dcrat | 2cff51e97b61784f02110140f5e30ad8787dff2014ca7640ee2a7ead24ce06ce

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44854b7cb963dbbf3f94b460d361d790N.exe
Size

4.9MB
MD5

44854b7cb963dbbf3f94b460d361d790
SHA1

70c03c7172ee5086aa3cc63aa195c19169156758
SHA256

2cff51e97b61784f02110140f5e30ad8787dff2014ca7640ee2a7ead24ce06ce
SHA512

b26719d0506f2346de3f7f8af01cd0a6339272e759705e331ea195c172a176daa29e29b4c5918ccb92170ca1a7b790b23a26c1536b850c99a43c508a38e9c5ec
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2200	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2200	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	44854b7cb963dbbf3f94b460d361d790N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	44854b7cb963dbbf3f94b460d361d790N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	44854b7cb963dbbf3f94b460d361d790N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2128-2-0x000000001BA60000-0x000000001BB8E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1980	powershell.exe
1284	powershell.exe
2444	powershell.exe
2948	powershell.exe
1624	powershell.exe
816	powershell.exe
1492	powershell.exe
1384	powershell.exe
1880	powershell.exe
1544	powershell.exe
1160	powershell.exe
2496	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
1156	wininit.exe
2396	wininit.exe
2472	wininit.exe
1972	wininit.exe
544	wininit.exe
1364	wininit.exe
2652	wininit.exe
2676	wininit.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	44854b7cb963dbbf3f94b460d361d790N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	44854b7cb963dbbf3f94b460d361d790N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\fr-FR\6ccacd8608530f	44854b7cb963dbbf3f94b460d361d790N.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe	44854b7cb963dbbf3f94b460d361d790N.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\5940a34987c991	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RCXDF36.tmp	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCXD68B.tmp	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe	44854b7cb963dbbf3f94b460d361d790N.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\Idle.exe	44854b7cb963dbbf3f94b460d361d790N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe	44854b7cb963dbbf3f94b460d361d790N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\24dbde2999530e	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXC86F.tmp	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\Idle.exe	44854b7cb963dbbf3f94b460d361d790N.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\sppsvc.exe	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Windows\Media\Garden\RCXE13A.tmp	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Windows\de-DE\RCXE33E.tmp	44854b7cb963dbbf3f94b460d361d790N.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe	44854b7cb963dbbf3f94b460d361d790N.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\886983d96e3d3e	44854b7cb963dbbf3f94b460d361d790N.exe
File created	C:\Windows\de-DE\0a1fd5f707cd16	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXDB2F.tmp	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Windows\Media\Garden\lsass.exe	44854b7cb963dbbf3f94b460d361d790N.exe
File opened for modification	C:\Windows\de-DE\sppsvc.exe	44854b7cb963dbbf3f94b460d361d790N.exe
File created	C:\Windows\Media\Garden\lsass.exe	44854b7cb963dbbf3f94b460d361d790N.exe
File created	C:\Windows\Media\Garden\6203df4a6bafc7	44854b7cb963dbbf3f94b460d361d790N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1364	schtasks.exe
1956	schtasks.exe
2880	schtasks.exe
2256	schtasks.exe
596	schtasks.exe
760	schtasks.exe
2652	schtasks.exe
2732	schtasks.exe
536	schtasks.exe
1948	schtasks.exe
2108	schtasks.exe
3052	schtasks.exe
2372	schtasks.exe
2024	schtasks.exe
1988	schtasks.exe
2956	schtasks.exe
2232	schtasks.exe
2488	schtasks.exe
2756	schtasks.exe
1392	schtasks.exe
660	schtasks.exe
1284	schtasks.exe
1840	schtasks.exe
1336	schtasks.exe
2856	schtasks.exe
2612	schtasks.exe
2692	schtasks.exe
812	schtasks.exe
1960	schtasks.exe
2600	schtasks.exe
940	schtasks.exe
1204	schtasks.exe
2768	schtasks.exe
2896	schtasks.exe
1876	schtasks.exe
2260	schtasks.exe
288	schtasks.exe
592	schtasks.exe
2952	schtasks.exe
2452	schtasks.exe
376	schtasks.exe
1824	schtasks.exe
1856	schtasks.exe
2728	schtasks.exe
2596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2128	44854b7cb963dbbf3f94b460d361d790N.exe
2128	44854b7cb963dbbf3f94b460d361d790N.exe
2128	44854b7cb963dbbf3f94b460d361d790N.exe
1492	powershell.exe
2496	powershell.exe
1284	powershell.exe
2444	powershell.exe
1544	powershell.exe
1384	powershell.exe
1880	powershell.exe
1980	powershell.exe
1160	powershell.exe
1624	powershell.exe
2948	powershell.exe
816	powershell.exe
1156	wininit.exe
2396	wininit.exe
2472	wininit.exe
1972	wininit.exe
544	wininit.exe
1364	wininit.exe
2652	wininit.exe
2676	wininit.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	44854b7cb963dbbf3f94b460d361d790N.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	1156	wininit.exe
Token: SeDebugPrivilege	2396	wininit.exe
Token: SeDebugPrivilege	2472	wininit.exe
Token: SeDebugPrivilege	1972	wininit.exe
Token: SeDebugPrivilege	544	wininit.exe
Token: SeDebugPrivilege	1364	wininit.exe
Token: SeDebugPrivilege	2652	wininit.exe
Token: SeDebugPrivilege	2676	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1980	2128	44854b7cb963dbbf3f94b460d361d790N.exe	77
PID 2128 wrote to memory of 1980	2128	44854b7cb963dbbf3f94b460d361d790N.exe	77
PID 2128 wrote to memory of 1980	2128	44854b7cb963dbbf3f94b460d361d790N.exe	77
PID 2128 wrote to memory of 1492	2128	44854b7cb963dbbf3f94b460d361d790N.exe	78
PID 2128 wrote to memory of 1492	2128	44854b7cb963dbbf3f94b460d361d790N.exe	78
PID 2128 wrote to memory of 1492	2128	44854b7cb963dbbf3f94b460d361d790N.exe	78
PID 2128 wrote to memory of 1284	2128	44854b7cb963dbbf3f94b460d361d790N.exe	79
PID 2128 wrote to memory of 1284	2128	44854b7cb963dbbf3f94b460d361d790N.exe	79
PID 2128 wrote to memory of 1284	2128	44854b7cb963dbbf3f94b460d361d790N.exe	79
PID 2128 wrote to memory of 1384	2128	44854b7cb963dbbf3f94b460d361d790N.exe	80
PID 2128 wrote to memory of 1384	2128	44854b7cb963dbbf3f94b460d361d790N.exe	80
PID 2128 wrote to memory of 1384	2128	44854b7cb963dbbf3f94b460d361d790N.exe	80
PID 2128 wrote to memory of 2444	2128	44854b7cb963dbbf3f94b460d361d790N.exe	81
PID 2128 wrote to memory of 2444	2128	44854b7cb963dbbf3f94b460d361d790N.exe	81
PID 2128 wrote to memory of 2444	2128	44854b7cb963dbbf3f94b460d361d790N.exe	81
PID 2128 wrote to memory of 1880	2128	44854b7cb963dbbf3f94b460d361d790N.exe	82
PID 2128 wrote to memory of 1880	2128	44854b7cb963dbbf3f94b460d361d790N.exe	82
PID 2128 wrote to memory of 1880	2128	44854b7cb963dbbf3f94b460d361d790N.exe	82
PID 2128 wrote to memory of 1544	2128	44854b7cb963dbbf3f94b460d361d790N.exe	83
PID 2128 wrote to memory of 1544	2128	44854b7cb963dbbf3f94b460d361d790N.exe	83
PID 2128 wrote to memory of 1544	2128	44854b7cb963dbbf3f94b460d361d790N.exe	83
PID 2128 wrote to memory of 2948	2128	44854b7cb963dbbf3f94b460d361d790N.exe	84
PID 2128 wrote to memory of 2948	2128	44854b7cb963dbbf3f94b460d361d790N.exe	84
PID 2128 wrote to memory of 2948	2128	44854b7cb963dbbf3f94b460d361d790N.exe	84
PID 2128 wrote to memory of 1624	2128	44854b7cb963dbbf3f94b460d361d790N.exe	85
PID 2128 wrote to memory of 1624	2128	44854b7cb963dbbf3f94b460d361d790N.exe	85
PID 2128 wrote to memory of 1624	2128	44854b7cb963dbbf3f94b460d361d790N.exe	85
PID 2128 wrote to memory of 816	2128	44854b7cb963dbbf3f94b460d361d790N.exe	86
PID 2128 wrote to memory of 816	2128	44854b7cb963dbbf3f94b460d361d790N.exe	86
PID 2128 wrote to memory of 816	2128	44854b7cb963dbbf3f94b460d361d790N.exe	86
PID 2128 wrote to memory of 1160	2128	44854b7cb963dbbf3f94b460d361d790N.exe	87
PID 2128 wrote to memory of 1160	2128	44854b7cb963dbbf3f94b460d361d790N.exe	87
PID 2128 wrote to memory of 1160	2128	44854b7cb963dbbf3f94b460d361d790N.exe	87
PID 2128 wrote to memory of 2496	2128	44854b7cb963dbbf3f94b460d361d790N.exe	88
PID 2128 wrote to memory of 2496	2128	44854b7cb963dbbf3f94b460d361d790N.exe	88
PID 2128 wrote to memory of 2496	2128	44854b7cb963dbbf3f94b460d361d790N.exe	88
PID 2128 wrote to memory of 2140	2128	44854b7cb963dbbf3f94b460d361d790N.exe	100
PID 2128 wrote to memory of 2140	2128	44854b7cb963dbbf3f94b460d361d790N.exe	100
PID 2128 wrote to memory of 2140	2128	44854b7cb963dbbf3f94b460d361d790N.exe	100
PID 2140 wrote to memory of 1152	2140	cmd.exe	103
PID 2140 wrote to memory of 1152	2140	cmd.exe	103
PID 2140 wrote to memory of 1152	2140	cmd.exe	103
PID 2140 wrote to memory of 1156	2140	cmd.exe	104
PID 2140 wrote to memory of 1156	2140	cmd.exe	104
PID 2140 wrote to memory of 1156	2140	cmd.exe	104
PID 1156 wrote to memory of 1668	1156	wininit.exe	105
PID 1156 wrote to memory of 1668	1156	wininit.exe	105
PID 1156 wrote to memory of 1668	1156	wininit.exe	105
PID 1156 wrote to memory of 2228	1156	wininit.exe	106
PID 1156 wrote to memory of 2228	1156	wininit.exe	106
PID 1156 wrote to memory of 2228	1156	wininit.exe	106
PID 1668 wrote to memory of 2396	1668	WScript.exe	107
PID 1668 wrote to memory of 2396	1668	WScript.exe	107
PID 1668 wrote to memory of 2396	1668	WScript.exe	107
PID 2396 wrote to memory of 596	2396	wininit.exe	108
PID 2396 wrote to memory of 596	2396	wininit.exe	108
PID 2396 wrote to memory of 596	2396	wininit.exe	108
PID 2396 wrote to memory of 1736	2396	wininit.exe	109
PID 2396 wrote to memory of 1736	2396	wininit.exe	109
PID 2396 wrote to memory of 1736	2396	wininit.exe	109
PID 596 wrote to memory of 2472	596	WScript.exe	110
PID 596 wrote to memory of 2472	596	WScript.exe	110
PID 596 wrote to memory of 2472	596	WScript.exe	110
PID 2472 wrote to memory of 2784	2472	wininit.exe	111

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	44854b7cb963dbbf3f94b460d361d790N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	44854b7cb963dbbf3f94b460d361d790N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	44854b7cb963dbbf3f94b460d361d790N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\44854b7cb963dbbf3f94b460d361d790N.exe
"C:\Users\Admin\AppData\Local\Temp\44854b7cb963dbbf3f94b460d361d790N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H8oguQ3dQx.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1152
- - C:\Users\Default\Videos\wininit.exe
    "C:\Users\Default\Videos\wininit.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1156
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d08c2dd1-d4a9-40eb-a2f3-46eca4617b58.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2396
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86bc443e-c91c-4836-a167-78def6b77750.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\940523d1-1964-41de-9507-49f9e72b1601.vbs"
        8⤵
        
        PID:2784
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eb2073c-f358-4766-b931-192e471753c5.vbs"
        10⤵
        
        PID:2180
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd3f3030-3c2b-43d3-a6f2-2543cc7c8adc.vbs"
        12⤵
        
        PID:2780
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86ec3281-008d-467a-8757-bdc10f59b8f7.vbs"
        14⤵
        
        PID:1388
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4453e35-779d-47e9-b4e4-f5dd0939356d.vbs"
        16⤵
        
        PID:2828
        
        C:\Users\Default\Videos\wininit.exe
        
        C:\Users\Default\Videos\wininit.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8435a61d-4d3a-4ef9-8638-7327d2a935ac.vbs"
        18⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee263e8d-c487-4fbf-9362-053a4b606c30.vbs"
        18⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b730419-32d4-43ee-a831-d355103eb72f.vbs"
        16⤵
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\466e2738-dc47-44c2-9f4f-607be4e14795.vbs"
        14⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bffec881-44f2-4ce9-b904-a52a25d44796.vbs"
        12⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c65c1cc4-5f61-4eaf-b198-48a452a8d8bd.vbs"
        10⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5039475-537f-4306-bea0-90a2096a1ec9.vbs"
        8⤵
        
        PID:1244
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1970f8e-a001-4a06-bb44-48d6e8ddc733.vbs"
        6⤵
        
        PID:1736
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc450a8b-869b-4619-9869-7b75f8eb5fd6.vbs"
      4⤵
      PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Downloads\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Garden\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Media\Garden\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Garden\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe

Filesize
4.9MB

MD5
61efdf1874099c400c32d80da10a1936

SHA1
00388a66f08c9b8efbbb59314ce46903f25a27ac

SHA256
26949672d4c619290ef05f078e529dc57f9f06d5f17c26e1f3186a02d9dcebbc

SHA512
ec62ff08d5fa70568e6bf71dec41487738d649f2e1c73416b944ecf5d65175096a928d0e0a08e79adc5eb25ea4ce808593e732990d46a75774f5e84e5eadb0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4eb2073c-f358-4766-b931-192e471753c5.vbs

Filesize
711B

MD5
625f29c7711c466ae35cc38592234a1b

SHA1
2e813e2a711844724633603b6a4d4dfd1241700b

SHA256
a212a9f43605122a9b2d34f3c9a273b704bb98b8f4acd6cdc57ae53ef45ab7f6

SHA512
3c4b3b673dd1889dc6923b0b1ec7477ba05731321183f55702376245084fbc18c7c84642241e09e00a8853a35230bc138a153913b9e1ff19cc6f9fad9918381a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8435a61d-4d3a-4ef9-8638-7327d2a935ac.vbs

Filesize
711B

MD5
31877d76ce0f9263bbca94be8e39b7ac

SHA1
5911cfce72bc492e7558710120b36f08423d96ec

SHA256
76e18e44b000eb85539465ac3767f1fc1f4e8999eacde774b650fe7dc506811c

SHA512
8cdeb393156f8b43fc8fbcda19c90e1bd81323718a1e9f755fff74568ca754ae2557fa962d61532dcc6834aab8b90f77c3bad655db32fd3989950b416f4af0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\86bc443e-c91c-4836-a167-78def6b77750.vbs

Filesize
711B

MD5
9feca8eb78bd9f24e137ea803a13e957

SHA1
6a2d1df10eae17a6af8e9866585a8abc40d586c0

SHA256
31c45ce7fec71327ebf5158e508851614d92003ac9e7dfd89c315c0eebdededc

SHA512
8013c77991ee648bc9b097beedd1322e7738f1eb7896c912cc11a407818e87c5197285c7cfb40166b21854e42bba6fb5418774d21a4c5fcf5cbd57d43ed7f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\86ec3281-008d-467a-8757-bdc10f59b8f7.vbs

Filesize
711B

MD5
173eca7816839c193c2b341bc64c8fe1

SHA1
678033d5c5cce20a6902eaefd87379538256d20f

SHA256
b33967dae058c2b9256190f7ce1bd6343d6a64b8a8411778e184e1ff7cd7ef21

SHA512
f9241bf95d3fd05ac1f943623b88cb49dbea218bbe22d720292b95319c93a244dae658631eb85995785e94fb1c5411c862f4f51fb798d61f4dc3ab2edb35e299

Download Submit
C:\Users\Admin\AppData\Local\Temp\940523d1-1964-41de-9507-49f9e72b1601.vbs

Filesize
711B

MD5
6191f3a92d5ac526ccd9d6c02f764020

SHA1
fcc76413f0a3a813e381bcd8a05d71254ff29d66

SHA256
1ab5ef6ee40931dd90a78c7a8936df135f360733305bbfde0c882fc70a10ab41

SHA512
0aa3dd95ba5345230ebb96b55a626b12b563c667b7732bf6707bd7191b094c83f3dd04053df433fb18354ebc2e3e694cf7e36be3a0b98eb7c622d1689dbc99eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\H8oguQ3dQx.bat

Filesize
200B

MD5
19a9eb044743b4061e94641b0532a80b

SHA1
c98f8a2916db45716e1f78368eb9111bd828027a

SHA256
c11850ce104e76ad00d50676f9d45ce0ef5447a2f5ae938b56e06398081de8a0

SHA512
52d96d16c106491f22a093966fdacdbf985ce059ac5dbe0919c7830d0993e2f8fdd9ceeea62b7ac0b77265eb8899c76c9aadaa29d33dc231c9c16eb5a74edf84

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4453e35-779d-47e9-b4e4-f5dd0939356d.vbs

Filesize
711B

MD5
76a32f1f17811ca78180b4a3a545a09a

SHA1
39b38ea5176da912174387bca1f08bbba7df02bd

SHA256
32f32f9de78a437d7f65d2b6c68de6bc1ed3882de96c1e65b28d53889fc1e941

SHA512
ccaaf7e777706837f5ab2ae7393f8bc4dfd8031dc1bc1b8a4e475784aafe7c64d8bc459f32bc9c3d3b91da4d0e09d0ad73b44b19068a4b5537f2d83ff29edd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc450a8b-869b-4619-9869-7b75f8eb5fd6.vbs

Filesize
487B

MD5
b5ccfad00f8d620dd342f3057d06df8d

SHA1
259acfc252badfaad29213a77e102f82a975e81e

SHA256
9625b29b29a2203a7e599ebc3b8ea7a2b6eb7bc222ead0fcd36e58edd947347a

SHA512
8dedcd53d93a896f5125f4f6852a57f86f1073b37629f427b483b74d7c1b27a9b7aa10ecbe806b4fa8d462cc3d31a559d03a819e31f67ff1488a25e47917b229

Download Submit
C:\Users\Admin\AppData\Local\Temp\d08c2dd1-d4a9-40eb-a2f3-46eca4617b58.vbs

Filesize
711B

MD5
f178f69a138b4cf187f85e6ef204f61f

SHA1
adcbf2d46a8cfcb40694bf648b2e8e74173fe3cf

SHA256
daef37bba7394a59cd4cb7ac9ffcfcbf6d610eeb35e90a83adabf96b212b60a9

SHA512
0d3f76cfa512b89036a50817a1ab95fae2e2ff607d608c673fa034f51fe97415ee1071a4f6e7a7650270ea576e8af39d8a46ef23671b2023eb1207ca56b544fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd3f3030-3c2b-43d3-a6f2-2543cc7c8adc.vbs

Filesize
710B

MD5
90619d8f9787cb2bba578b80f5a397c5

SHA1
3f2d641ce6dbdcde4fa5b9c1bc3dc08712684f2d

SHA256
4daa03ca09a84212a7bd075de973764f9b7487d433d431c00e08dda0841a6d3c

SHA512
e3408efe23e53a741c9ac169a7386776c462df36c2313365011f3af530174c846d464b766be763a72e2c88cccbe1045914cae89e799b82b92122e1016da860d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9D0.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1351bf30ad540ca6c502291691e539c4

SHA1
84bb5c021853df11944cc2eff94d1cd071f48265

SHA256
4c9693e6576a38b945dc0119cd9331647e56386041784735054e3112e570d6fc

SHA512
8bf0c2bd5e58a94d91a9c0f93ceb2e801695a17f04e7cd2b953101df65164bf331f4efaa6a4e1198c545bc3066d2508720086fdeb03fd05dc9e21cc20b1f4a44

Download Submit
C:\Users\Default\OSPPSVC.exe

Filesize
4.9MB

MD5
44854b7cb963dbbf3f94b460d361d790

SHA1
70c03c7172ee5086aa3cc63aa195c19169156758

SHA256
2cff51e97b61784f02110140f5e30ad8787dff2014ca7640ee2a7ead24ce06ce

SHA512
b26719d0506f2346de3f7f8af01cd0a6339272e759705e331ea195c172a176daa29e29b4c5918ccb92170ca1a7b790b23a26c1536b850c99a43c508a38e9c5ec

Download Submit
memory/1156-228-0x00000000010D0000-0x00000000015C4000-memory.dmp

Filesize
5.0MB

Download
memory/1492-178-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/1492-168-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2128-16-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/2128-12-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2128-149-0x000007FEF5213000-0x000007FEF5214000-memory.dmp

Filesize
4KB

Download
memory/2128-162-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2128-9-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2128-15-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2128-14-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/2128-8-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2128-13-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/2128-7-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/2128-0-0x000007FEF5213000-0x000007FEF5214000-memory.dmp

Filesize
4KB

Download
memory/2128-11-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2128-1-0x0000000001330000-0x0000000001824000-memory.dmp

Filesize
5.0MB

Download
memory/2128-6-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2128-5-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2128-4-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/2128-10-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2128-3-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2128-2-0x000000001BA60000-0x000000001BB8E000-memory.dmp

Filesize
1.2MB

Download
memory/2396-242-0x0000000001390000-0x0000000001884000-memory.dmp

Filesize
5.0MB

Download