dcrat | 66faa0ab77f8471078f93a7d389f95ddffd4b5fc6abf7f79fee3f1dd9a70a5b7

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2023 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6694ce753703a4ea040569e562d11db.exe
Size

8.3MB
MD5

a6694ce753703a4ea040569e562d11db
SHA1

fc04eaf80dbd392d764ed0944e3fbae77061e143
SHA256

66faa0ab77f8471078f93a7d389f95ddffd4b5fc6abf7f79fee3f1dd9a70a5b7
SHA512

264680369ad9612e5ddc5ca5d83f7ffbc5b99aa4319178e2a1d02fa5f464edce181445239feb12403f9f69d8216d46fa4ef900a9996ea204190432be3d01002b
SSDEEP

196608:/BbOQL+V2yoqdQmRrdA6lsuErSEEJwdF6OrtYPXk0:Zr+oy9dQOls+9JOrt8

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	1044	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	1044	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\INST.exe	dcrat
C:\comsurrogateHost\WinHost.exe	dcrat
C:\comsurrogateHost\WinHost.exe	dcrat
behavioral2/memory/3800-150-0x0000000000E50000-0x0000000001012000-memory.dmp	dcrat
C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe	dcrat
C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinHost.exeINST.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WinHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	INST.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

Processes:

INST.exeWinHost.exeOfficeClickToRun.exe

pid process

2164 INST.exe
3800 WinHost.exe
2276 OfficeClickToRun.exe
Loads dropped DLL 2 IoCs

Processes:

a6694ce753703a4ea040569e562d11db.exe

pid process

3848 a6694ce753703a4ea040569e562d11db.exe
3848 a6694ce753703a4ea040569e562d11db.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2164	INST.exe
3800	WinHost.exe
2276	OfficeClickToRun.exe

pid	process
3848	a6694ce753703a4ea040569e562d11db.exe
3848	a6694ce753703a4ea040569e562d11db.exe

Drops file in Program Files directory 14 IoCs

Processes:

WinHost.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\e1ef82546f0b02	WinHost.exe
File created	C:\Program Files\Common Files\services.exe	WinHost.exe
File created	C:\Program Files\Windows Security\dllhost.exe	WinHost.exe
File created	C:\Program Files (x86)\Windows Mail\WinHost.exe	WinHost.exe
File created	C:\Program Files (x86)\Windows Mail\25c003d51b4a56	WinHost.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\smss.exe	WinHost.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\spoolsv.exe	WinHost.exe
File created	C:\Program Files\Windows Security\5940a34987c991	WinHost.exe
File created	C:\Program Files\Common Files\c5b4cb5e9653cc	WinHost.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\69ddcba757bf72	WinHost.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\f3b6ecef712a24	WinHost.exe
File created	C:\Program Files (x86)\Adobe\SppExtComObj.exe	WinHost.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe	WinHost.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\e6c9b481da804f	WinHost.exe

Drops file in Windows directory 3 IoCs

Processes:

WinHost.exe

description	ioc	process
File created	C:\Windows\bcastdvr\sppsvc.exe	WinHost.exe
File opened for modification	C:\Windows\bcastdvr\sppsvc.exe	WinHost.exe
File created	C:\Windows\bcastdvr\0a1fd5f707cd16	WinHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4140	schtasks.exe
4268	schtasks.exe
4384	schtasks.exe
3704	schtasks.exe
4356	schtasks.exe
2172	schtasks.exe
2260	schtasks.exe
4520	schtasks.exe
884	schtasks.exe
1960	schtasks.exe
1332	schtasks.exe
632	schtasks.exe
4380	schtasks.exe
2768	schtasks.exe
4116	schtasks.exe
3748	schtasks.exe
2316	schtasks.exe
3756	schtasks.exe
1264	schtasks.exe
4908	schtasks.exe
1140	schtasks.exe
1616	schtasks.exe
5052	schtasks.exe
2544	schtasks.exe
3432	schtasks.exe
1508	schtasks.exe
1168	schtasks.exe
1360	schtasks.exe
516	schtasks.exe
2076	schtasks.exe
4440	schtasks.exe
4408	schtasks.exe
4124	schtasks.exe
3048	schtasks.exe
4412	schtasks.exe
680	schtasks.exe
3424	schtasks.exe
4904	schtasks.exe
4664	schtasks.exe
3148	schtasks.exe
3620	schtasks.exe
4052	schtasks.exe
1732	schtasks.exe
4896	schtasks.exe
2104	schtasks.exe
852	schtasks.exe
1664	schtasks.exe
396	schtasks.exe
1992	schtasks.exe
3104	schtasks.exe
3548	schtasks.exe
4636	schtasks.exe
3420	schtasks.exe
4484	schtasks.exe

Modifies registry class 1 IoCs

Processes:

INST.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings INST.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	INST.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WinHost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOfficeClickToRun.exe

pid	process
3800	WinHost.exe
4948	powershell.exe
4948	powershell.exe
3032	powershell.exe
3032	powershell.exe
2396	powershell.exe
2396	powershell.exe
3428	powershell.exe
3428	powershell.exe
4544	powershell.exe
4544	powershell.exe
1744	powershell.exe
1744	powershell.exe
4560	powershell.exe
4560	powershell.exe
2640	powershell.exe
2640	powershell.exe
2680	powershell.exe
2680	powershell.exe
3004	powershell.exe
3004	powershell.exe
3916	powershell.exe
3916	powershell.exe
1300	powershell.exe
1300	powershell.exe
2544	powershell.exe
2544	powershell.exe
4384	powershell.exe
4384	powershell.exe
176	powershell.exe
176	powershell.exe
1344	powershell.exe
1344	powershell.exe
3880	powershell.exe
3880	powershell.exe
5000	powershell.exe
5000	powershell.exe
4940	powershell.exe
4940	powershell.exe
4948	powershell.exe
4948	powershell.exe
2396	powershell.exe
2396	powershell.exe
3032	powershell.exe
3032	powershell.exe
3428	powershell.exe
3428	powershell.exe
4544	powershell.exe
4544	powershell.exe
1744	powershell.exe
1744	powershell.exe
2640	powershell.exe
2640	powershell.exe
4560	powershell.exe
4560	powershell.exe
2276	OfficeClickToRun.exe
2276	OfficeClickToRun.exe
3004	powershell.exe
2680	powershell.exe
2680	powershell.exe
3916	powershell.exe
2544	powershell.exe
1300	powershell.exe
1344	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3800	WinHost.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	176	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	2276	OfficeClickToRun.exe
Token: SeDebugPrivilege	4940	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

2276 OfficeClickToRun.exe

pid	process
2276	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

a6694ce753703a4ea040569e562d11db.exea6694ce753703a4ea040569e562d11db.execmd.exeINST.exeWScript.execmd.exeWinHost.exe

description	pid	process	target process
PID 3640 wrote to memory of 3848	3640	a6694ce753703a4ea040569e562d11db.exe	a6694ce753703a4ea040569e562d11db.exe
PID 3640 wrote to memory of 3848	3640	a6694ce753703a4ea040569e562d11db.exe	a6694ce753703a4ea040569e562d11db.exe
PID 3848 wrote to memory of 4732	3848	a6694ce753703a4ea040569e562d11db.exe	cmd.exe
PID 3848 wrote to memory of 4732	3848	a6694ce753703a4ea040569e562d11db.exe	cmd.exe
PID 3848 wrote to memory of 3516	3848	a6694ce753703a4ea040569e562d11db.exe	cmd.exe
PID 3848 wrote to memory of 3516	3848	a6694ce753703a4ea040569e562d11db.exe	cmd.exe
PID 3516 wrote to memory of 2164	3516	cmd.exe	INST.exe
PID 3516 wrote to memory of 2164	3516	cmd.exe	INST.exe
PID 3516 wrote to memory of 2164	3516	cmd.exe	INST.exe
PID 2164 wrote to memory of 3328	2164	INST.exe	WScript.exe
PID 2164 wrote to memory of 3328	2164	INST.exe	WScript.exe
PID 2164 wrote to memory of 3328	2164	INST.exe	WScript.exe
PID 3328 wrote to memory of 1108	3328	WScript.exe	cmd.exe
PID 3328 wrote to memory of 1108	3328	WScript.exe	cmd.exe
PID 3328 wrote to memory of 1108	3328	WScript.exe	cmd.exe
PID 1108 wrote to memory of 3800	1108	cmd.exe	WinHost.exe
PID 1108 wrote to memory of 3800	1108	cmd.exe	WinHost.exe
PID 3800 wrote to memory of 3032	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 3032	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 4948	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 4948	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 3428	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 3428	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 2396	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 2396	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 4544	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 4544	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 1744	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 1744	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 4560	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 4560	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 2640	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 2640	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 2680	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 2680	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 3004	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 3004	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 3916	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 3916	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 1300	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 1300	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 2544	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 2544	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 4384	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 4384	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 176	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 176	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 1344	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 1344	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 3880	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 3880	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 5000	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 5000	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 4940	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 4940	3800	WinHost.exe	powershell.exe
PID 3800 wrote to memory of 2276	3800	WinHost.exe	OfficeClickToRun.exe
PID 3800 wrote to memory of 2276	3800	WinHost.exe	OfficeClickToRun.exe

C:\Users\Admin\AppData\Local\Temp\a6694ce753703a4ea040569e562d11db.exe
"C:\Users\Admin\AppData\Local\Temp\a6694ce753703a4ea040569e562d11db.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\AppData\Local\Temp\a6694ce753703a4ea040569e562d11db.exe
"C:\Users\Admin\AppData\Local\Temp\a6694ce753703a4ea040569e562d11db.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SYSTEM32\cmd.exe
cmd /c echo %temp%
3⤵
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Local\Temp\INST.exe
C:\Users\Admin\AppData\Local\Temp\INST.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comsurrogateHost\5T5j9r4zEzAvnCyslVcDEvRSsEppj.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comsurrogateHost\EZiocTqBNGws3mZhoVDMTtEuY.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\comsurrogateHost\WinHost.exe
"C:\comsurrogateHost\WinHost.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\comsurrogateHost\WinHost.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\sppsvc.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\services.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\comsurrogateHost\taskhostw.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\SearchApp.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\dllhost.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\SppExtComObj.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\spoolsv.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\dllhost.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\WinHost.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\backgroundTaskHost.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe
"C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\comsurrogateHost\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\comsurrogateHost\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\comsurrogateHost\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Music\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinHostW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\WinHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\WinHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinHostW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\WinHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe
Filesize
1.7MB

MD5
c136d0999730855ecdb87e11dc9121eb

SHA1
c85cbbb4f2b2404a0e792e362cc1c4cb000e13a4

SHA256
b7017260816d0314e2f698308722678015dae9a5398aee03890ac1081495b02c

SHA512
d7e8af79488c0d3a3df51d5b2db691c7187d86bd2652fbf688e8801057a4fc57e1bc5da5c7e7ca4e7e97b07d444f0bde2e4a4eaa2a1c7360f93210d9cbc2bf07

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\OfficeClickToRun.exe
Filesize
1.7MB

MD5
c136d0999730855ecdb87e11dc9121eb

SHA1
c85cbbb4f2b2404a0e792e362cc1c4cb000e13a4

SHA256
b7017260816d0314e2f698308722678015dae9a5398aee03890ac1081495b02c

SHA512
d7e8af79488c0d3a3df51d5b2db691c7187d86bd2652fbf688e8801057a4fc57e1bc5da5c7e7ca4e7e97b07d444f0bde2e4a4eaa2a1c7360f93210d9cbc2bf07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe
Filesize
2.0MB

MD5
9b38c248adf55ae32ebe2110697149a1

SHA1
722d82bdad399dc4413db09e13af6a473bf67224

SHA256
3158212ae957d8ff8d4476843dc576be190d25755a84e7b0bebe6e838ca62fe0

SHA512
eb267f5b0a2b2e431d45e6201f2f776ef35efe67be09b0a83d345fdba8da2da0c03625763309686e97b536bedb6eb96fd363139649c8db1cd2e0b6f7cf4c4f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe
Filesize
2.0MB

MD5
9b38c248adf55ae32ebe2110697149a1

SHA1
722d82bdad399dc4413db09e13af6a473bf67224

SHA256
3158212ae957d8ff8d4476843dc576be190d25755a84e7b0bebe6e838ca62fe0

SHA512
eb267f5b0a2b2e431d45e6201f2f776ef35efe67be09b0a83d345fdba8da2da0c03625763309686e97b536bedb6eb96fd363139649c8db1cd2e0b6f7cf4c4f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36402\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36402\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36402\base_library.zip
Filesize
1.7MB

MD5
c6b150f2eca4eec01765bdae9a78e097

SHA1
1eaf2a18863af05d4f8183978ea6ecadd21ed3de

SHA256
b8e074772e3f8203de0e4313ac274de4d4e5b5e847a3fe3dc4171413ea2a4502

SHA512
697cdcd1f23cf67683836cca593df643f3f2d3f139fdbf86bf990bd7c29a6721d8199fbff491cb234d2fb65bcd4f32f07796b8b522b895a52095d17628beb846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36402\python311.dll
Filesize
5.5MB

MD5
a72993488cecd88b3e19487d646f88f6

SHA1
5d359f4121e0be04a483f9ad1d8203ffc958f9a0

SHA256
aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038

SHA512
c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36402\python311.dll
Filesize
5.5MB

MD5
a72993488cecd88b3e19487d646f88f6

SHA1
5d359f4121e0be04a483f9ad1d8203ffc958f9a0

SHA256
aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038

SHA512
c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

Download Submit
C:\comsurrogateHost\5T5j9r4zEzAvnCyslVcDEvRSsEppj.vbe
Filesize
218B

MD5
5932056a7718e9fbe0f788b39222f2c6

SHA1
a045d205da4cc9afbff6f2f93b57d06d703c3e25

SHA256
a924d6d53f234f63d4807f1832de148db799cd08c3eee09dd67e5cb8f371bdc9

SHA512
516364207e8723ce908563db5f6dd5b34c592701a9d25742aa54f2ba860243c02fb77e5a857bd9553d3ca1dc208e5431f3071e15cfedf275ed26dc8ba8554fdb

Download Submit
C:\comsurrogateHost\EZiocTqBNGws3mZhoVDMTtEuY.bat
Filesize
33B

MD5
0a2e8e338a22af24449b258939a8d77e

SHA1
c165a9a21e639cb6247f25e62dcd45a959a10b28

SHA256
15b877434652c496b6d610322a838d9c7f88dbebb0dced6926fb1b7967e2f075

SHA512
92fc7550c2764fd5661b67f7083c0152bcd93229da57f7d3159629af2649dc450f476a40d48ff66c3ad7a4257486481bfeaf281aab7d61838c36511f462b27ff

Download Submit
C:\comsurrogateHost\WinHost.exe
Filesize
1.7MB

MD5
c136d0999730855ecdb87e11dc9121eb

SHA1
c85cbbb4f2b2404a0e792e362cc1c4cb000e13a4

SHA256
b7017260816d0314e2f698308722678015dae9a5398aee03890ac1081495b02c

SHA512
d7e8af79488c0d3a3df51d5b2db691c7187d86bd2652fbf688e8801057a4fc57e1bc5da5c7e7ca4e7e97b07d444f0bde2e4a4eaa2a1c7360f93210d9cbc2bf07

Download Submit
C:\comsurrogateHost\WinHost.exe
Filesize
1.7MB

MD5
c136d0999730855ecdb87e11dc9121eb

SHA1
c85cbbb4f2b2404a0e792e362cc1c4cb000e13a4

SHA256
b7017260816d0314e2f698308722678015dae9a5398aee03890ac1081495b02c

SHA512
d7e8af79488c0d3a3df51d5b2db691c7187d86bd2652fbf688e8801057a4fc57e1bc5da5c7e7ca4e7e97b07d444f0bde2e4a4eaa2a1c7360f93210d9cbc2bf07

Download Submit
memory/176-168-0x0000000000000000-mapping.dmp

Download
memory/176-235-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/176-190-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/1108-146-0x0000000000000000-mapping.dmp

Download
memory/1300-226-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/1300-165-0x0000000000000000-mapping.dmp

Download
memory/1300-195-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/1344-191-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/1344-169-0x0000000000000000-mapping.dmp

Download
memory/1344-225-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/1744-210-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/1744-183-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/1744-159-0x0000000000000000-mapping.dmp

Download
memory/2164-140-0x0000000000000000-mapping.dmp

Download
memory/2276-176-0x0000000000000000-mapping.dmp

Download
memory/2276-236-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/2276-196-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/2396-203-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/2396-179-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/2396-157-0x0000000000000000-mapping.dmp

Download
memory/2544-166-0x0000000000000000-mapping.dmp

Download
memory/2544-234-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/2544-188-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/2640-185-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/2640-161-0x0000000000000000-mapping.dmp

Download
memory/2640-208-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/2680-217-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/2680-162-0x0000000000000000-mapping.dmp

Download
memory/2680-194-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3004-216-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3004-186-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3004-163-0x0000000000000000-mapping.dmp

Download
memory/3032-198-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3032-154-0x0000000000000000-mapping.dmp

Download
memory/3032-174-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3328-143-0x0000000000000000-mapping.dmp

Download
memory/3428-205-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3428-181-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3428-156-0x0000000000000000-mapping.dmp

Download
memory/3516-139-0x0000000000000000-mapping.dmp

Download
memory/3800-150-0x0000000000E50000-0x0000000001012000-memory.dmp

Filesize
1.8MB

Download
memory/3800-153-0x000000001DF30000-0x000000001E458000-memory.dmp

Filesize
5.2MB

Download
memory/3800-180-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3800-151-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3800-147-0x0000000000000000-mapping.dmp

Download
memory/3800-152-0x000000001D130000-0x000000001D180000-memory.dmp

Filesize
320KB

Download
memory/3848-132-0x0000000000000000-mapping.dmp

Download
memory/3880-171-0x0000000000000000-mapping.dmp

Download
memory/3880-192-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3880-229-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3916-187-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3916-219-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/3916-164-0x0000000000000000-mapping.dmp

Download
memory/4384-167-0x0000000000000000-mapping.dmp

Download
memory/4384-224-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/4384-189-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/4544-158-0x0000000000000000-mapping.dmp

Download
memory/4544-211-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/4544-182-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/4560-160-0x0000000000000000-mapping.dmp

Download
memory/4560-215-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/4560-184-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/4732-138-0x0000000000000000-mapping.dmp

Download
memory/4940-173-0x0000000000000000-mapping.dmp

Download
memory/4940-197-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/4940-232-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/4948-170-0x000001BA757F0000-0x000001BA75812000-memory.dmp

Filesize
136KB

Download
memory/4948-175-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/4948-202-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/4948-155-0x0000000000000000-mapping.dmp

Download
memory/5000-172-0x0000000000000000-mapping.dmp

Download
memory/5000-230-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download
memory/5000-193-0x00007FFD83180000-0x00007FFD83C41000-memory.dmp

Filesize
10.8MB

Download