dcrat | 70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-01-2023 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afb679b10d49b2052e1239c345dee646.exe
Size

3.0MB
MD5

afb679b10d49b2052e1239c345dee646
SHA1

5cc8ce5753431b0cc4901aa53d8489e37a91c672
SHA256

70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998
SHA512

14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967
SSDEEP

49152:hwQVR+A3rrXAafICZyKC5iEqpVJ2pfexGqjNJ8JrSwAca2R7TQALtMiTdUdvVSMt:hwQVP7x6iEgBxVr8lMfkT1DBUdvge9Gi

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	1164	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1164	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

afb679b10d49b2052e1239c345dee646.exeWmiPrvSE.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1980-54-0x0000000000040000-0x0000000000346000-memory.dmp	dcrat
C:\Users\Admin\Music\WmiPrvSE.exe	dcrat
C:\Users\Admin\Music\WmiPrvSE.exe	dcrat
behavioral1/memory/2688-140-0x00000000008E0000-0x0000000000BE6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

WmiPrvSE.exe

pid process

2688 WmiPrvSE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2688	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

afb679b10d49b2052e1239c345dee646.exeWmiPrvSE.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	afb679b10d49b2052e1239c345dee646.exe

Drops file in Program Files directory 11 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exe

description	ioc	process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe	afb679b10d49b2052e1239c345dee646.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\6ccacd8608530f	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\VideoLAN\services.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\56085415360792	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\winlogon.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\explorer.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\7a0fd90576e088	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\VideoLAN\c5b4cb5e9653cc	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\wininit.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\cc11b995f2a76d	afb679b10d49b2052e1239c345dee646.exe

Drops file in Windows directory 2 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exe

description	ioc	process
File created	C:\Windows\Branding\ShellBrd\Idle.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\Branding\ShellBrd\6ccacd8608530f	afb679b10d49b2052e1239c345dee646.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
560	schtasks.exe
2280	schtasks.exe
2304	schtasks.exe
316	schtasks.exe
1840	schtasks.exe
1092	schtasks.exe
884	schtasks.exe
1984	schtasks.exe
1144	schtasks.exe
1752	schtasks.exe
1604	schtasks.exe
2120	schtasks.exe
2136	schtasks.exe
584	schtasks.exe
1144	schtasks.exe
788	schtasks.exe
2164	schtasks.exe
2016	schtasks.exe
1480	schtasks.exe
1268	schtasks.exe
1076	schtasks.exe
2096	schtasks.exe
1760	schtasks.exe
592	schtasks.exe
2208	schtasks.exe
1504	schtasks.exe
1552	schtasks.exe
1032	schtasks.exe
1688	schtasks.exe
1620	schtasks.exe
1356	schtasks.exe
1748	schtasks.exe
360	schtasks.exe
1676	schtasks.exe
824	schtasks.exe
1052	schtasks.exe
1020	schtasks.exe
1772	schtasks.exe
2076	schtasks.exe
1324	schtasks.exe
2188	schtasks.exe
2236	schtasks.exe
1292	schtasks.exe
1036	schtasks.exe
1564	schtasks.exe
1692	schtasks.exe
980	schtasks.exe
2260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exeWmiPrvSE.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1980	afb679b10d49b2052e1239c345dee646.exe
2688	WmiPrvSE.exe
2488	powershell.exe
2328	powershell.exe
2400	powershell.exe
2732	powershell.exe
2432	powershell.exe
2752	powershell.exe
2644	powershell.exe
2476	powershell.exe
2380	powershell.exe
2360	powershell.exe
2340	powershell.exe
2692	powershell.exe
2456	powershell.exe
2664	powershell.exe
2576	powershell.exe
2712	powershell.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe
2688	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1980	afb679b10d49b2052e1239c345dee646.exe
Token: SeDebugPrivilege	2688	WmiPrvSE.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeBackupPrivilege	604	vssvc.exe
Token: SeRestorePrivilege	604	vssvc.exe
Token: SeAuditPrivilege	604	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.execmd.exeWmiPrvSE.exe

description	pid	process	target process
PID 1980 wrote to memory of 2328	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2328	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2328	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2340	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2340	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2340	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2360	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2360	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2360	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2380	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2380	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2380	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2400	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2400	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2400	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2432	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2432	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2432	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2456	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2456	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2456	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2476	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2476	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2476	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2488	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2488	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2488	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2528	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2528	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2528	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2576	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2576	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2576	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2644	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2644	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2644	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2664	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2664	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2664	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2692	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2692	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2692	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2712	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2712	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2712	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2732	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2732	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2732	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2752	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2752	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2752	1980	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 1980 wrote to memory of 2868	1980	afb679b10d49b2052e1239c345dee646.exe	cmd.exe
PID 1980 wrote to memory of 2868	1980	afb679b10d49b2052e1239c345dee646.exe	cmd.exe
PID 1980 wrote to memory of 2868	1980	afb679b10d49b2052e1239c345dee646.exe	cmd.exe
PID 2868 wrote to memory of 2396	2868	cmd.exe	w32tm.exe
PID 2868 wrote to memory of 2396	2868	cmd.exe	w32tm.exe
PID 2868 wrote to memory of 2396	2868	cmd.exe	w32tm.exe
PID 2868 wrote to memory of 2688	2868	cmd.exe	WmiPrvSE.exe
PID 2868 wrote to memory of 2688	2868	cmd.exe	WmiPrvSE.exe
PID 2868 wrote to memory of 2688	2868	cmd.exe	WmiPrvSE.exe
PID 2688 wrote to memory of 268	2688	WmiPrvSE.exe	WScript.exe
PID 2688 wrote to memory of 268	2688	WmiPrvSE.exe	WScript.exe
PID 2688 wrote to memory of 268	2688	WmiPrvSE.exe	WScript.exe
PID 2688 wrote to memory of 1868	2688	WmiPrvSE.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

afb679b10d49b2052e1239c345dee646.exeWmiPrvSE.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe
"C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\explorer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WMIADAP.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\services.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\explorer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\Idle.exe'
2⤵
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\lsm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\WmiPrvSE.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Solitaire\fr-FR\winlogon.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3cpwEOfdce.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2396

C:\Users\Admin\Music\WmiPrvSE.exe
"C:\Users\Admin\Music\WmiPrvSE.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2688

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23ddcf22-d85a-43d2-a480-7dc15ec4e9b5.vbs"
4⤵
PID:268

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14b8ad65-ea76-4d74-830b-3c5068ac5171.vbs"
4⤵
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Music\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Solitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14b8ad65-ea76-4d74-830b-3c5068ac5171.vbs
Filesize
485B

MD5
9707bcffccf9f94709ded7e01f22ec10

SHA1
e734e039475b3e2728bf1ef84975c7082d5d7b78

SHA256
42d2b10137124d71963856a32cd5ec8e39e87d02804a3f91b99511d6ae7741ee

SHA512
e392986ca9e93c3ac5ffa6df1ccd88638984f287b3c9a80f05a581552c05dd881768c5cff3707f00f4c0a3eddad741cc426d5168cd3150a3bcb13d263584488b

Download Submit
C:\Users\Admin\AppData\Local\Temp\23ddcf22-d85a-43d2-a480-7dc15ec4e9b5.vbs
Filesize
709B

MD5
0d23e2e841e5e4caef6a7e82d9d9b966

SHA1
f8dc740dd1b88e2d68c8ba17c23d741575df4ba9

SHA256
5f5bc7876a5935d48b94db6cf167fef7af4af5af5d84f0c2d69d848fbb34424d

SHA512
72343bab2df18f8f949711e01e9341d0cf513d0fedada70b7ec1880e3c13b29e495f213f91fa8030b7a358d34fdd75bd38d44b076842141fdae7d8c47bf7c998

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cpwEOfdce.bat
Filesize
198B

MD5
857d39fd5a4912b56d85f187fef626c5

SHA1
c82258642a28b9792944d1031368b3c42d9f03cb

SHA256
81df79a471b5a96cc751d4edccbfa5b38f13d7a7bf9f90414d4ba47bef945e53

SHA512
022c2342d3a1f31945933fbc0f363f2e11540aabe319ca5b6ef5ee2cf4bc0edc1a74efd8e26c0737c85586183b7a7fa5491936ae01911083c8a240a1129db656

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
523d65463eebfe6d3726b5fd15b38baa

SHA1
a62ad97078aa46fc0dbe90370ea5617709bac4e7

SHA256
dcce267e185ff56b61f6edd050bf1f376341e28413610af47e6ce2db8220729d

SHA512
aa7dbe8efc4ad78d0712b4ec21f4144aea900680a55d319a3f43fdee1f5fe2826d347a4d2d192c58afe862d9468bb0220ad4d0dd4665d9434f5257025ecb03cf

Download Submit
C:\Users\Admin\Music\WmiPrvSE.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Users\Admin\Music\WmiPrvSE.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
memory/268-200-0x0000000000000000-mapping.dmp

Download
memory/1868-201-0x0000000000000000-mapping.dmp

Download
memory/1980-75-0x000000001AA70000-0x000000001AA7C000-memory.dmp

Filesize
48KB

Download
memory/1980-60-0x0000000000930000-0x0000000000938000-memory.dmp

Filesize
32KB

Download
memory/1980-54-0x0000000000040000-0x0000000000346000-memory.dmp

Filesize
3.0MB

Download
memory/1980-55-0x00000000008D0000-0x00000000008DE000-memory.dmp

Filesize
56KB

Download
memory/1980-56-0x00000000008E0000-0x00000000008EE000-memory.dmp

Filesize
56KB

Download
memory/1980-57-0x0000000000900000-0x000000000091C000-memory.dmp

Filesize
112KB

Download
memory/1980-58-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/1980-59-0x00000000020E0000-0x00000000020F6000-memory.dmp

Filesize
88KB

Download
memory/1980-77-0x000000001AE60000-0x000000001AE6C000-memory.dmp

Filesize
48KB

Download
memory/1980-61-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/1980-62-0x0000000002110000-0x000000000211A000-memory.dmp

Filesize
40KB

Download
memory/1980-63-0x0000000002330000-0x0000000002386000-memory.dmp

Filesize
344KB

Download
memory/1980-64-0x0000000002120000-0x000000000212C000-memory.dmp

Filesize
48KB

Download
memory/1980-65-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/1980-76-0x000000001AE50000-0x000000001AE5A000-memory.dmp

Filesize
40KB

Download
memory/1980-66-0x0000000002180000-0x0000000002192000-memory.dmp

Filesize
72KB

Download
memory/1980-67-0x0000000002190000-0x000000000219A000-memory.dmp

Filesize
40KB

Download
memory/1980-74-0x000000001AA60000-0x000000001AA68000-memory.dmp

Filesize
32KB

Download
memory/1980-73-0x000000001AA50000-0x000000001AA5E000-memory.dmp

Filesize
56KB

Download
memory/1980-72-0x000000001AA40000-0x000000001AA48000-memory.dmp

Filesize
32KB

Download
memory/1980-68-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/1980-71-0x00000000023D0000-0x00000000023DE000-memory.dmp

Filesize
56KB

Download
memory/1980-70-0x00000000023C0000-0x00000000023CA000-memory.dmp

Filesize
40KB

Download
memory/1980-69-0x00000000023B0000-0x00000000023BC000-memory.dmp

Filesize
48KB

Download
memory/2328-78-0x0000000000000000-mapping.dmp

Download
memory/2328-151-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2328-162-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/2328-87-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/2328-94-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2328-185-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/2328-186-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/2340-168-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/2340-209-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/2340-155-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2340-191-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/2340-134-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2340-79-0x0000000000000000-mapping.dmp

Download
memory/2360-143-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2360-183-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/2360-80-0x0000000000000000-mapping.dmp

Download
memory/2360-161-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/2360-148-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2380-131-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2380-192-0x0000000001FB4000-0x0000000001FB7000-memory.dmp

Filesize
12KB

Download
memory/2380-81-0x0000000000000000-mapping.dmp

Download
memory/2380-169-0x0000000001FB4000-0x0000000001FB7000-memory.dmp

Filesize
12KB

Download
memory/2380-156-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2380-208-0x000000001B940000-0x000000001BC3F000-memory.dmp

Filesize
3.0MB

Download
memory/2396-124-0x0000000000000000-mapping.dmp

Download
memory/2400-187-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/2400-136-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2400-206-0x000000001B9E0000-0x000000001BCDF000-memory.dmp

Filesize
3.0MB

Download
memory/2400-82-0x0000000000000000-mapping.dmp

Download
memory/2400-163-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/2432-83-0x0000000000000000-mapping.dmp

Download
memory/2432-189-0x0000000002264000-0x0000000002267000-memory.dmp

Filesize
12KB

Download
memory/2432-205-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

Filesize
3.0MB

Download
memory/2432-135-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2432-153-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2432-165-0x0000000002264000-0x0000000002267000-memory.dmp

Filesize
12KB

Download
memory/2456-179-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2456-141-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2456-84-0x0000000000000000-mapping.dmp

Download
memory/2456-197-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2456-174-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2476-142-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2476-85-0x0000000000000000-mapping.dmp

Download
memory/2476-213-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/2476-172-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2476-222-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/2476-195-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2476-160-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2476-224-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2488-86-0x0000000000000000-mapping.dmp

Download
memory/2488-220-0x000000000277B000-0x000000000279A000-memory.dmp

Filesize
124KB

Download
memory/2488-219-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2488-145-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2488-194-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2488-184-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/2488-159-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2488-171-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2528-88-0x0000000000000000-mapping.dmp

Download
memory/2576-223-0x00000000027CB000-0x00000000027EA000-memory.dmp

Filesize
124KB

Download
memory/2576-199-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/2576-221-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/2576-181-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2576-158-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2576-176-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/2576-91-0x0000000000000000-mapping.dmp

Download
memory/2644-170-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2644-157-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2644-215-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/2644-146-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2644-193-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2644-95-0x0000000000000000-mapping.dmp

Download
memory/2664-216-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/2664-96-0x0000000000000000-mapping.dmp

Download
memory/2664-198-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2664-175-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2664-180-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2664-147-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2688-138-0x0000000000000000-mapping.dmp

Download
memory/2688-167-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download
memory/2688-140-0x00000000008E0000-0x0000000000BE6000-memory.dmp

Filesize
3.0MB

Download
memory/2692-210-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/2692-173-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/2692-178-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2692-196-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/2692-97-0x0000000000000000-mapping.dmp

Download
memory/2692-144-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2712-98-0x0000000000000000-mapping.dmp

Download
memory/2712-211-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/2712-149-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2712-177-0x0000000002694000-0x0000000002697000-memory.dmp

Filesize
12KB

Download
memory/2712-202-0x0000000002694000-0x0000000002697000-memory.dmp

Filesize
12KB

Download
memory/2712-182-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2732-188-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/2732-207-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/2732-152-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2732-164-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/2732-99-0x0000000000000000-mapping.dmp

Download
memory/2752-133-0x000007FEEAE70000-0x000007FEEB893000-memory.dmp

Filesize
10.1MB

Download
memory/2752-190-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/2752-166-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/2752-154-0x000007FEE9A80000-0x000007FEEA5DD000-memory.dmp

Filesize
11.4MB

Download
memory/2752-100-0x0000000000000000-mapping.dmp

Download
memory/2868-106-0x0000000000000000-mapping.dmp

Download