colibri | 8fb6ada4913777c02d68c945590916490da636dd5970542be792737e32a2a64a

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2022 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42d2f3d3157c790b31a09a0ca173feae.exe
Size

4.9MB
MD5

42d2f3d3157c790b31a09a0ca173feae
SHA1

a7694973c9dff0f3d624a9c00d2f36dcf9455b10
SHA256

8fb6ada4913777c02d68c945590916490da636dd5970542be792737e32a2a64a
SHA512

b7fea8abe3de9864acaaafae14932695db452607e7fd76542fb1093bfbbf897f86693d7ea207706b952081ff92d05b177d0d224ce4cdf33302b8424dfaa93d90
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 evasion infostealer loader rat spyware stealer trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

DcRat 53 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

42d2f3d3157c790b31a09a0ca173feae.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\SoftwareDistribution\5940a34987c991	42d2f3d3157c790b31a09a0ca173feae.exe
5204	schtasks.exe
5488	schtasks.exe
5236	schtasks.exe
3400	schtasks.exe
2896	schtasks.exe
5884	schtasks.exe
5172	schtasks.exe
5904	schtasks.exe
4676	schtasks.exe
2496	schtasks.exe
4728	schtasks.exe
636	schtasks.exe
5852	schtasks.exe
5920	schtasks.exe
1784	schtasks.exe
5156	schtasks.exe
5744	schtasks.exe
File created	C:\Program Files\Windows NT\e6c9b481da804f	42d2f3d3157c790b31a09a0ca173feae.exe
4292	schtasks.exe
5188	schtasks.exe
5600	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	42d2f3d3157c790b31a09a0ca173feae.exe
1788	schtasks.exe
4760	schtasks.exe
544	schtasks.exe
5404	schtasks.exe
5616	schtasks.exe
5728	schtasks.exe
5868	schtasks.exe
2184	schtasks.exe
4384	schtasks.exe
5220	schtasks.exe
5368	schtasks.exe
5936	schtasks.exe
5084	schtasks.exe
4636	schtasks.exe
5764	schtasks.exe
5804	schtasks.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\7a0fd90576e088	42d2f3d3157c790b31a09a0ca173feae.exe
3304	schtasks.exe
4880	schtasks.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\69ddcba757bf72	42d2f3d3157c790b31a09a0ca173feae.exe
5384	schtasks.exe
1872	schtasks.exe
920	schtasks.exe
4488	schtasks.exe
2892	schtasks.exe
5788	schtasks.exe
3136	schtasks.exe
4660	schtasks.exe
5136	schtasks.exe
5824	schtasks.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5136	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5156	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5172	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5188	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5220	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5236	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5204	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5368	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5384	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5404	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5616	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5600	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5488	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5764	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5744	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5728	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5788	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5852	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5868	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5884	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5904	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5920	4640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5936	4640	schtasks.exe

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

42d2f3d3157c790b31a09a0ca173feae.exe42d2f3d3157c790b31a09a0ca173feae.exeWaaSMedicAgent.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	42d2f3d3157c790b31a09a0ca173feae.exe

Executes dropped EXE 8 IoCs

Processes:

tmp76CD.tmp.exetmp76CD.tmp.exe42d2f3d3157c790b31a09a0ca173feae.exetmpA4FF.tmp.exetmpA4FF.tmp.exeWaaSMedicAgent.exetmp371D.tmp.exetmp371D.tmp.exe

pid	process
1468	tmp76CD.tmp.exe
4644	tmp76CD.tmp.exe
1272	42d2f3d3157c790b31a09a0ca173feae.exe
5504	tmpA4FF.tmp.exe
5668	tmpA4FF.tmp.exe
4776	WaaSMedicAgent.exe
5700	tmp371D.tmp.exe
5520	tmp371D.tmp.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

42d2f3d3157c790b31a09a0ca173feae.exe42d2f3d3157c790b31a09a0ca173feae.exeWaaSMedicAgent.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	42d2f3d3157c790b31a09a0ca173feae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	42d2f3d3157c790b31a09a0ca173feae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WaaSMedicAgent.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WaaSMedicAgent.exe42d2f3d3157c790b31a09a0ca173feae.exe42d2f3d3157c790b31a09a0ca173feae.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaaSMedicAgent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42d2f3d3157c790b31a09a0ca173feae.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 ipinfo.io
41 ipinfo.io

flow	ioc
40	ipinfo.io
41	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp76CD.tmp.exetmpA4FF.tmp.exetmp371D.tmp.exe

description	pid	process	target process
PID 1468 set thread context of 4644	1468	tmp76CD.tmp.exe	tmp76CD.tmp.exe
PID 5504 set thread context of 5668	5504	tmpA4FF.tmp.exe	tmpA4FF.tmp.exe
PID 5700 set thread context of 5520	5700	tmp371D.tmp.exe	tmp371D.tmp.exe

Drops file in Program Files directory 11 IoCs

Processes:

42d2f3d3157c790b31a09a0ca173feae.exe42d2f3d3157c790b31a09a0ca173feae.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\smss.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\69ddcba757bf72	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files\Windows NT\RCX84FC.tmp	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\tmp76CD.tmp.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\smss.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files\Windows NT\e6c9b481da804f	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX7526.tmp	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files\Windows NT\OfficeClickToRun.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\17c2392aca0cc1	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\tmp76CD.tmp.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Program Files\Windows NT\OfficeClickToRun.exe	42d2f3d3157c790b31a09a0ca173feae.exe

Drops file in Windows directory 15 IoCs

Processes:

42d2f3d3157c790b31a09a0ca173feae.exe42d2f3d3157c790b31a09a0ca173feae.exe

description	ioc	process
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\7a0fd90576e088	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Windows\SoftwareDistribution\5940a34987c991	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Windows\SoftwareDistribution\RCX826B.tmp	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Windows\L2Schemas\backgroundTaskHost.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Windows\LanguageOverlayCache\spoolsv.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Windows\SoftwareDistribution\dllhost.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Windows\SoftwareDistribution\dllhost.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Windows\IdentityCRL\RuntimeBroker.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\explorer.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\RCX7FCA.tmp	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Windows\IdentityCRL\RuntimeBroker.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Windows\IdentityCRL\9e8d7a4ca61bd9	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\explorer.exe	42d2f3d3157c790b31a09a0ca173feae.exe
File created	C:\Windows\L2Schemas\eddb19405b7ce1	42d2f3d3157c790b31a09a0ca173feae.exe
File opened for modification	C:\Windows\L2Schemas\backgroundTaskHost.exe	42d2f3d3157c790b31a09a0ca173feae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
5824	schtasks.exe
5188	schtasks.exe
5600	schtasks.exe
5136	schtasks.exe
5156	schtasks.exe
1784	schtasks.exe
1872	schtasks.exe
2896	schtasks.exe
5084	schtasks.exe
544	schtasks.exe
5744	schtasks.exe
5788	schtasks.exe
5852	schtasks.exe
4384	schtasks.exe
1788	schtasks.exe
5904	schtasks.exe
4676	schtasks.exe
5764	schtasks.exe
5868	schtasks.exe
5884	schtasks.exe
2184	schtasks.exe
2892	schtasks.exe
636	schtasks.exe
920	schtasks.exe
5404	schtasks.exe
5936	schtasks.exe
4660	schtasks.exe
4880	schtasks.exe
4728	schtasks.exe
3304	schtasks.exe
5172	schtasks.exe
5204	schtasks.exe
5728	schtasks.exe
4760	schtasks.exe
2496	schtasks.exe
5220	schtasks.exe
5236	schtasks.exe
4636	schtasks.exe
5368	schtasks.exe
5616	schtasks.exe
5488	schtasks.exe
3400	schtasks.exe
4488	schtasks.exe
5384	schtasks.exe
5804	schtasks.exe
5920	schtasks.exe
3136	schtasks.exe
4292	schtasks.exe

Modifies registry class 3 IoCs

Processes:

WaaSMedicAgent.exe42d2f3d3157c790b31a09a0ca173feae.exe42d2f3d3157c790b31a09a0ca173feae.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	WaaSMedicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	42d2f3d3157c790b31a09a0ca173feae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	42d2f3d3157c790b31a09a0ca173feae.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

42d2f3d3157c790b31a09a0ca173feae.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe42d2f3d3157c790b31a09a0ca173feae.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
380	42d2f3d3157c790b31a09a0ca173feae.exe
380	42d2f3d3157c790b31a09a0ca173feae.exe
380	42d2f3d3157c790b31a09a0ca173feae.exe
380	42d2f3d3157c790b31a09a0ca173feae.exe
380	42d2f3d3157c790b31a09a0ca173feae.exe
380	42d2f3d3157c790b31a09a0ca173feae.exe
380	42d2f3d3157c790b31a09a0ca173feae.exe
4944	powershell.exe
4944	powershell.exe
4576	powershell.exe
4576	powershell.exe
4992	powershell.exe
4992	powershell.exe
1140	powershell.exe
1140	powershell.exe
4828	powershell.exe
4828	powershell.exe
3640	powershell.exe
3640	powershell.exe
3908	powershell.exe
3908	powershell.exe
2336	powershell.exe
2336	powershell.exe
3236	powershell.exe
3236	powershell.exe
944	powershell.exe
944	powershell.exe
1592	powershell.exe
1592	powershell.exe
4828	powershell.exe
2832	powershell.exe
2832	powershell.exe
4944	powershell.exe
4944	powershell.exe
4576	powershell.exe
4576	powershell.exe
1140	powershell.exe
4992	powershell.exe
3640	powershell.exe
3236	powershell.exe
3908	powershell.exe
2336	powershell.exe
944	powershell.exe
1592	powershell.exe
2832	powershell.exe
1272	42d2f3d3157c790b31a09a0ca173feae.exe
1272	42d2f3d3157c790b31a09a0ca173feae.exe
1272	42d2f3d3157c790b31a09a0ca173feae.exe
1272	42d2f3d3157c790b31a09a0ca173feae.exe
6024	powershell.exe
6024	powershell.exe
6012	powershell.exe
6012	powershell.exe
6044	powershell.exe
6044	powershell.exe
6108	powershell.exe
6108	powershell.exe
6076	powershell.exe
6076	powershell.exe
1732	powershell.exe
1732	powershell.exe
5288	powershell.exe
5288	powershell.exe
5024	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	380	42d2f3d3157c790b31a09a0ca173feae.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1272	42d2f3d3157c790b31a09a0ca173feae.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	6012	powershell.exe
Token: SeDebugPrivilege	6044	powershell.exe
Token: SeDebugPrivilege	6108	powershell.exe
Token: SeDebugPrivilege	6076	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	5288	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	4776	WaaSMedicAgent.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WaaSMedicAgent.exe

pid process

4776 WaaSMedicAgent.exe

pid	process
4776	WaaSMedicAgent.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

42d2f3d3157c790b31a09a0ca173feae.exetmp76CD.tmp.exe42d2f3d3157c790b31a09a0ca173feae.exetmpA4FF.tmp.exe

description	pid	process	target process
PID 380 wrote to memory of 1468	380	42d2f3d3157c790b31a09a0ca173feae.exe	tmp76CD.tmp.exe
PID 380 wrote to memory of 1468	380	42d2f3d3157c790b31a09a0ca173feae.exe	tmp76CD.tmp.exe
PID 380 wrote to memory of 1468	380	42d2f3d3157c790b31a09a0ca173feae.exe	tmp76CD.tmp.exe
PID 1468 wrote to memory of 4644	1468	tmp76CD.tmp.exe	tmp76CD.tmp.exe
PID 1468 wrote to memory of 4644	1468	tmp76CD.tmp.exe	tmp76CD.tmp.exe
PID 1468 wrote to memory of 4644	1468	tmp76CD.tmp.exe	tmp76CD.tmp.exe
PID 1468 wrote to memory of 4644	1468	tmp76CD.tmp.exe	tmp76CD.tmp.exe
PID 1468 wrote to memory of 4644	1468	tmp76CD.tmp.exe	tmp76CD.tmp.exe
PID 1468 wrote to memory of 4644	1468	tmp76CD.tmp.exe	tmp76CD.tmp.exe
PID 1468 wrote to memory of 4644	1468	tmp76CD.tmp.exe	tmp76CD.tmp.exe
PID 380 wrote to memory of 3908	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 3908	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 4944	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 4944	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 4576	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 4576	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 4828	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 4828	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 4992	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 4992	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 1140	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 1140	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 3640	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 3640	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 2336	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 2336	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 3236	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 3236	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 944	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 944	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 1592	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 1592	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 2832	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 2832	380	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 380 wrote to memory of 1272	380	42d2f3d3157c790b31a09a0ca173feae.exe	42d2f3d3157c790b31a09a0ca173feae.exe
PID 380 wrote to memory of 1272	380	42d2f3d3157c790b31a09a0ca173feae.exe	42d2f3d3157c790b31a09a0ca173feae.exe
PID 1272 wrote to memory of 5504	1272	42d2f3d3157c790b31a09a0ca173feae.exe	tmpA4FF.tmp.exe
PID 1272 wrote to memory of 5504	1272	42d2f3d3157c790b31a09a0ca173feae.exe	tmpA4FF.tmp.exe
PID 1272 wrote to memory of 5504	1272	42d2f3d3157c790b31a09a0ca173feae.exe	tmpA4FF.tmp.exe
PID 5504 wrote to memory of 5668	5504	tmpA4FF.tmp.exe	tmpA4FF.tmp.exe
PID 5504 wrote to memory of 5668	5504	tmpA4FF.tmp.exe	tmpA4FF.tmp.exe
PID 5504 wrote to memory of 5668	5504	tmpA4FF.tmp.exe	tmpA4FF.tmp.exe
PID 5504 wrote to memory of 5668	5504	tmpA4FF.tmp.exe	tmpA4FF.tmp.exe
PID 5504 wrote to memory of 5668	5504	tmpA4FF.tmp.exe	tmpA4FF.tmp.exe
PID 5504 wrote to memory of 5668	5504	tmpA4FF.tmp.exe	tmpA4FF.tmp.exe
PID 5504 wrote to memory of 5668	5504	tmpA4FF.tmp.exe	tmpA4FF.tmp.exe
PID 1272 wrote to memory of 6012	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 6012	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 6024	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 6024	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 6044	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 6044	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 6076	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 6076	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 6108	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 6108	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 1732	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 1732	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 5024	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 5024	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 1016	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 1016	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 5288	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe
PID 1272 wrote to memory of 5288	1272	42d2f3d3157c790b31a09a0ca173feae.exe	powershell.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

42d2f3d3157c790b31a09a0ca173feae.exe42d2f3d3157c790b31a09a0ca173feae.exeWaaSMedicAgent.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	42d2f3d3157c790b31a09a0ca173feae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaaSMedicAgent.exe

C:\Users\Admin\AppData\Local\Temp\42d2f3d3157c790b31a09a0ca173feae.exe
"C:\Users\Admin\AppData\Local\Temp\42d2f3d3157c790b31a09a0ca173feae.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:380

C:\Users\Admin\AppData\Local\Temp\tmp76CD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp76CD.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\tmp76CD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp76CD.tmp.exe"
3⤵
- Executes dropped EXE
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Users\Admin\AppData\Local\Temp\42d2f3d3157c790b31a09a0ca173feae.exe
"C:\Users\Admin\AppData\Local\Temp\42d2f3d3157c790b31a09a0ca173feae.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1272

C:\Users\Admin\AppData\Local\Temp\tmpA4FF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA4FF.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5504

C:\Users\Admin\AppData\Local\Temp\tmpA4FF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA4FF.tmp.exe"
4⤵
- Executes dropped EXE
PID:5668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Users\Default User\WaaSMedicAgent.exe
"C:\Users\Default User\WaaSMedicAgent.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4776

C:\Users\Admin\AppData\Local\Temp\tmp371D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp371D.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5700

C:\Users\Admin\AppData\Local\Temp\tmp371D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp371D.tmp.exe"
5⤵
- Executes dropped EXE
PID:5520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dee7f20c-ab71-4171-9465-9792f3209af1.vbs"
4⤵
PID:5464

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8e63a26-91d9-4ea4-a59f-7e9631ba8938.vbs"
4⤵
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows NT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\IdentityCRL\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp76CD.tmpt" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\tmp76CD.tmp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp76CD.tmp" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\tmp76CD.tmp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp76CD.tmpt" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\tmp76CD.tmp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\odt\TrustedInstaller.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\42d2f3d3157c790b31a09a0ca173feae.exe.log
Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cfecb4e0f846589c2742fd84d6bbd1db

SHA1
730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec

SHA256
12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa

SHA512
669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cfecb4e0f846589c2742fd84d6bbd1db

SHA1
730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec

SHA256
12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa

SHA512
669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17ea263ce8c38396c330fd30047d0522

SHA1
65304731eecbe75dd17c1bafbcc48dbf25e17eb7

SHA256
e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8

SHA512
0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17ea263ce8c38396c330fd30047d0522

SHA1
65304731eecbe75dd17c1bafbcc48dbf25e17eb7

SHA256
e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8

SHA512
0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17ea263ce8c38396c330fd30047d0522

SHA1
65304731eecbe75dd17c1bafbcc48dbf25e17eb7

SHA256
e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8

SHA512
0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17ea263ce8c38396c330fd30047d0522

SHA1
65304731eecbe75dd17c1bafbcc48dbf25e17eb7

SHA256
e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8

SHA512
0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17ea263ce8c38396c330fd30047d0522

SHA1
65304731eecbe75dd17c1bafbcc48dbf25e17eb7

SHA256
e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8

SHA512
0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fd75863b92316fbcc874bd5b9b026b8b

SHA1
55e552e47e03ddca877840663ad0375ad55e8b64

SHA256
d656041b6586ee97132c673081298e231a63f0db144e534b907a6ca0234b4a1c

SHA512
0306b650d7dc452be2aab2f35c7d945b28f6370caf0b038ec5b874111ca746af187816bdf80276121e100022432db38f5c23768dd3582981aa2d6526a4b8273c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fd75863b92316fbcc874bd5b9b026b8b

SHA1
55e552e47e03ddca877840663ad0375ad55e8b64

SHA256
d656041b6586ee97132c673081298e231a63f0db144e534b907a6ca0234b4a1c

SHA512
0306b650d7dc452be2aab2f35c7d945b28f6370caf0b038ec5b874111ca746af187816bdf80276121e100022432db38f5c23768dd3582981aa2d6526a4b8273c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fd75863b92316fbcc874bd5b9b026b8b

SHA1
55e552e47e03ddca877840663ad0375ad55e8b64

SHA256
d656041b6586ee97132c673081298e231a63f0db144e534b907a6ca0234b4a1c

SHA512
0306b650d7dc452be2aab2f35c7d945b28f6370caf0b038ec5b874111ca746af187816bdf80276121e100022432db38f5c23768dd3582981aa2d6526a4b8273c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fd75863b92316fbcc874bd5b9b026b8b

SHA1
55e552e47e03ddca877840663ad0375ad55e8b64

SHA256
d656041b6586ee97132c673081298e231a63f0db144e534b907a6ca0234b4a1c

SHA512
0306b650d7dc452be2aab2f35c7d945b28f6370caf0b038ec5b874111ca746af187816bdf80276121e100022432db38f5c23768dd3582981aa2d6526a4b8273c

Download Submit
C:\Users\Admin\AppData\Local\Temp\42d2f3d3157c790b31a09a0ca173feae.exe
Filesize
4.9MB

MD5
42d2f3d3157c790b31a09a0ca173feae

SHA1
a7694973c9dff0f3d624a9c00d2f36dcf9455b10

SHA256
8fb6ada4913777c02d68c945590916490da636dd5970542be792737e32a2a64a

SHA512
b7fea8abe3de9864acaaafae14932695db452607e7fd76542fb1093bfbbf897f86693d7ea207706b952081ff92d05b177d0d224ce4cdf33302b8424dfaa93d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8e63a26-91d9-4ea4-a59f-7e9631ba8938.vbs
Filesize
492B

MD5
c0aa33ed60a2cf634cd0e5b5f26195da

SHA1
d1a58712734b70b016f51348a613785485ca69c7

SHA256
9a3e01a816b5ba944912703f00a69ff75d1794b53dea67ec716b6f34e9ab39c0

SHA512
32fc1d8f0f17037f8196f0f694303275c2b3e93908ab66602b6c0361f9dd545f11ceec2a8bfbb7ba1a9917030498b344f4b81f69a6dc4396ab8bfed17216fed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dee7f20c-ab71-4171-9465-9792f3209af1.vbs
Filesize
716B

MD5
93ae7a080b7f3c15fd94ae9bdfee91f7

SHA1
bc89705528e01dab53b0052b4bb06fe4d6b748a9

SHA256
27c3f75cdbfb6f33481b8e562aa0f433b7898172bb50fbbaa2210e3de0f55547

SHA512
c065621f8e01cf99c09131a0c9a510ba7354c98f8af1decce55d94b02e4f39b2d455400aaddac67526f641356bd1ae267e6b582821b97c97bf61db5832816916

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp371D.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp371D.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp371D.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp76CD.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp76CD.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp76CD.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4FF.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4FF.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4FF.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Default User\WaaSMedicAgent.exe
Filesize
4.9MB

MD5
42d2f3d3157c790b31a09a0ca173feae

SHA1
a7694973c9dff0f3d624a9c00d2f36dcf9455b10

SHA256
8fb6ada4913777c02d68c945590916490da636dd5970542be792737e32a2a64a

SHA512
b7fea8abe3de9864acaaafae14932695db452607e7fd76542fb1093bfbbf897f86693d7ea207706b952081ff92d05b177d0d224ce4cdf33302b8424dfaa93d90

Download Submit
C:\Users\Default\WaaSMedicAgent.exe
Filesize
4.9MB

MD5
42d2f3d3157c790b31a09a0ca173feae

SHA1
a7694973c9dff0f3d624a9c00d2f36dcf9455b10

SHA256
8fb6ada4913777c02d68c945590916490da636dd5970542be792737e32a2a64a

SHA512
b7fea8abe3de9864acaaafae14932695db452607e7fd76542fb1093bfbbf897f86693d7ea207706b952081ff92d05b177d0d224ce4cdf33302b8424dfaa93d90

Download Submit
memory/380-168-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/380-132-0x0000000000550000-0x0000000000A44000-memory.dmp

Filesize
5.0MB

Download
memory/380-135-0x000000001D510000-0x000000001DA38000-memory.dmp

Filesize
5.2MB

Download
memory/380-134-0x000000001CF90000-0x000000001CFE0000-memory.dmp

Filesize
320KB

Download
memory/380-133-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/944-171-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/944-153-0x0000000000000000-mapping.dmp

Download
memory/944-199-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1016-216-0x0000000000000000-mapping.dmp

Download
memory/1016-237-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1016-260-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1140-194-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1140-162-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1140-157-0x0000021EFF6E0000-0x0000021EFF702000-memory.dmp

Filesize
136KB

Download
memory/1140-149-0x0000000000000000-mapping.dmp

Download
memory/1272-235-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1272-165-0x0000000000000000-mapping.dmp

Download
memory/1272-204-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1272-172-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1468-139-0x0000000000A4B000-0x0000000000A51000-memory.dmp

Filesize
24KB

Download
memory/1468-136-0x0000000000000000-mapping.dmp

Download
memory/1592-195-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1592-154-0x0000000000000000-mapping.dmp

Download
memory/1592-187-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1592-169-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1732-225-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1732-251-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/1732-214-0x0000000000000000-mapping.dmp

Download
memory/2184-259-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/2184-227-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/2184-218-0x0000000000000000-mapping.dmp

Download
memory/2336-164-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-197-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/2336-151-0x0000000000000000-mapping.dmp

Download
memory/2832-155-0x0000000000000000-mapping.dmp

Download
memory/2832-170-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-201-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3044-219-0x0000000000000000-mapping.dmp

Download
memory/3044-262-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3044-229-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3236-198-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3236-167-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3236-152-0x0000000000000000-mapping.dmp

Download
memory/3236-186-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3528-254-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3528-220-0x0000000000000000-mapping.dmp

Download
memory/3528-238-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-196-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-161-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-150-0x0000000000000000-mapping.dmp

Download
memory/3908-200-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3908-163-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3908-144-0x0000000000000000-mapping.dmp

Download
memory/4576-146-0x0000000000000000-mapping.dmp

Download
memory/4576-158-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-188-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-193-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4644-143-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4644-141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4644-140-0x0000000000000000-mapping.dmp

Download
memory/4776-239-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-231-0x0000000000000000-mapping.dmp

Download
memory/4792-270-0x0000000000000000-mapping.dmp

Download
memory/4828-202-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-147-0x0000000000000000-mapping.dmp

Download
memory/4828-159-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-189-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-145-0x0000000000000000-mapping.dmp

Download
memory/4944-185-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-156-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4944-192-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4992-148-0x0000000000000000-mapping.dmp

Download
memory/4992-190-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/4992-160-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-226-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-215-0x0000000000000000-mapping.dmp

Download
memory/5024-261-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/5288-217-0x0000000000000000-mapping.dmp

Download
memory/5288-228-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/5288-245-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/5464-269-0x0000000000000000-mapping.dmp

Download
memory/5504-191-0x0000000000000000-mapping.dmp

Download
memory/5520-266-0x0000000000000000-mapping.dmp

Download
memory/5668-206-0x0000000000000000-mapping.dmp

Download
memory/5700-263-0x0000000000000000-mapping.dmp

Download
memory/6012-209-0x0000000000000000-mapping.dmp

Download
memory/6012-221-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/6012-252-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/6024-222-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/6024-210-0x0000000000000000-mapping.dmp

Download
memory/6024-240-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/6044-211-0x0000000000000000-mapping.dmp

Download
memory/6044-253-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/6044-223-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/6076-212-0x0000000000000000-mapping.dmp

Download
memory/6076-247-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/6076-224-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/6108-213-0x0000000000000000-mapping.dmp

Download
memory/6108-249-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download
memory/6108-236-0x00007FF99C500000-0x00007FF99CFC1000-memory.dmp

Filesize
10.8MB

Download