dcrat | 9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9

Analysis

max time kernel
116s
max time network
109s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
Size

4.9MB
MD5

1104e32eb6157e6798d194f9a6d29e90
SHA1

178fca5fa8a5b0977c812bd58bd8912393f33591
SHA256

9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9
SHA512

184de1c9150cea1ead9be483b46d80a6053d81760884ed935b7a9ef657c3286034a78b55ade810f5da9817e78516140356d401cbc68ba442ee13fabd44d9a35f
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2504	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2504	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2112-3-0x000000001B270000-0x000000001B39E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1856	powershell.exe
1576	powershell.exe
1424	powershell.exe
904	powershell.exe
1436	powershell.exe
1132	powershell.exe
2248	powershell.exe
1020	powershell.exe
1992	powershell.exe
2644	powershell.exe
2036	powershell.exe
2060	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2552	dwm.exe
1848	dwm.exe
2012	dwm.exe
2872	dwm.exe
2592	dwm.exe
2020	dwm.exe
900	dwm.exe
3012	dwm.exe
2620	dwm.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\dwm.exe	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\RCXF52B.tmp	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\fr-FR\OSPPSVC.exe	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXFE44.tmp	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File opened for modification	C:\Program Files\Windows Sidebar\dwm.exe	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\OSPPSVC.exe	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\1610b97d3ab4a7	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File created	C:\Program Files\Windows Sidebar\6cb0b6c459d5d3	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\886983d96e3d3e	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\RCX2B9.tmp	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\CSC\winlogon.exe	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File created	C:\Windows\CSC\cc11b995f2a76d	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File opened for modification	C:\Windows\CSC\RCXF730.tmp	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
File opened for modification	C:\Windows\CSC\winlogon.exe	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe
2416	schtasks.exe
1968	schtasks.exe
2768	schtasks.exe
1508	schtasks.exe
2168	schtasks.exe
784	schtasks.exe
3008	schtasks.exe
2932	schtasks.exe
1900	schtasks.exe
2236	schtasks.exe
2260	schtasks.exe
600	schtasks.exe
1644	schtasks.exe
444	schtasks.exe
956	schtasks.exe
2552	schtasks.exe
2608	schtasks.exe
2884	schtasks.exe
2152	schtasks.exe
2196	schtasks.exe
2144	schtasks.exe
2156	schtasks.exe
1736	schtasks.exe
1860	schtasks.exe
2092	schtasks.exe
2044	schtasks.exe
1448	schtasks.exe
2732	schtasks.exe
1252	schtasks.exe
2536	schtasks.exe
576	schtasks.exe
2104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
1424	powershell.exe
1132	powershell.exe
1436	powershell.exe
1992	powershell.exe
904	powershell.exe
2248	powershell.exe
1576	powershell.exe
2060	powershell.exe
2036	powershell.exe
1020	powershell.exe
2644	powershell.exe
1856	powershell.exe
2552	dwm.exe
1848	dwm.exe
2012	dwm.exe
2872	dwm.exe
2592	dwm.exe
2020	dwm.exe
900	dwm.exe
3012	dwm.exe
2620	dwm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2552	dwm.exe
Token: SeDebugPrivilege	1848	dwm.exe
Token: SeDebugPrivilege	2012	dwm.exe
Token: SeDebugPrivilege	2872	dwm.exe
Token: SeDebugPrivilege	2592	dwm.exe
Token: SeDebugPrivilege	2020	dwm.exe
Token: SeDebugPrivilege	900	dwm.exe
Token: SeDebugPrivilege	3012	dwm.exe
Token: SeDebugPrivilege	2620	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1856	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	65
PID 2112 wrote to memory of 1856	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	65
PID 2112 wrote to memory of 1856	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	65
PID 2112 wrote to memory of 1576	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	66
PID 2112 wrote to memory of 1576	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	66
PID 2112 wrote to memory of 1576	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	66
PID 2112 wrote to memory of 1132	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	67
PID 2112 wrote to memory of 1132	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	67
PID 2112 wrote to memory of 1132	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	67
PID 2112 wrote to memory of 2248	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	68
PID 2112 wrote to memory of 2248	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	68
PID 2112 wrote to memory of 2248	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	68
PID 2112 wrote to memory of 1020	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	69
PID 2112 wrote to memory of 1020	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	69
PID 2112 wrote to memory of 1020	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	69
PID 2112 wrote to memory of 1992	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	70
PID 2112 wrote to memory of 1992	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	70
PID 2112 wrote to memory of 1992	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	70
PID 2112 wrote to memory of 1424	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	71
PID 2112 wrote to memory of 1424	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	71
PID 2112 wrote to memory of 1424	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	71
PID 2112 wrote to memory of 904	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	72
PID 2112 wrote to memory of 904	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	72
PID 2112 wrote to memory of 904	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	72
PID 2112 wrote to memory of 2644	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	73
PID 2112 wrote to memory of 2644	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	73
PID 2112 wrote to memory of 2644	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	73
PID 2112 wrote to memory of 2036	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	74
PID 2112 wrote to memory of 2036	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	74
PID 2112 wrote to memory of 2036	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	74
PID 2112 wrote to memory of 1436	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	75
PID 2112 wrote to memory of 1436	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	75
PID 2112 wrote to memory of 1436	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	75
PID 2112 wrote to memory of 2060	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	76
PID 2112 wrote to memory of 2060	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	76
PID 2112 wrote to memory of 2060	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	76
PID 2112 wrote to memory of 2552	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	89
PID 2112 wrote to memory of 2552	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	89
PID 2112 wrote to memory of 2552	2112	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe	89
PID 2552 wrote to memory of 2272	2552	dwm.exe	90
PID 2552 wrote to memory of 2272	2552	dwm.exe	90
PID 2552 wrote to memory of 2272	2552	dwm.exe	90
PID 2552 wrote to memory of 660	2552	dwm.exe	91
PID 2552 wrote to memory of 660	2552	dwm.exe	91
PID 2552 wrote to memory of 660	2552	dwm.exe	91
PID 2272 wrote to memory of 1848	2272	WScript.exe	92
PID 2272 wrote to memory of 1848	2272	WScript.exe	92
PID 2272 wrote to memory of 1848	2272	WScript.exe	92
PID 1848 wrote to memory of 320	1848	dwm.exe	93
PID 1848 wrote to memory of 320	1848	dwm.exe	93
PID 1848 wrote to memory of 320	1848	dwm.exe	93
PID 1848 wrote to memory of 640	1848	dwm.exe	94
PID 1848 wrote to memory of 640	1848	dwm.exe	94
PID 1848 wrote to memory of 640	1848	dwm.exe	94
PID 320 wrote to memory of 2012	320	WScript.exe	95
PID 320 wrote to memory of 2012	320	WScript.exe	95
PID 320 wrote to memory of 2012	320	WScript.exe	95
PID 2012 wrote to memory of 1632	2012	dwm.exe	96
PID 2012 wrote to memory of 1632	2012	dwm.exe	96
PID 2012 wrote to memory of 1632	2012	dwm.exe	96
PID 2012 wrote to memory of 2368	2012	dwm.exe	97
PID 2012 wrote to memory of 2368	2012	dwm.exe	97
PID 2012 wrote to memory of 2368	2012	dwm.exe	97
PID 1632 wrote to memory of 2872	1632	WScript.exe	98

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe
"C:\Users\Admin\AppData\Local\Temp\9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Program Files\Windows Sidebar\dwm.exe
  "C:\Program Files\Windows Sidebar\dwm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2552
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e03a7bee-7ae3-4cb5-bda8-559bdc782dbc.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Program Files\Windows Sidebar\dwm.exe
      "C:\Program Files\Windows Sidebar\dwm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1848
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b639ff7d-fa45-494e-8bd1-b5a50cb6cc06.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Program Files\Windows Sidebar\dwm.exe
        
        "C:\Program Files\Windows Sidebar\dwm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\644e14f1-5f6c-4de4-a2cf-a2f2bb5882c8.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Program Files\Windows Sidebar\dwm.exe
        
        "C:\Program Files\Windows Sidebar\dwm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e760b04-10a0-4cd0-bc73-814ee45e2517.vbs"
        9⤵
        
        PID:700
        
        C:\Program Files\Windows Sidebar\dwm.exe
        
        "C:\Program Files\Windows Sidebar\dwm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fbaa70f-3f7b-4036-b035-e27fa77e7025.vbs"
        11⤵
        
        PID:2924
        
        C:\Program Files\Windows Sidebar\dwm.exe
        
        "C:\Program Files\Windows Sidebar\dwm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\730ff372-9c92-4076-aafd-851c0ef5d101.vbs"
        13⤵
        
        PID:1420
        
        C:\Program Files\Windows Sidebar\dwm.exe
        
        "C:\Program Files\Windows Sidebar\dwm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11070305-f913-416e-aaba-0b5a9584ec97.vbs"
        15⤵
        
        PID:2928
        
        C:\Program Files\Windows Sidebar\dwm.exe
        
        "C:\Program Files\Windows Sidebar\dwm.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1e0e7a5-3ac6-4f10-ac34-74520a3e1ea5.vbs"
        17⤵
        
        PID:1632
        
        C:\Program Files\Windows Sidebar\dwm.exe
        
        "C:\Program Files\Windows Sidebar\dwm.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70d89475-e389-4725-8d76-31a601c05079.vbs"
        19⤵
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c614f858-380c-4dc3-8bd3-39e3fa5cbe97.vbs"
        19⤵
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67d4201a-80cc-4ba8-bee9-382bc4d2697b.vbs"
        17⤵
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a99da6d0-48cf-4b2f-b964-5cd5358fe652.vbs"
        15⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d97b0e76-dd7a-4c0c-b41b-84aca958340f.vbs"
        13⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d84e37d-b88c-4626-8cc7-af7dcfc5da29.vbs"
        11⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\168ba69e-a5b4-4162-a90d-291205b21cb4.vbs"
        9⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fc4a99a-ab64-40b4-86d5-6b2cdfea7444.vbs"
        7⤵
        
        PID:2368
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e875494-8964-409b-956e-b1007d18e4df.vbs"
        5⤵
        
        PID:640
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e3f7d5e-3b4a-4a6c-b8f7-52f2563615f9.vbs"
    3⤵
    PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\CSC\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\CSC\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\CSC\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe

Filesize
4.9MB

MD5
809714227b07a307d5fbe38348fcb0e1

SHA1
0b2a5aafd1d90b42eac4ae4311940170c200e5bd

SHA256
82c2c2646bc931a69fa7b406968c170beeb8ad85db7a1792c6284b9bf6941804

SHA512
b4e6ba96bfefb615b5ef31d6a0b658df00983df381bf74c678fc01675d91e4f50405cbd49cd91a9e315e01fbe5d6f5a3b0071128cb51c14ed06d9a075d48cb2a

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe

Filesize
4.9MB

MD5
1104e32eb6157e6798d194f9a6d29e90

SHA1
178fca5fa8a5b0977c812bd58bd8912393f33591

SHA256
9cdd1eac65b15a8e517f52b07c095ea7de43469b77943c4f57f20dfdaf0e05b9

SHA512
184de1c9150cea1ead9be483b46d80a6053d81760884ed935b7a9ef657c3286034a78b55ade810f5da9817e78516140356d401cbc68ba442ee13fabd44d9a35f

Download Submit
C:\Program Files\Windows Sidebar\dwm.exe

Filesize
4.9MB

MD5
d2a2026bcc6b5a4534de1aed97c66383

SHA1
d9b91084499e6a71ddfe3010a67882d16e5ba9ad

SHA256
cdbe78e5ebb5d0cc43df04b22f427dc172f1efbd7c978b0f4b8968365c6aa2e9

SHA512
db6e7a6c33f8ed43b56c15eea97cc831662305042070fdf8b2f4f70613d95a6452310cee11286cfcddeb0fd0331fad91b8642bcfe81101da28eefe048f522271

Download Submit
C:\Users\Admin\AppData\Local\Temp\11070305-f913-416e-aaba-0b5a9584ec97.vbs

Filesize
715B

MD5
964c9a3b19315e14281af0b463d7216b

SHA1
11fc2a306bf95d2fbd77753e182771fc70dce5e6

SHA256
30707a662ca5658f0b5f5a1385170369972ea25653b87e98be69ee9f37f3e8a8

SHA512
cad720e43661ed619a92357f15b5564f692fe96e0ca652ae1952b66fd7d55e27478e835c0b9a70446853d0c335438a67728e5bc3399e55654151e739b70af2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fbaa70f-3f7b-4036-b035-e27fa77e7025.vbs

Filesize
716B

MD5
42ada6ed2a7ad7898a2529777e84c842

SHA1
d6d4efd5e3083d8d94545d6ad6f2275da0cd6123

SHA256
8b79e4ac3289bbe6bcd02036f29c63ec4a8944088b402e99731a588f9b04a12f

SHA512
0257999b985bf646ff98a8b011f027f38bbe4e3e08f114151a2d1c104d83f431dd1057d8650af48ecae629b6a61ef9c83463b3d45ac49f05e0e99b2b41ad6269

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e760b04-10a0-4cd0-bc73-814ee45e2517.vbs

Filesize
716B

MD5
4b5829658b87419eeef818be35c7945a

SHA1
4c7ffda7c50b7ae6965f7c8795eadd2cd8fb095b

SHA256
31ab376131886f7c6b5acedcf8e895af226015efbd89308e8af95b0daf6d88db

SHA512
84c647030c583b2d705658e3e1eabd7467bf0b4b6cde035084ceae0fcfbabdb5974198b7c39cbcdbac85c936b84b1f825c10cff67144adc241187f9770f7e6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e3f7d5e-3b4a-4a6c-b8f7-52f2563615f9.vbs

Filesize
492B

MD5
663a36fc75d6cdbf68dae6a837cf7167

SHA1
e36de17a475339e5c54170a8f9636f6be8a6f735

SHA256
bd209c7e9cefe46041280f1e779d130287a1ab9ad66f0ca22f0ca4146464d3e4

SHA512
e6c38faaf35396c571ecdd55e64cd2cc02f7bbcd372519af86bd2fc0a9c0590ed8c4a1cddb42e15f712157f9346ee5c4ce941ea634570b9581ddd3c00feb7d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\644e14f1-5f6c-4de4-a2cf-a2f2bb5882c8.vbs

Filesize
716B

MD5
75177285606e4c06a275debe85df4c93

SHA1
768027095c07f151985e42959ea286d469441c87

SHA256
0b9c02625c4bfb4c3cc714dc8da67b2f017d9757d3c908d55879aad672691048

SHA512
341246c58edf28aa35803f4e4270fc83372c65224aa4b57a59f5bf9c8f1f4d4f999bc0d43de4cea1cead96c77072d4f6c6bd0e09995f34b16ee2c5464bf9880e

Download Submit
C:\Users\Admin\AppData\Local\Temp\70d89475-e389-4725-8d76-31a601c05079.vbs

Filesize
716B

MD5
f52460dceb8420cd712a10e0f91354a6

SHA1
c3963d34152c8f0b5a1f64c2246e9a45d824b02c

SHA256
022a55c2e3a74a3a9e601ae87698bf9fc0c0d5414fe62a5ea5b21fe125c0a679

SHA512
1525827fa771a069055dd68170a05b88f2fca13044c4b96a8cd6cf4b6e339eeba0532e52e597cda23b901b599f05b90c37e6daca2cd2835ca4d597aa9c5528f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\730ff372-9c92-4076-aafd-851c0ef5d101.vbs

Filesize
716B

MD5
44cb3940c7822ede882aff590bf41451

SHA1
302da8cca3a360646313e0a7c5ae3ebe4405dbf2

SHA256
81179272ae19bcc8f9ce61461b57f7c448e4449491fa50e9995674c79742ad8f

SHA512
4b3192589268f1c44f271d1f0a9807467f0bf768343b4bcd3b68d1f3ddf88009de002bf0235de9d1ad3e1f35453a94235294de0022a9bdb55d6fc6e351478f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\a940f8f375994a9f03dfb89e46df162bce50b524.exe

Filesize
4.9MB

MD5
b736e3c7b41afa1e0b7e738328b5ad37

SHA1
538d597bb18d4600f52fe0e71f6dbfc99c4e3ee0

SHA256
b6f3b647fee7ed568a186e323831e0548ff298122a24dde21decee6d71e485ac

SHA512
18f9dd59541bc79f12179929df60c758ae9c9c529685c3ad5aa424c0cf677bf3ee114ada33c8eaf132b3877ce20d93a24f536750019424846fc04c28ff3060df

Download Submit
C:\Users\Admin\AppData\Local\Temp\b639ff7d-fa45-494e-8bd1-b5a50cb6cc06.vbs

Filesize
716B

MD5
8d6f353cf253aa8952d66cc2dd4df5b3

SHA1
b1f86e3551eea5a98adef617653564b6fdae9e84

SHA256
951e9d62d7caadab2908f575d48b3879cca1cc4f104dc6636791f56a6d755fa9

SHA512
b029d941a303dbfd210548b130a187ac6692b5a07c44d8ea87daf17beb604c987a8e1ff59b7dd192afc3240784cee2a1774ab5b0210af20eb8372b8951d10af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e03a7bee-7ae3-4cb5-bda8-559bdc782dbc.vbs

Filesize
716B

MD5
0171a52fe63adc06f41fcef305b875a9

SHA1
95359800b16a22c6ff02704cae826f79ddf8b227

SHA256
c327a7b79f631aef5e1295fbeadef3c9eb05ab617ef5519787a4fd106d111ab8

SHA512
d19f66228f5bfd4c5882e5eb89d5f07734a383320c3b275529592fbd66956e887865545715138c94a88ae855a9fb534ce0b011b022da93b4bfd6f22ba3c51797

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1e0e7a5-3ac6-4f10-ac34-74520a3e1ea5.vbs

Filesize
716B

MD5
eeadecd5ae7b828db2eb76d0ac34345b

SHA1
59787e9fbb99b7f14023a47afd1fa507da08c335

SHA256
e4209bfb21bd7c6043706ebe49842aa2fee92ca11dd8f3fc61293ae6fd1828de

SHA512
0eeddb45d59216b8f3d1d5a5ef94a2c337c1af876677e9dfda899de4bcbbd7d75ab86b17c7ade1a4f8d22500f64ed33f2d3390790988eb9e54e588d78f9fb128

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B2E.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
25c2804bdcb19b53a6c3cf19bff528ab

SHA1
85a9f5beee398a7f335726b2c51dbbe66c721579

SHA256
d579996b27322ba514e480e9dbf91b0b131fd45318ea5bd0c7192186721e21a4

SHA512
93179439a106ee11246c6c3c79c778d19ce5f23f86f32554a7aee309d15ac7f80de7de2bb68f2b75f5a0c8ff7dcc2fd0b99a5722d369a86500b92a556745d4db

Download Submit
memory/900-274-0x0000000000200000-0x00000000006F4000-memory.dmp

Filesize
5.0MB

Download
memory/1132-136-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/1424-130-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2012-214-0x0000000000320000-0x0000000000814000-memory.dmp

Filesize
5.0MB

Download
memory/2012-215-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2112-11-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/2112-9-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/2112-1-0x00000000011C0000-0x00000000016B4000-memory.dmp

Filesize
5.0MB

Download
memory/2112-184-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-2-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-15-0x0000000001000000-0x0000000001008000-memory.dmp

Filesize
32KB

Download
memory/2112-14-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/2112-13-0x0000000000FE0000-0x0000000000FEE000-memory.dmp

Filesize
56KB

Download
memory/2112-12-0x0000000000FD0000-0x0000000000FDE000-memory.dmp

Filesize
56KB

Download
memory/2112-0-0x000007FEF6623000-0x000007FEF6624000-memory.dmp

Filesize
4KB

Download
memory/2112-10-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/2112-16-0x0000000001010000-0x000000000101C000-memory.dmp

Filesize
48KB

Download
memory/2112-3-0x000000001B270000-0x000000001B39E000-memory.dmp

Filesize
1.2MB

Download
memory/2112-8-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2112-4-0x0000000000600000-0x000000000061C000-memory.dmp

Filesize
112KB

Download
memory/2112-7-0x0000000000BA0000-0x0000000000BB6000-memory.dmp

Filesize
88KB

Download
memory/2112-6-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/2112-5-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/2552-186-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/2552-159-0x0000000001390000-0x0000000001884000-memory.dmp

Filesize
5.0MB

Download
memory/2592-245-0x0000000001300000-0x00000000017F4000-memory.dmp

Filesize
5.0MB

Download
memory/2620-304-0x00000000000A0000-0x0000000000594000-memory.dmp

Filesize
5.0MB

Download
memory/2872-230-0x0000000000D10000-0x0000000001204000-memory.dmp

Filesize
5.0MB

Download
memory/3012-289-0x0000000000100000-0x00000000005F4000-memory.dmp

Filesize
5.0MB

Download