dcrat | bfe4b2b5b1b9c2e8253848be27b277f1daf99314ff0ac964dc595bdef841a6c3

Analysis

max time kernel
41s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-01-2023 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ou6mS40OHrkbwQiM7ccaR.exe
Size

2.4MB
MD5

4ceeb0d068653ada01e702ba61dfdb7f
SHA1

0e09a416c381e657f39af975f259d09da0324300
SHA256

bfe4b2b5b1b9c2e8253848be27b277f1daf99314ff0ac964dc595bdef841a6c3
SHA512

798904e3ef1ef5f898185577c2dc15dd8872f4e70f638f8f94f90846ac11eecbad72d843406512863d58a882df8ad40c02ad2d9daa6289f3c46fff724f5f1b73
SSDEEP

24576:1RNpngHRc5DYZYLUsZ9p48N41XMFBDeQzC/tqELdO0U7TBd1X/SQOvjASm:PPDvx94V0eQuPdmJdV/J

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1736	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1736	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Ou6mS40OHrkbwQiM7ccaR.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ou6mS40OHrkbwQiM7ccaR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Ou6mS40OHrkbwQiM7ccaR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Ou6mS40OHrkbwQiM7ccaR.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1228-54-0x00000000012A0000-0x000000000150A000-memory.dmp	dcrat

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Ou6mS40OHrkbwQiM7ccaR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ou6mS40OHrkbwQiM7ccaR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ou6mS40OHrkbwQiM7ccaR.exe

Drops file in Program Files directory 20 IoCs

Processes:

Ou6mS40OHrkbwQiM7ccaR.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\en-US\RCX9EC1.tmp	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\Idle.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Program Files (x86)\MSBuild\explorer.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Program Files (x86)\MSBuild\dwm.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Program Files\Uninstall Information\6cb0b6c459d5d3	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX3EAB.tmp	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX5AD6.tmp	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX700E.tmp	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Program Files (x86)\MSBuild\6cb0b6c459d5d3	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Program Files\Windows Defender\en-US\6ccacd8608530f	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Program Files (x86)\MSBuild\explorer.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Program Files\Uninstall Information\dwm.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Program Files\Windows Defender\en-US\Idle.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Program Files (x86)\MSBuild\dwm.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Program Files (x86)\MSBuild\7a0fd90576e088	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Program Files\Uninstall Information\dwm.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX8277.tmp	Ou6mS40OHrkbwQiM7ccaR.exe

Drops file in Windows directory 12 IoCs

Processes:

Ou6mS40OHrkbwQiM7ccaR.exe

description	ioc	process
File opened for modification	C:\Windows\IME\ja-JP\WmiPrvSE.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Windows\Vss\RCX909C.tmp	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Windows\de-DE\WMIADAP.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Windows\IME\ja-JP\24dbde2999530e	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Windows\de-DE\WMIADAP.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Windows\Vss\886983d96e3d3e	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Windows\de-DE\75a57c1bdf437c	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Windows\IME\ja-JP\RCX68FB.tmp	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Windows\Vss\csrss.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File opened for modification	C:\Windows\de-DE\RCX97AF.tmp	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Windows\IME\ja-JP\WmiPrvSE.exe	Ou6mS40OHrkbwQiM7ccaR.exe
File created	C:\Windows\Vss\csrss.exe	Ou6mS40OHrkbwQiM7ccaR.exe

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1048	schtasks.exe
1324	schtasks.exe
2136	schtasks.exe
2160	schtasks.exe
620	schtasks.exe
1984	schtasks.exe
1416	schtasks.exe
1076	schtasks.exe
796	schtasks.exe
2224	schtasks.exe
1680	schtasks.exe
1132	schtasks.exe
316	schtasks.exe
2372	schtasks.exe
1620	schtasks.exe
1380	schtasks.exe
2072	schtasks.exe
1172	schtasks.exe
1288	schtasks.exe
1268	schtasks.exe
2244	schtasks.exe
1688	schtasks.exe
2024	schtasks.exe
1744	schtasks.exe
1600	schtasks.exe
656	schtasks.exe
2344	schtasks.exe
1632	schtasks.exe
676	schtasks.exe
320	schtasks.exe
2264	schtasks.exe
2180	schtasks.exe
2116	schtasks.exe
1964	schtasks.exe
1352	schtasks.exe
2016	schtasks.exe
964	schtasks.exe
1964	schtasks.exe
1212	schtasks.exe
1304	schtasks.exe
2284	schtasks.exe
1552	schtasks.exe
1484	schtasks.exe
2304	schtasks.exe
540	schtasks.exe
1320	schtasks.exe
1800	schtasks.exe
108	schtasks.exe
1152	schtasks.exe
2204	schtasks.exe
560	schtasks.exe
1708	schtasks.exe
2328	schtasks.exe
2092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Ou6mS40OHrkbwQiM7ccaR.exe

pid	process
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe
1228	Ou6mS40OHrkbwQiM7ccaR.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Ou6mS40OHrkbwQiM7ccaR.exe

description pid process

Token: SeDebugPrivilege 1228 Ou6mS40OHrkbwQiM7ccaR.exe

description	pid	process
Token: SeDebugPrivilege	1228	Ou6mS40OHrkbwQiM7ccaR.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

Ou6mS40OHrkbwQiM7ccaR.exe

description	pid	process	target process
PID 1228 wrote to memory of 2420	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2420	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2420	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2432	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2432	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2432	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2444	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2444	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2444	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2472	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2472	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2472	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2488	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2488	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2488	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2524	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2524	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2524	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2536	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2536	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2536	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2580	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2580	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2580	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2592	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2592	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2592	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2652	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2652	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2652	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2664	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2664	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2664	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2712	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2712	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2712	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2724	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2724	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2724	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2760	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2760	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2760	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2780	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2780	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2780	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2964	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2964	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2964	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2068	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2068	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe
PID 1228 wrote to memory of 2068	1228	Ou6mS40OHrkbwQiM7ccaR.exe	powershell.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Ou6mS40OHrkbwQiM7ccaR.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ou6mS40OHrkbwQiM7ccaR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Ou6mS40OHrkbwQiM7ccaR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Ou6mS40OHrkbwQiM7ccaR.exe

C:\Users\Admin\AppData\Local\Temp\Ou6mS40OHrkbwQiM7ccaR.exe
"C:\Users\Admin\AppData\Local\Temp\Ou6mS40OHrkbwQiM7ccaR.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ou6mS40OHrkbwQiM7ccaR.exe'
2⤵
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\smss.exe'
2⤵
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
2⤵
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
2⤵
PID:2472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\explorer.exe'
2⤵
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'
2⤵
PID:2524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'
2⤵
PID:2536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\wininit.exe'
2⤵
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\dwm.exe'
2⤵
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'
2⤵
PID:2652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\ja-JP\WmiPrvSE.exe'
2⤵
PID:2664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dwm.exe'
2⤵
PID:2712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\spoolsv.exe'
2⤵
PID:2724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\wininit.exe'
2⤵
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'
2⤵
PID:2780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\csrss.exe'
2⤵
PID:2964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\csrss.exe'
2⤵
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\IME\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f782aacb1f88bb95fe68277195b72ef

SHA1
ada0d46deab671cfec00340fad3c00be829403f0

SHA256
7ffba331a3cd661918b57983589c26c2d37bfc24590e5a031769e9ced4282c75

SHA512
281a868a69b8f6149f29600c0421eee442cde828fd548496c09e3af8356bd693b7a88f23d1fa33af809e0451b15a561ce0a1128e20f4dd3bf62e9c24bcc3362c

Download Submit
memory/1228-67-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/1228-65-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/1228-70-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/1228-71-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/1228-72-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/1228-73-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/1228-74-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/1228-75-0x000000001B006000-0x000000001B025000-memory.dmp

Filesize
124KB

Download
memory/1228-76-0x000000001B006000-0x000000001B025000-memory.dmp

Filesize
124KB

Download
memory/1228-59-0x00000000006B0000-0x00000000006C6000-memory.dmp

Filesize
88KB

Download
memory/1228-69-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/1228-54-0x00000000012A0000-0x000000000150A000-memory.dmp

Filesize
2.4MB

Download
memory/1228-60-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/1228-55-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/1228-61-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/1228-62-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/1228-63-0x0000000000C70000-0x0000000000CC6000-memory.dmp

Filesize
344KB

Download
memory/1228-56-0x0000000000680000-0x000000000069C000-memory.dmp

Filesize
112KB

Download
memory/1228-64-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/1228-58-0x00000000006A0000-0x00000000006B0000-memory.dmp

Filesize
64KB

Download
memory/1228-57-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1228-66-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/1228-68-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/2068-113-0x0000000000000000-mapping.dmp

Download
memory/2420-98-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2420-196-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/2420-192-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/2420-144-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/2420-181-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/2420-84-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download
memory/2420-139-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2420-172-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/2420-77-0x0000000000000000-mapping.dmp

Download
memory/2432-78-0x0000000000000000-mapping.dmp

Download
memory/2432-194-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/2432-106-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2432-145-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/2432-141-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2444-79-0x0000000000000000-mapping.dmp

Download
memory/2444-175-0x000000001B960000-0x000000001BC5F000-memory.dmp

Filesize
3.0MB

Download
memory/2444-193-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/2444-185-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/2444-157-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2444-189-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2444-127-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2444-168-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2472-80-0x0000000000000000-mapping.dmp

Download
memory/2472-179-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/2472-151-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/2472-135-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2472-165-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2488-128-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2488-209-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2488-81-0x0000000000000000-mapping.dmp

Download
memory/2488-169-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/2488-142-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2488-146-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2488-186-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/2524-158-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2524-156-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/2524-82-0x0000000000000000-mapping.dmp

Download
memory/2524-126-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2536-180-0x00000000026AB000-0x00000000026CA000-memory.dmp

Filesize
124KB

Download
memory/2536-160-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2536-207-0x00000000026AB000-0x00000000026CA000-memory.dmp

Filesize
124KB

Download
memory/2536-148-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/2536-134-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2536-83-0x0000000000000000-mapping.dmp

Download
memory/2536-171-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/2536-205-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/2580-150-0x0000000001E40000-0x0000000001EC0000-memory.dmp

Filesize
512KB

Download
memory/2580-85-0x0000000000000000-mapping.dmp

Download
memory/2580-133-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2580-161-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2592-130-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2592-187-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/2592-86-0x0000000000000000-mapping.dmp

Download
memory/2592-197-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2592-163-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2592-149-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2592-199-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/2592-170-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/2652-159-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2652-147-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/2652-88-0x0000000000000000-mapping.dmp

Download
memory/2652-131-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2652-191-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/2664-174-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/2664-155-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/2664-89-0x0000000000000000-mapping.dmp

Download
memory/2664-140-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2664-167-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2664-203-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/2664-184-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/2664-201-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/2712-91-0x0000000000000000-mapping.dmp

Download
memory/2712-137-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2712-164-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2712-195-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/2712-153-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2724-92-0x0000000000000000-mapping.dmp

Download
memory/2760-166-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2760-152-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/2760-188-0x000000000237B000-0x000000000239A000-memory.dmp

Filesize
124KB

Download
memory/2760-136-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2760-177-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/2760-200-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/2760-198-0x000000000237B000-0x000000000239A000-memory.dmp

Filesize
124KB

Download
memory/2760-93-0x0000000000000000-mapping.dmp

Download
memory/2780-154-0x0000000001FD4000-0x0000000001FD7000-memory.dmp

Filesize
12KB

Download
memory/2780-183-0x0000000001FDB000-0x0000000001FFA000-memory.dmp

Filesize
124KB

Download
memory/2780-162-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2780-173-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/2780-99-0x0000000000000000-mapping.dmp

Download
memory/2780-129-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download
memory/2780-206-0x0000000001FD4000-0x0000000001FD7000-memory.dmp

Filesize
12KB

Download
memory/2780-208-0x0000000001FDB000-0x0000000001FFA000-memory.dmp

Filesize
124KB

Download
memory/2964-202-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/2964-109-0x0000000000000000-mapping.dmp

Download
memory/2964-176-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

Filesize
3.0MB

Download
memory/2964-138-0x000007FEEA250000-0x000007FEEADAD000-memory.dmp

Filesize
11.4MB

Download
memory/2964-190-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/2964-143-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/2964-204-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/2964-132-0x000007FEEADB0000-0x000007FEEB7D3000-memory.dmp

Filesize
10.1MB

Download