dcrat | 70bba6e748b04c937188f113389a3c90bf30806add70222b920886a57b0bdd98

Analysis

max time kernel
140s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11a186984a7cc6c1fd4317dffed3a78e.exe
Size

5.9MB
MD5

11a186984a7cc6c1fd4317dffed3a78e
SHA1

d31fb2b589d256066864e0440a89016b1faf1ef6
SHA256

4d29cffe0e740e46838c1497e7988b857b5b124b64d9788fffcd8ae35b36d23b
SHA512

b624b6326300e95dc2fb6867ac8cc3614fddcadfabb5dcc7949546bd4454b1df1be15b468c5e8e208d74e3b7ad69e4f7a820e942f1683fc012535d8edc23a1fc
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4m:hyeU11Rvqmu8TWKnF6N/1wb

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6020	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5548	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5420	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6012	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5736	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5552	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6112	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5608	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5976	4928	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4928	schtasks.exe	89

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4348	powershell.exe
1684	powershell.exe
5020	powershell.exe
4864	powershell.exe
4112	powershell.exe
5800	powershell.exe
3028	powershell.exe
3240	powershell.exe
1500	powershell.exe
2884	powershell.exe
4508	powershell.exe
2452	powershell.exe
5748	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	11a186984a7cc6c1fd4317dffed3a78e.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	11a186984a7cc6c1fd4317dffed3a78e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 3 IoCs

pid	Process
1092	SppExtComObj.exe
2112	SppExtComObj.exe
548	SppExtComObj.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
1092	SppExtComObj.exe
1092	SppExtComObj.exe
2112	SppExtComObj.exe
2112	SppExtComObj.exe
548	SppExtComObj.exe
548	SppExtComObj.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\upfc.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\edge_BITS_4636_334171237\RCX7F26.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX83CB.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX920F.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX9B8E.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\unsecapp.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\edge_BITS_4636_334171237\6cb0b6c459d5d3	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ee2ad38f3d4382	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\eddb19405b7ce1	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\upfc.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\Windows Portable Devices\unsecapp.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX9FC7.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\edge_BITS_4636_334171237\dwm.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\edge_BITS_4636_334171237\dwm.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX833E.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\RCX8B05.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\unsecapp.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\RCX8B04.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\backgroundTaskHost.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\Windows Portable Devices\29c1c3cc0f7685	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX9B7D.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX9FD7.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Internet Explorer\ea1d8f6d871115	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Registry.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\backgroundTaskHost.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX921F.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\29c1c3cc0f7685	11a186984a7cc6c1fd4317dffed3a78e.exe
File opened for modification	C:\Program Files\edge_BITS_4636_334171237\RCX7E98.tmp	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Registry.exe	11a186984a7cc6c1fd4317dffed3a78e.exe
File created	C:\Program Files\Windows Portable Devices\unsecapp.exe	11a186984a7cc6c1fd4317dffed3a78e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	11a186984a7cc6c1fd4317dffed3a78e.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4984	schtasks.exe
5496	schtasks.exe
4792	schtasks.exe
676	schtasks.exe
4516	schtasks.exe
3344	schtasks.exe
6012	schtasks.exe
5044	schtasks.exe
4876	schtasks.exe
3824	schtasks.exe
5736	schtasks.exe
4132	schtasks.exe
4856	schtasks.exe
5608	schtasks.exe
4936	schtasks.exe
6020	schtasks.exe
5548	schtasks.exe
996	schtasks.exe
5900	schtasks.exe
4992	schtasks.exe
2112	schtasks.exe
4872	schtasks.exe
4952	schtasks.exe
4636	schtasks.exe
1028	schtasks.exe
5552	schtasks.exe
6112	schtasks.exe
4180	schtasks.exe
2148	schtasks.exe
3500	schtasks.exe
884	schtasks.exe
4836	schtasks.exe
1008	schtasks.exe
468	schtasks.exe
1068	schtasks.exe
3416	schtasks.exe
5420	schtasks.exe
464	schtasks.exe
2268	schtasks.exe
4488	schtasks.exe
5976	schtasks.exe
5064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe
4484	11a186984a7cc6c1fd4317dffed3a78e.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	11a186984a7cc6c1fd4317dffed3a78e.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	5800	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1092	SppExtComObj.exe
Token: SeDebugPrivilege	2112	SppExtComObj.exe
Token: SeDebugPrivilege	548	SppExtComObj.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 3028	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	132
PID 4484 wrote to memory of 3028	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	132
PID 4484 wrote to memory of 5748	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	133
PID 4484 wrote to memory of 5748	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	133
PID 4484 wrote to memory of 5800	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	134
PID 4484 wrote to memory of 5800	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	134
PID 4484 wrote to memory of 4348	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	136
PID 4484 wrote to memory of 4348	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	136
PID 4484 wrote to memory of 4112	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	137
PID 4484 wrote to memory of 4112	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	137
PID 4484 wrote to memory of 2452	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	139
PID 4484 wrote to memory of 2452	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	139
PID 4484 wrote to memory of 4864	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	140
PID 4484 wrote to memory of 4864	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	140
PID 4484 wrote to memory of 5020	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	141
PID 4484 wrote to memory of 5020	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	141
PID 4484 wrote to memory of 4508	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	142
PID 4484 wrote to memory of 4508	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	142
PID 4484 wrote to memory of 2884	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	143
PID 4484 wrote to memory of 2884	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	143
PID 4484 wrote to memory of 1500	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	145
PID 4484 wrote to memory of 1500	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	145
PID 4484 wrote to memory of 3240	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	146
PID 4484 wrote to memory of 3240	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	146
PID 4484 wrote to memory of 1684	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	147
PID 4484 wrote to memory of 1684	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	147
PID 4484 wrote to memory of 4828	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	158
PID 4484 wrote to memory of 4828	4484	11a186984a7cc6c1fd4317dffed3a78e.exe	158
PID 4828 wrote to memory of 440	4828	cmd.exe	160
PID 4828 wrote to memory of 440	4828	cmd.exe	160
PID 4828 wrote to memory of 1092	4828	cmd.exe	164
PID 4828 wrote to memory of 1092	4828	cmd.exe	164
PID 1092 wrote to memory of 5520	1092	SppExtComObj.exe	166
PID 1092 wrote to memory of 5520	1092	SppExtComObj.exe	166
PID 1092 wrote to memory of 3188	1092	SppExtComObj.exe	167
PID 1092 wrote to memory of 3188	1092	SppExtComObj.exe	167
PID 5520 wrote to memory of 2112	5520	WScript.exe	173
PID 5520 wrote to memory of 2112	5520	WScript.exe	173
PID 2112 wrote to memory of 4056	2112	SppExtComObj.exe	174
PID 2112 wrote to memory of 4056	2112	SppExtComObj.exe	174
PID 2112 wrote to memory of 4132	2112	SppExtComObj.exe	175
PID 2112 wrote to memory of 4132	2112	SppExtComObj.exe	175
PID 4056 wrote to memory of 548	4056	WScript.exe	176
PID 4056 wrote to memory of 548	4056	WScript.exe	176
PID 548 wrote to memory of 4148	548	SppExtComObj.exe	177
PID 548 wrote to memory of 4148	548	SppExtComObj.exe	177
PID 548 wrote to memory of 4964	548	SppExtComObj.exe	178
PID 548 wrote to memory of 4964	548	SppExtComObj.exe	178

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11a186984a7cc6c1fd4317dffed3a78e.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\11a186984a7cc6c1fd4317dffed3a78e.exe
"C:\Users\Admin\AppData\Local\Temp\11a186984a7cc6c1fd4317dffed3a78e.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/7330c8a20692d0b35002ea5a/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/f170d29a37c9c9775251/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CmPbD9mhub.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:440
- - C:\Recovery\WindowsRE\SppExtComObj.exe
    "C:\Recovery\WindowsRE\SppExtComObj.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1092
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\543b2ad8-8766-4595-8afd-15f617b33fa8.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5520
    - - C:\Recovery\WindowsRE\SppExtComObj.exe
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2112
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\207f0b50-aabe-4791-93ed-5e8bcf2ce31b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfc7adb8-2c6c-4c44-b399-50b730c46d93.vbs"
        8⤵
        
        PID:4148
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        9⤵
        
        PID:5420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d74b7505-c335-4a02-8dc3-ef596fdaf57e.vbs"
        10⤵
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe067c64-327e-4cc8-bbaf-0a069cd9845e.vbs"
        10⤵
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb16522b-03e5-4616-b325-fa4ac8fe40a7.vbs"
        8⤵
        
        PID:4964
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86b57c93-8faa-40dc-bf2c-8ca0df8e4edf.vbs"
        6⤵
        
        PID:4132
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9b9a790-0555-481f-9248-cfb6fe70f0f1.vbs"
      4⤵
      PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4636_334171237\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4636_334171237\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4636_334171237\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\f170d29a37c9c9775251\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\f170d29a37c9c9775251\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\f170d29a37c9c9775251\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\f170d29a37c9c9775251\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Documents\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Documents\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\f170d29a37c9c9775251\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\f170d29a37c9c9775251\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Registry.exe

Filesize
5.9MB

MD5
10af1893107f91c62bfcb943cfa8fbd4

SHA1
de740068cf8701c0e471e0ec329f358d27342983

SHA256
ed4b9839c7c59d980841439474af8f045734891fa70c273921c717119f14c213

SHA512
0bb491547ff2179e6014e6c498303d02d58fe993dc6dabcb9cd93b22dabc28db4eff414f0567bfb6b47046018c9c534978fd7ccbf15dd81f8fa4b8397b1af5b8

Download Submit
C:\Program Files (x86)\Windows Media Player\es-ES\backgroundTaskHost.exe

Filesize
5.9MB

MD5
11a186984a7cc6c1fd4317dffed3a78e

SHA1
d31fb2b589d256066864e0440a89016b1faf1ef6

SHA256
4d29cffe0e740e46838c1497e7988b857b5b124b64d9788fffcd8ae35b36d23b

SHA512
b624b6326300e95dc2fb6867ac8cc3614fddcadfabb5dcc7949546bd4454b1df1be15b468c5e8e208d74e3b7ad69e4f7a820e942f1683fc012535d8edc23a1fc

Download Submit
C:\Program Files\edge_BITS_4636_334171237\dwm.exe

Filesize
5.9MB

MD5
47ce560a66cf50af8647344dd74bb6d6

SHA1
a59cd1f5960624ecbe2d8537a21b91682e8ea1c7

SHA256
d1e12608440425d5b79bc54d1f216e969ccfc0f8aa03a31fe8c922797c9bb4fa

SHA512
7cafd86c28277caf5ae9f8e32a301b11f7e07896a91b438b761990e3053e3ab65c88c52a8d1054b0dd3dbe300fa51f901a722d8811a63fd31766e37fa9615cac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4021b258cd26ad91b3208444aca2f1

SHA1
617431aae43c616ecb3680101f01939d427479ef

SHA256
64edd4e5aafb2dd9117768e239f4368bc2a224de1ec5103a13d80f68ae74c00e

SHA512
5ede51408ee2b94b3d5e9cb192f59bff2ce7521d1f6704141ca40ff1d09b39700bf70b0e482ab55f45e206e0f73b215a2a6bff5e455e5916d2e35aa5122a3af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f68785608a60c0961b2926f9c4d4ff87

SHA1
e90357d9a679b851acf30e5e7aa6f76f2e6d3bb4

SHA256
edeed8daa6363551c6ffe770dc95fc9a767da6a020004c61c8e3d81eccb9d673

SHA512
fa369a235b3d4375e7856e39f42b17fb118fadb0b48fbe71074fa47354d0713662b950142ab5083c01cc850f79bbb0abe154eefe0e754b9b76e8d3b330daf652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a5d93882341ce023d4569907c3bb0def

SHA1
db0998ab671abb543a7ac78596c0b95743a9a2c8

SHA256
c3ea7d8d4ac21adbe8c93e10729367b0b7c3477e7758596609c8e25e45baaa78

SHA512
7bf5716c96d93da7d37bbedb9623c9ae2860ac7b1a0e9310cbee0962556705f8876aebdabb9820f1f1ed37e504e002f24507a23db302d0e180bb45092520cc7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f3d606f9a5f1201bfc1f01c54e842c4

SHA1
f1917e50b557b135953ecbe63e1fc1e675b541f1

SHA256
dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a

SHA512
d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5d7d84a994df407b45490027d1612f49

SHA1
9f22036fe3c9358da3eabd190a220bfa08f62718

SHA256
e607522b5d77da294a31952705d11b5695fea11106565684616582659d8af895

SHA512
d04684f622730856b67800acf437ad16db02505f0c42f8d7439cf2855a7a294160a7b77691582eb22971bf286041d869eda3fe7d0f3aca3d40fa29be8b6046b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
566ef902c25833fe5f7f4484509fe364

SHA1
f8ba6651e7e4c64270e95aac690ad758fa3fc7f8

SHA256
28265aaf259c60ae208b025f4c6b317c0799154b5d40d650bf44ef09f4805514

SHA512
b2c696820b775c0705884f606b4ac464d75d8d5e415bee2fb1e68d07ca288c953936d9286f277082fc11fbae24748c6a872f0be540be37190f0383c7b16820a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\207f0b50-aabe-4791-93ed-5e8bcf2ce31b.vbs

Filesize
714B

MD5
d8195fb34803f7114440c8a5b76d4b98

SHA1
b9eb4b78cc0462a4bb4066a254cd083406194dda

SHA256
76b95a6922aa14e3d172307091840c82c568611033530cfd61ac65a6b916b550

SHA512
2ccf9a39fbb32ed17e9b93692fcc14a009aae8dc6d5c1cc206413b6f243f7cdd22ac4de675683f9c19f2fa7ed9df3502a792eb3f235b9d157392d62f882f6860

Download Submit
C:\Users\Admin\AppData\Local\Temp\543b2ad8-8766-4595-8afd-15f617b33fa8.vbs

Filesize
714B

MD5
f4d6455b85d90056da9adefde9922db0

SHA1
6d8bfbb5842aaf0a7fdaefe32bfff9a1cec35469

SHA256
dbd5b4152c5557cce37887a0e592d94ad9884fad81c3f490ca24da93f234da17

SHA512
c1e15ec4659a69e8e5c496ec703ef58e9c64bf1a9ce4f8eb1430b6ad989d13abccecfe2683e1d7bbf6f519a9c9ec7083b83cfca166f1541a3d14d82d7f724db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CmPbD9mhub.bat

Filesize
203B

MD5
36ef0939f6c416a4ff1b1b3712f45afc

SHA1
0256e86c1f0af9ec8c013edd0786bbec9350aca3

SHA256
be127a38059c0a76b381abe5a28eca94130a7da35f4549004a6e6e57e0524743

SHA512
8299086a3140a90e003c7ed7743cec2405200d950d05a4e3de8bc591974a42de00bab96d840211bb6ac21fb73de5d3f91ef4fb7c397fc9ea69629352166aeb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jsgztabl.twx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9b9a790-0555-481f-9248-cfb6fe70f0f1.vbs

Filesize
490B

MD5
c86d1979f04e2cbbe29a9079699d9761

SHA1
1fb9add663132e1a879d8e8ea6b77f04e5616e93

SHA256
a3cd23bc3f45f961e5919ee7d92274eaa78bd505a01d5631a08371d10abdf98e

SHA512
7be87d78d0d1714a6281c7c026918b0a6ad67d34d47d8b760a49857da8185ed6ecee093e364eaa60f86fe134a830ab2a924073aded95ad60b516c22cc1c30d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\d74b7505-c335-4a02-8dc3-ef596fdaf57e.vbs

Filesize
714B

MD5
7cd022f734b9b138ed1f922011e8c75d

SHA1
c3da6ca18b503b983d2d4844e23a3c3b7e6d35fd

SHA256
69b3bcd4a70f3fe65353f9a54b84a4eb66f24ebd7d550d773b92caaa3b2733ad

SHA512
827780270e15d3e3fce410f327695122a69e903d28650c1c2d9875c593bb0eeb49a22a101a85af8104d623a64139883e71e476133b2bc66f3ab7637c1cb05554

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfc7adb8-2c6c-4c44-b399-50b730c46d93.vbs

Filesize
713B

MD5
e6dd8a58e42b599b2662f7c247cb1fe5

SHA1
0da5ecbdf443cb627874f6f59a604e3bfc6552c3

SHA256
c954e69896f13653c677d11b169e3eb4f00f416b22acad41c50519902eae583f

SHA512
1a30ecfeb95175ae083c937e8d7bc433f6e586d5793b91ce3bdc305ed71a8cd04c104fe01a07b815cd99c36680561837729ddf59f5411332bcfc15e10b8f1287

Download Submit
C:\Users\Default\Documents\Registry.exe

Filesize
5.9MB

MD5
fa5981323fd411ee7ac70c2053f8fcf0

SHA1
83fa2853667c46421db8a9c5f50b72b3a6158747

SHA256
d0c5a3cfd2094024f85b7579fea243a8e27265cec2ba72c7c661027fc3b40045

SHA512
27588b9b1ccfe83277f8099c54db05009a47c8e5e71e1a62695907acf2fe18fb366aa9e1e2bd20632f4b0b0b018ad667cf403eb12691097021c9ffb19110a04e

Download Submit
C:\f170d29a37c9c9775251\RuntimeBroker.exe

Filesize
5.9MB

MD5
35436f3be4f710af9d97e4d64fbfd406

SHA1
0c45318f9820692915658526bb5f2e320c15bd3d

SHA256
f36636b5c758f9283c55129fc3efb093e1115812ac09884befc53d8c021597ff

SHA512
d46c7c9167c187de111186f4ab90923c9a591404a85ecd830111f75f7593301d2d4a5697e5f7375ec2d59dcba59d5d86eb68781a3792825b81c0e47bf5be4a14

Download Submit
C:\f170d29a37c9c9775251\sihost.exe

Filesize
5.9MB

MD5
6d16bda2d9db3225562e00700632f966

SHA1
721f3ed66f47bbd8a4eee01097d026b57bcb7b76

SHA256
b620e650faf91af7853d805eccc2e31fad5186291d2f93d6646a79d743c3f7c6

SHA512
0a5d7ccfc8695726f132041fe1deddf6ed64b35d3251eb7fdbd54f68bdeefe67eb3ef95226467df01304e80345a0e9673cf6a936f7199c9e4bff4e2a940858b7

Download Submit
memory/2452-260-0x000001F06FA60000-0x000001F06FA82000-memory.dmp

Filesize
136KB

Download
memory/4484-26-0x000000001D280000-0x000000001D28C000-memory.dmp

Filesize
48KB

Download
memory/4484-30-0x000000001D2C0000-0x000000001D2CC000-memory.dmp

Filesize
48KB

Download
memory/4484-41-0x000000001D580000-0x000000001D58C000-memory.dmp

Filesize
48KB

Download
memory/4484-38-0x000000001D330000-0x000000001D33C000-memory.dmp

Filesize
48KB

Download
memory/4484-37-0x000000001D320000-0x000000001D328000-memory.dmp

Filesize
32KB

Download
memory/4484-36-0x000000001D310000-0x000000001D31E000-memory.dmp

Filesize
56KB

Download
memory/4484-35-0x000000001D300000-0x000000001D308000-memory.dmp

Filesize
32KB

Download
memory/4484-39-0x000000001D560000-0x000000001D568000-memory.dmp

Filesize
32KB

Download
memory/4484-31-0x000000001D550000-0x000000001D558000-memory.dmp

Filesize
32KB

Download
memory/4484-34-0x000000001D2F0000-0x000000001D2FE000-memory.dmp

Filesize
56KB

Download
memory/4484-33-0x000000001D2E0000-0x000000001D2EA000-memory.dmp

Filesize
40KB

Download
memory/4484-25-0x000000001D880000-0x000000001DDA8000-memory.dmp

Filesize
5.2MB

Download
memory/4484-21-0x000000001D340000-0x000000001D34C000-memory.dmp

Filesize
48KB

Download
memory/4484-20-0x000000001D230000-0x000000001D238000-memory.dmp

Filesize
32KB

Download
memory/4484-19-0x000000001D220000-0x000000001D22C000-memory.dmp

Filesize
48KB

Download
memory/4484-14-0x000000001D1A0000-0x000000001D1AC000-memory.dmp

Filesize
48KB

Download
memory/4484-12-0x000000001D020000-0x000000001D028000-memory.dmp

Filesize
32KB

Download
memory/4484-11-0x000000001D000000-0x000000001D016000-memory.dmp

Filesize
88KB

Download
memory/4484-10-0x000000001CFF0000-0x000000001D000000-memory.dmp

Filesize
64KB

Download
memory/4484-9-0x000000001CFE0000-0x000000001CFE8000-memory.dmp

Filesize
32KB

Download
memory/4484-8-0x000000001D030000-0x000000001D080000-memory.dmp

Filesize
320KB

Download
memory/4484-32-0x000000001D2D0000-0x000000001D2DC000-memory.dmp

Filesize
48KB

Download
memory/4484-28-0x000000001D2A0000-0x000000001D2A8000-memory.dmp

Filesize
32KB

Download
memory/4484-40-0x000000001D570000-0x000000001D57A000-memory.dmp

Filesize
40KB

Download
memory/4484-190-0x00007FFBEE303000-0x00007FFBEE305000-memory.dmp

Filesize
8KB

Download
memory/4484-29-0x000000001D2B0000-0x000000001D2BC000-memory.dmp

Filesize
48KB

Download
memory/4484-202-0x00007FFBEE300000-0x00007FFBEEDC1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-0-0x00007FFBEE303000-0x00007FFBEE305000-memory.dmp

Filesize
8KB

Download
memory/4484-27-0x000000001D290000-0x000000001D29C000-memory.dmp

Filesize
48KB

Download
memory/4484-301-0x00007FFBEE300000-0x00007FFBEEDC1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-22-0x000000001D240000-0x000000001D248000-memory.dmp

Filesize
32KB

Download
memory/4484-24-0x000000001D250000-0x000000001D262000-memory.dmp

Filesize
72KB

Download
memory/4484-15-0x000000001D190000-0x000000001D198000-memory.dmp

Filesize
32KB

Download
memory/4484-18-0x000000001D1D0000-0x000000001D226000-memory.dmp

Filesize
344KB

Download
memory/4484-17-0x000000001D1C0000-0x000000001D1CA000-memory.dmp

Filesize
40KB

Download
memory/4484-16-0x000000001D1B0000-0x000000001D1C0000-memory.dmp

Filesize
64KB

Download
memory/4484-13-0x000000001D080000-0x000000001D092000-memory.dmp

Filesize
72KB

Download
memory/4484-6-0x000000001CFB0000-0x000000001CFB8000-memory.dmp

Filesize
32KB

Download
memory/4484-7-0x000000001CFC0000-0x000000001CFDC000-memory.dmp

Filesize
112KB

Download
memory/4484-5-0x000000001CFA0000-0x000000001CFAE000-memory.dmp

Filesize
56KB

Download
memory/4484-4-0x000000001CF90000-0x000000001CF9E000-memory.dmp

Filesize
56KB

Download
memory/4484-3-0x00007FFBEE300000-0x00007FFBEEDC1000-memory.dmp

Filesize
10.8MB

Download
memory/4484-2-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/4484-1-0x00000000002D0000-0x0000000000BC8000-memory.dmp

Filesize
9.0MB

Download
memory/5420-433-0x000000001C3D0000-0x000000001C3E2000-memory.dmp

Filesize
72KB

Download