrome\Application\sihost.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\taskhostw.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\spoolsv.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\24dbde2999530e	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Windows Defender\f3b6ecef712a24	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files\Google\Chrome\Application\66fc9ff0ee96c2	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX92F4.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX9382.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCX9691.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXA2AF.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Windows Defender\spoolsv.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCX9603.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Common Files\Services\smss.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\WmiPrvSE.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX8D53.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\RCX9C31.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\RCX9CBF.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\csrss.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

Drops file in Windows directory 10 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe

description	ioc	process
File created	C:\Windows\ja-JP\Registry.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Windows\ja-JP\ee2ad38f3d4382	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Windows\ja-JP\RCXAEDB.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Windows\twain_32\System.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File created	C:\Windows\twain_32\27d1bcfc3c54e0	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Windows\twain_32\System.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Windows\ja-JP\RCXAF78.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Windows\ja-JP\Registry.exe	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Windows\twain_32\RCXA540.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
File opened for modification	C:\Windows\twain_32\RCXA61C.tmp	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4404	schtasks.exe
3324	schtasks.exe
3164	schtasks.exe
4516	schtasks.exe
3184	schtasks.exe
3752	schtasks.exe
1236	schtasks.exe
4160	schtasks.exe
1768	schtasks.exe
4676	schtasks.exe
4776	schtasks.exe
4304	schtasks.exe
3980	schtasks.exe
3644	schtasks.exe
4680	schtasks.exe
4692	schtasks.exe
1324	schtasks.exe
620	schtasks.exe
664	schtasks.exe
2016	schtasks.exe
4164	schtasks.exe
316	schtasks.exe
4704	schtasks.exe
3568	schtasks.exe
4812	schtasks.exe
1600	schtasks.exe
4552	schtasks.exe
3840	schtasks.exe
1444	schtasks.exe
800	schtasks.exe
4584	schtasks.exe
2044	schtasks.exe
4880	schtasks.exe
2176	schtasks.exe
4820	schtasks.exe
1224	schtasks.exe
4668	schtasks.exe
1772	schtasks.exe
100	schtasks.exe
1300	schtasks.exe
4460	schtasks.exe
1432	schtasks.exe
4508	schtasks.exe
4792	schtasks.exe
1752	schtasks.exe
1644	schtasks.exe
2304	schtasks.exe
4072	schtasks.exe

Modifies registry class 1 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe

pid	process
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskhostw.exe

pid process

5156 taskhostw.exe

pid	process
5156	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskhostw.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	5156	taskhostw.exe
Token: SeBackupPrivilege	6044	vssvc.exe
Token: SeRestorePrivilege	6044	vssvc.exe
Token: SeAuditPrivilege	6044	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

taskhostw.exe

pid process

5156 taskhostw.exe

pid	process
5156	taskhostw.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exe

description	pid	process	target process
PID 4756 wrote to memory of 5076	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 5076	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 3160	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 3160	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 4648	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 4648	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 3424	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 3424	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 2092	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 2092	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 1588	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 1588	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 3308	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 3308	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 4736	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 4736	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 2608	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 2608	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 2548	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 2548	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 1792	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 1792	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 4808	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 4808	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 2888	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 2888	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 1684	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 1684	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 1472	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 1472	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 4668	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 4668	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 1752	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 1752	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	powershell.exe
PID 4756 wrote to memory of 5156	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	taskhostw.exe
PID 4756 wrote to memory of 5156	4756	1ab16df8f4ca6da3ff749ec6b65c57ed.exe	taskhostw.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

1ab16df8f4ca6da3ff749ec6b65c57ed.exetaskhostw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1ab16df8f4ca6da3ff749ec6b65c57ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe

C:\Users\Admin\AppData\Local\Temp\1ab16df8f4ca6da3ff749ec6b65c57ed.exe
"C:\Users\Admin\AppData\Local\Temp\1ab16df8f4ca6da3ff749ec6b65c57ed.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1ab16df8f4ca6da3ff749ec6b65c57ed.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\smss.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\WmiPrvSE.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre1.8.0_66\csrss.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\smss.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\services.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\System.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\sihost.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\spoolsv.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\Registry.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\taskhostw.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\SppExtComObj.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\sihost.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Registry.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Program Files (x86)\Google\CrashReports\taskhostw.exe
"C:\Program Files (x86)\Google\CrashReports\taskhostw.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:5156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre1.8.0_66\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre1.8.0_66\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\twain_32\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Oracle\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Oracle\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\ja-JP\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\CrashReports\taskhostw.exe
Filesize
2.6MB

MD5
7f02a5a81e4845f15c4cd4e308708f3e

SHA1
e64add5711689ed5d0f009d9df96b027ad8dc384

SHA256
628787dda532bdd3963a130815d2d665cfe5dbf1632770b2f4530c42f1a0d3cc

SHA512
ebbbb029b599c12133fa5eef01caf2c977a439e8bfd51a2f34dab50510f5b98c27560732f10eebfeb065e8c5dca94c01d531c276cdc44e4ebcee979a292785af

Download Submit
C:\Program Files (x86)\Google\CrashReports\taskhostw.exe
Filesize
2.6MB

MD5
7f02a5a81e4845f15c4cd4e308708f3e

SHA1
e64add5711689ed5d0f009d9df96b027ad8dc384

SHA256
628787dda532bdd3963a130815d2d665cfe5dbf1632770b2f4530c42f1a0d3cc

SHA512
ebbbb029b599c12133fa5eef01caf2c977a439e8bfd51a2f34dab50510f5b98c27560732f10eebfeb065e8c5dca94c01d531c276cdc44e4ebcee979a292785af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
memory/1472-214-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1472-155-0x0000000000000000-mapping.dmp

Download
memory/1472-180-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1588-146-0x0000000000000000-mapping.dmp

Download
memory/1588-158-0x00000294E1C50000-0x00000294E1C72000-memory.dmp

Filesize
136KB

Download
memory/1588-208-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1588-164-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1684-154-0x0000000000000000-mapping.dmp

Download
memory/1684-207-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1684-179-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1752-196-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1752-157-0x0000000000000000-mapping.dmp

Download
memory/1752-216-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1792-151-0x0000000000000000-mapping.dmp

Download
memory/1792-198-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/1792-175-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/2092-205-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/2092-162-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/2092-145-0x0000000000000000-mapping.dmp

Download
memory/2548-150-0x0000000000000000-mapping.dmp

Download
memory/2548-201-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/2548-176-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/2608-149-0x0000000000000000-mapping.dmp

Download
memory/2608-204-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/2608-174-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/2888-153-0x0000000000000000-mapping.dmp

Download
memory/2888-178-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/2888-210-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/3160-160-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/3160-199-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/3160-142-0x0000000000000000-mapping.dmp

Download
memory/3308-189-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/3308-165-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/3308-147-0x0000000000000000-mapping.dmp

Download
memory/3424-163-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/3424-202-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/3424-144-0x0000000000000000-mapping.dmp

Download
memory/4648-209-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4648-161-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4648-143-0x0000000000000000-mapping.dmp

Download
memory/4668-213-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4668-181-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4668-156-0x0000000000000000-mapping.dmp

Download
memory/4736-148-0x0000000000000000-mapping.dmp

Download
memory/4736-203-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4736-172-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4756-173-0x000000001E21A000-0x000000001E21F000-memory.dmp

Filesize
20KB

Download
memory/4756-132-0x0000000000AA0000-0x0000000000D44000-memory.dmp

Filesize
2.6MB

Download
memory/4756-133-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4756-139-0x0000000001560000-0x0000000001570000-memory.dmp

Filesize
64KB

Download
memory/4756-138-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4756-171-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4756-159-0x000000001E210000-0x000000001E214000-memory.dmp

Filesize
16KB

Download
memory/4756-140-0x000000001E217000-0x000000001E21A000-memory.dmp

Filesize
12KB

Download
memory/4756-134-0x000000001D6E0000-0x000000001DC08000-memory.dmp

Filesize
5.2MB

Download
memory/4756-137-0x000000001E214000-0x000000001E217000-memory.dmp

Filesize
12KB

Download
memory/4756-136-0x000000001E210000-0x000000001E214000-memory.dmp

Filesize
16KB

Download
memory/4756-135-0x0000000001560000-0x0000000001570000-memory.dmp

Filesize
64KB

Download
memory/4808-182-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/4808-152-0x0000000000000000-mapping.dmp

Download
memory/4808-177-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/5076-141-0x0000000000000000-mapping.dmp

Download
memory/5076-206-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/5076-169-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/5156-166-0x0000000000000000-mapping.dmp

Download
memory/5156-170-0x0000000000230000-0x00000000004D4000-memory.dmp

Filesize
2.6MB

Download
memory/5156-217-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/5156-218-0x000000001E730000-0x000000001E8F2000-memory.dmp

Filesize
1.8MB

Download
memory/5156-219-0x0000000000979000-0x000000000097F000-memory.dmp

Filesize
24KB

Download
memory/5156-220-0x00007FFB92CC0000-0x00007FFB93781000-memory.dmp

Filesize
10.8MB

Download
memory/5156-221-0x0000000000979000-0x000000000097F000-memory.dmp

Filesize
24KB

Download