dcrat | 08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/10/2023, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Size

1.1MB
MD5

0a58202c976291d628df312bcd090e5e
SHA1

d8b5759fde291c74e38a405c1dcc1f6cfa22fa63
SHA256

08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7
SHA512

e98f581fa1e22538dd4b271480319f6d9fe7ef7544f9d5b508d18c202329f0d63805a3fe476d97d249b370f7ea3e4353de2d2099b64c5a707af229c86cf512fd
SSDEEP

12288:El+4Tcyct/JWT7yckBlepmbMsBXYHOWyAh5+djVyKDGpiRe7FaS+ug82qGeJ3btU:Zyc5JWackYm7dZ1Oq2nn2qPJ3btV3+f

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1768	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1768	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2952-0-0x0000000000350000-0x0000000000470000-memory.dmp	dcrat
behavioral1/files/0x0005000000019496-17.dat	dcrat
behavioral1/files/0x000600000001a463-60.dat	dcrat
behavioral1/files/0x000e000000019496-166.dat	dcrat
behavioral1/files/0x00090000000195bf-191.dat	dcrat
behavioral1/memory/1732-325-0x00000000002E0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/files/0x000500000001a408-318.dat	dcrat
behavioral1/files/0x000500000001a408-314.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1732	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX719D.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Program Files\Windows Media Player\wininit.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX81C1.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File created	C:\Program Files\Windows Media Player\wininit.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File created	C:\Program Files\Windows Media Player\56085415360792	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\80bb64fac9ba4b	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX712F.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX81C0.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\ehome\886983d96e3d3e	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\ehome\RCX78A5.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File created	C:\Windows\assembly\80bb64fac9ba4b	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File created	C:\Windows\Boot\PCAT\tr-TR\explorer.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\assembly\RCX5FF0.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\ehome\RCX78A4.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File created	C:\Windows\IME\fr-FR\csrss.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\assembly\RCX5FE0.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\Web\Wallpaper\RCX5D6E.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\Web\Wallpaper\RCX5DDC.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\assembly\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\IME\fr-FR\RCX7622.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\IME\fr-FR\RCX76A0.tmp	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File created	C:\Windows\Web\Wallpaper\69ddcba757bf72	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File created	C:\Windows\assembly\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File created	C:\Windows\IME\fr-FR\886983d96e3d3e	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File created	C:\Windows\ehome\csrss.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\IME\fr-FR\csrss.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\ehome\csrss.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File created	C:\Windows\Web\Wallpaper\smss.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
File opened for modification	C:\Windows\Web\Wallpaper\smss.exe	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2904	schtasks.exe
1320	schtasks.exe
2588	schtasks.exe
1712	schtasks.exe
2544	schtasks.exe
2568	schtasks.exe
2520	schtasks.exe
2724	schtasks.exe
436	schtasks.exe
2296	schtasks.exe
1732	schtasks.exe
2872	schtasks.exe
1924	schtasks.exe
2220	schtasks.exe
1520	schtasks.exe
2756	schtasks.exe
2528	schtasks.exe
1164	schtasks.exe
1660	schtasks.exe
2692	schtasks.exe
1720	schtasks.exe
2488	schtasks.exe
2828	schtasks.exe
2076	schtasks.exe
1068	schtasks.exe
2060	schtasks.exe
2624	schtasks.exe
2688	schtasks.exe
656	schtasks.exe
2936	schtasks.exe
1628	schtasks.exe
2824	schtasks.exe
2876	schtasks.exe
2120	schtasks.exe
2380	schtasks.exe
592	schtasks.exe
1000	schtasks.exe
1092	schtasks.exe
2716	schtasks.exe
3020	schtasks.exe
2788	schtasks.exe
2924	schtasks.exe
1340	schtasks.exe
1304	schtasks.exe
1956	schtasks.exe
2592	schtasks.exe
1624	schtasks.exe
2008	schtasks.exe
1180	schtasks.exe
2288	schtasks.exe
2512	schtasks.exe
3060	schtasks.exe
1724	schtasks.exe
840	schtasks.exe
1252	schtasks.exe
2068	schtasks.exe
536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
2824	powershell.exe
2084	powershell.exe
2796	powershell.exe
1596	powershell.exe
2416	powershell.exe
1384	powershell.exe
1560	powershell.exe
1812	powershell.exe
2536	powershell.exe
1592	powershell.exe
1912	powershell.exe
2444	powershell.exe
1732	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1732	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2084	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	86
PID 2952 wrote to memory of 2084	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	86
PID 2952 wrote to memory of 2084	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	86
PID 2952 wrote to memory of 2416	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	87
PID 2952 wrote to memory of 2416	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	87
PID 2952 wrote to memory of 2416	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	87
PID 2952 wrote to memory of 1812	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	88
PID 2952 wrote to memory of 1812	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	88
PID 2952 wrote to memory of 1812	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	88
PID 2952 wrote to memory of 1384	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	107
PID 2952 wrote to memory of 1384	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	107
PID 2952 wrote to memory of 1384	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	107
PID 2952 wrote to memory of 1912	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	89
PID 2952 wrote to memory of 1912	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	89
PID 2952 wrote to memory of 1912	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	89
PID 2952 wrote to memory of 2796	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	106
PID 2952 wrote to memory of 2796	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	106
PID 2952 wrote to memory of 2796	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	106
PID 2952 wrote to memory of 2824	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	105
PID 2952 wrote to memory of 2824	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	105
PID 2952 wrote to memory of 2824	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	105
PID 2952 wrote to memory of 2444	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	103
PID 2952 wrote to memory of 2444	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	103
PID 2952 wrote to memory of 2444	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	103
PID 2952 wrote to memory of 1560	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	102
PID 2952 wrote to memory of 1560	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	102
PID 2952 wrote to memory of 1560	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	102
PID 2952 wrote to memory of 1592	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	100
PID 2952 wrote to memory of 1592	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	100
PID 2952 wrote to memory of 1592	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	100
PID 2952 wrote to memory of 1596	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	90
PID 2952 wrote to memory of 1596	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	90
PID 2952 wrote to memory of 1596	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	90
PID 2952 wrote to memory of 2536	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	98
PID 2952 wrote to memory of 2536	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	98
PID 2952 wrote to memory of 2536	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	98
PID 2952 wrote to memory of 1732	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	110
PID 2952 wrote to memory of 1732	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	110
PID 2952 wrote to memory of 1732	2952	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe	110

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
"C:\Users\Admin\AppData\Local\Temp\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe
  "C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC0" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC" /sc ONLOGON /tr "'C:\Windows\assembly\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC0" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\IME\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ehome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC0" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC0" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC0" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC0" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC0" /sc MINUTE /mo 5 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC" /sc ONLOGON /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC0" /sc MINUTE /mo 6 /tr "'C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe

Filesize
1.1MB

MD5
0a58202c976291d628df312bcd090e5e

SHA1
d8b5759fde291c74e38a405c1dcc1f6cfa22fa63

SHA256
08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7

SHA512
e98f581fa1e22538dd4b271480319f6d9fe7ef7544f9d5b508d18c202329f0d63805a3fe476d97d249b370f7ea3e4353de2d2099b64c5a707af229c86cf512fd

Download Submit
C:\Program Files\Windows Media Player\wininit.exe

Filesize
1.1MB

MD5
b92b7c9d2853cd94c5e88258adcad0a9

SHA1
5eaff331adc8448e89cf812d2427ec0be54a9291

SHA256
a7bb0d65a492ca393d3d84a15bae93c3e77da3ddc21764bc64387d70d22fe175

SHA512
74cce482ddb2770e05d6af9122a5d26c2ff0a626da2d78041a7ef5a98769f139fd26d576380718d6182de58243826f0b2b0133ee4a3562259f793bee0feefd70

Download Submit
C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe

Filesize
1.1MB

MD5
0a58202c976291d628df312bcd090e5e

SHA1
d8b5759fde291c74e38a405c1dcc1f6cfa22fa63

SHA256
08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7

SHA512
e98f581fa1e22538dd4b271480319f6d9fe7ef7544f9d5b508d18c202329f0d63805a3fe476d97d249b370f7ea3e4353de2d2099b64c5a707af229c86cf512fd

Download Submit
C:\Recovery\daa88f22-4899-11ee-869c-62b3d3f2749b\08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7_JC.exe

Filesize
1.1MB

MD5
0a58202c976291d628df312bcd090e5e

SHA1
d8b5759fde291c74e38a405c1dcc1f6cfa22fa63

SHA256
08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7

SHA512
e98f581fa1e22538dd4b271480319f6d9fe7ef7544f9d5b508d18c202329f0d63805a3fe476d97d249b370f7ea3e4353de2d2099b64c5a707af229c86cf512fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFA96.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFAC8.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LMZ9RDSSUTG5ZVHHJQQP.temp

Filesize
7KB

MD5
e5b80a4ca8eacd503f585d208c8afd49

SHA1
0248a31e9232bd136d041b8dcd19b81867868c4f

SHA256
c3db0abddf647cb14ff4219bdd46134dabaa58081b5cc80f3d1c4876db41d496

SHA512
c8a7a95448a6ec7805b3877f8029d609d06dd035f088cf11d1d0d0cbeacf7ec7c2cf197fffac3f2ff269609bd2fcc939adf8345e4eb61fd406247b414c2834e0

Download Submit
C:\Windows\IME\fr-FR\csrss.exe

Filesize
1.1MB

MD5
6380f0bccc91b1a0c13499d085c28127

SHA1
782d893c4a64f6396ac5edb9e704a39437302b68

SHA256
4c589fd426f3532b16a6ce66c1c7b5fcae1b23f709029673b86e4bf351100485

SHA512
93977518cc36b09f2422f3c5518dd8080fee93c840d4776d4f8c80ef1d6fd2685d770a955196548e62ef82dbe74d772232e634800d71f85850fc0814c8146620

Download Submit
C:\Windows\Web\Wallpaper\smss.exe

Filesize
1.1MB

MD5
30a0d655396938a1239ae6f4eac98003

SHA1
80233af293f211ef37d90f34abcabd9448212982

SHA256
e927f6d1be75c91a238599633542c87894fd9345a83b9267411ad5ddac5c1b04

SHA512
3f0884218ec7d8008fffbebfbffa315cff0d1b4aff143d66819cfc3857dc548e0050554f23ed7700142c4777654455ab40d02bbe9204322bc2aa875523917393

Download Submit
memory/1384-365-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/1384-362-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/1384-366-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1384-372-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1384-363-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1560-378-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/1560-377-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/1560-374-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/1560-375-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/1592-361-0x000000000254B000-0x00000000025B2000-memory.dmp

Filesize
412KB

Download
memory/1592-376-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/1592-367-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/1596-394-0x00000000027FB000-0x0000000002862000-memory.dmp

Filesize
412KB

Download
memory/1596-351-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/1596-393-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/1596-359-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/1596-349-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/1596-348-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/1732-325-0x00000000002E0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/1812-380-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1812-390-0x000000000297B000-0x00000000029E2000-memory.dmp

Filesize
412KB

Download
memory/1812-382-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1812-381-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1812-379-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/1912-384-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/1912-383-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/1912-385-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2084-355-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2084-358-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2084-356-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2416-371-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2416-370-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2416-368-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-369-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2444-387-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-389-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2444-386-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2536-388-0x000000000295B000-0x00000000029C2000-memory.dmp

Filesize
412KB

Download
memory/2536-373-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/2536-364-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-309-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2796-360-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2796-350-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2796-301-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2796-341-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-391-0x00000000024AB000-0x0000000002512000-memory.dmp

Filesize
412KB

Download
memory/2824-357-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2824-392-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-302-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/2824-353-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/2824-352-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2824-354-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2952-0-0x0000000000350000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2952-6-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2952-7-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2952-8-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2952-169-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2952-5-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2952-189-0x000000001AFB0000-0x000000001B030000-memory.dmp

Filesize
512KB

Download
memory/2952-4-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2952-342-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2952-3-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/2952-2-0x000000001AFB0000-0x000000001B030000-memory.dmp

Filesize
512KB

Download
memory/2952-1-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download