dcrat | 67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Size

4.9MB
MD5

a87a3e93eb8f7ee1a70c9b6204930910
SHA1

d5540d781ad24f6ebd68773fc6581a519d8c44a9
SHA256

67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227
SHA512

d8c2ea8d31db9e5f96113057fd1a43d042ca7988081c8f31ba69aef10af91098eaaa6837504c91886452dba5f4c94ba9d6054375b6044409b1ccc1b74907e19d
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2544	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2544	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2688-3-0x000000001BBA0000-0x000000001BCCE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1928	powershell.exe
2032	powershell.exe
2592	powershell.exe
784	powershell.exe
1028	powershell.exe
2436	powershell.exe
2244	powershell.exe
2416	powershell.exe
2292	powershell.exe
1204	powershell.exe
2432	powershell.exe
1548	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
264	WmiPrvSE.exe
1948	WmiPrvSE.exe
1036	WmiPrvSE.exe
2344	WmiPrvSE.exe
1976	WmiPrvSE.exe
1512	WmiPrvSE.exe
2240	WmiPrvSE.exe
2720	WmiPrvSE.exe
2460	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\fr-FR\explorer.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX1937.tmp	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\smss.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Program Files\Windows Defender\fr-FR\explorer.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Program Files\Windows Defender\fr-FR\7a0fd90576e088	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Program Files\7-Zip\Lang\smss.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Program Files\7-Zip\Lang\69ddcba757bf72	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX6E6.tmp	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\RCXFA1.tmp	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Windows\Downloaded Program Files\WmiPrvSE.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX1222.tmp	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\csrss.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Windows\Downloaded Program Files\WmiPrvSE.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Windows\Downloaded Program Files\24dbde2999530e	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Windows\Performance\WinSAT\DataStore\csrss.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Windows\Performance\WinSAT\DataStore\886983d96e3d3e	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2964	schtasks.exe
2012	schtasks.exe
492	schtasks.exe
916	schtasks.exe
2672	schtasks.exe
2056	schtasks.exe
2496	schtasks.exe
2004	schtasks.exe
2400	schtasks.exe
1828	schtasks.exe
2812	schtasks.exe
1060	schtasks.exe
1416	schtasks.exe
864	schtasks.exe
2552	schtasks.exe
704	schtasks.exe
2808	schtasks.exe
2840	schtasks.exe
3068	schtasks.exe
2992	schtasks.exe
2760	schtasks.exe
2976	schtasks.exe
1500	schtasks.exe
2232	schtasks.exe
2488	schtasks.exe
532	schtasks.exe
2492	schtasks.exe
2036	schtasks.exe
1392	schtasks.exe
2196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
2432	powershell.exe
1548	powershell.exe
2244	powershell.exe
2436	powershell.exe
264	WmiPrvSE.exe
1204	powershell.exe
2032	powershell.exe
1028	powershell.exe
784	powershell.exe
2292	powershell.exe
2416	powershell.exe
1928	powershell.exe
2592	powershell.exe
1948	WmiPrvSE.exe
1036	WmiPrvSE.exe
2344	WmiPrvSE.exe
1976	WmiPrvSE.exe
1512	WmiPrvSE.exe
2240	WmiPrvSE.exe
2720	WmiPrvSE.exe
2460	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Token: SeDebugPrivilege	264	WmiPrvSE.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1948	WmiPrvSE.exe
Token: SeDebugPrivilege	1036	WmiPrvSE.exe
Token: SeDebugPrivilege	2344	WmiPrvSE.exe
Token: SeDebugPrivilege	1976	WmiPrvSE.exe
Token: SeDebugPrivilege	1512	WmiPrvSE.exe
Token: SeDebugPrivilege	2240	WmiPrvSE.exe
Token: SeDebugPrivilege	2720	WmiPrvSE.exe
Token: SeDebugPrivilege	2460	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 1028	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	61
PID 2688 wrote to memory of 1028	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	61
PID 2688 wrote to memory of 1028	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	61
PID 2688 wrote to memory of 1548	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	62
PID 2688 wrote to memory of 1548	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	62
PID 2688 wrote to memory of 1548	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	62
PID 2688 wrote to memory of 2432	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	64
PID 2688 wrote to memory of 2432	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	64
PID 2688 wrote to memory of 2432	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	64
PID 2688 wrote to memory of 784	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	65
PID 2688 wrote to memory of 784	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	65
PID 2688 wrote to memory of 784	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	65
PID 2688 wrote to memory of 2592	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	67
PID 2688 wrote to memory of 2592	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	67
PID 2688 wrote to memory of 2592	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	67
PID 2688 wrote to memory of 1204	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	69
PID 2688 wrote to memory of 1204	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	69
PID 2688 wrote to memory of 1204	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	69
PID 2688 wrote to memory of 2436	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	70
PID 2688 wrote to memory of 2436	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	70
PID 2688 wrote to memory of 2436	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	70
PID 2688 wrote to memory of 1928	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	71
PID 2688 wrote to memory of 1928	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	71
PID 2688 wrote to memory of 1928	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	71
PID 2688 wrote to memory of 2244	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	72
PID 2688 wrote to memory of 2244	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	72
PID 2688 wrote to memory of 2244	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	72
PID 2688 wrote to memory of 2416	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	73
PID 2688 wrote to memory of 2416	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	73
PID 2688 wrote to memory of 2416	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	73
PID 2688 wrote to memory of 2032	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	74
PID 2688 wrote to memory of 2032	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	74
PID 2688 wrote to memory of 2032	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	74
PID 2688 wrote to memory of 2292	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	75
PID 2688 wrote to memory of 2292	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	75
PID 2688 wrote to memory of 2292	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	75
PID 2688 wrote to memory of 264	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	85
PID 2688 wrote to memory of 264	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	85
PID 2688 wrote to memory of 264	2688	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	85
PID 264 wrote to memory of 2280	264	WmiPrvSE.exe	86
PID 264 wrote to memory of 2280	264	WmiPrvSE.exe	86
PID 264 wrote to memory of 2280	264	WmiPrvSE.exe	86
PID 264 wrote to memory of 564	264	WmiPrvSE.exe	87
PID 264 wrote to memory of 564	264	WmiPrvSE.exe	87
PID 264 wrote to memory of 564	264	WmiPrvSE.exe	87
PID 2280 wrote to memory of 1948	2280	WScript.exe	88
PID 2280 wrote to memory of 1948	2280	WScript.exe	88
PID 2280 wrote to memory of 1948	2280	WScript.exe	88
PID 1948 wrote to memory of 1964	1948	WmiPrvSE.exe	89
PID 1948 wrote to memory of 1964	1948	WmiPrvSE.exe	89
PID 1948 wrote to memory of 1964	1948	WmiPrvSE.exe	89
PID 1948 wrote to memory of 1960	1948	WmiPrvSE.exe	90
PID 1948 wrote to memory of 1960	1948	WmiPrvSE.exe	90
PID 1948 wrote to memory of 1960	1948	WmiPrvSE.exe	90
PID 1964 wrote to memory of 1036	1964	WScript.exe	91
PID 1964 wrote to memory of 1036	1964	WScript.exe	91
PID 1964 wrote to memory of 1036	1964	WScript.exe	91
PID 1036 wrote to memory of 1700	1036	WmiPrvSE.exe	92
PID 1036 wrote to memory of 1700	1036	WmiPrvSE.exe	92
PID 1036 wrote to memory of 1700	1036	WmiPrvSE.exe	92
PID 1036 wrote to memory of 2788	1036	WmiPrvSE.exe	93
PID 1036 wrote to memory of 2788	1036	WmiPrvSE.exe	93
PID 1036 wrote to memory of 2788	1036	WmiPrvSE.exe	93
PID 1700 wrote to memory of 2344	1700	WScript.exe	94

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
"C:\Users\Admin\AppData\Local\Temp\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\Downloaded Program Files\WmiPrvSE.exe
  "C:\Windows\Downloaded Program Files\WmiPrvSE.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:264
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73fd11fa-adad-4f8e-98a3-50acd3654439.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\Downloaded Program Files\WmiPrvSE.exe
      "C:\Windows\Downloaded Program Files\WmiPrvSE.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1948
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d8738a9-aed9-4fe2-8b1a-9f21de8f4fc1.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\Downloaded Program Files\WmiPrvSE.exe
        
        "C:\Windows\Downloaded Program Files\WmiPrvSE.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acb178a8-125f-474e-8f3a-b8da5e878d4b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\Downloaded Program Files\WmiPrvSE.exe
        
        "C:\Windows\Downloaded Program Files\WmiPrvSE.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f708a09-b399-4ce1-a3e0-e34f7a275dd6.vbs"
        9⤵
        
        PID:1560
        
        C:\Windows\Downloaded Program Files\WmiPrvSE.exe
        
        "C:\Windows\Downloaded Program Files\WmiPrvSE.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45c9f062-f5ae-4623-afa4-1779caefc92c.vbs"
        11⤵
        
        PID:840
        
        C:\Windows\Downloaded Program Files\WmiPrvSE.exe
        
        "C:\Windows\Downloaded Program Files\WmiPrvSE.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69568675-3da2-43ce-b7db-a9f5f9beaa2d.vbs"
        13⤵
        
        PID:2388
        
        C:\Windows\Downloaded Program Files\WmiPrvSE.exe
        
        "C:\Windows\Downloaded Program Files\WmiPrvSE.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\955ce225-430d-4bad-81c9-413fed2362e9.vbs"
        15⤵
        
        PID:1684
        
        C:\Windows\Downloaded Program Files\WmiPrvSE.exe
        
        "C:\Windows\Downloaded Program Files\WmiPrvSE.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e670c215-5d6e-467a-9755-1f94b884f60b.vbs"
        17⤵
        
        PID:1648
        
        C:\Windows\Downloaded Program Files\WmiPrvSE.exe
        
        "C:\Windows\Downloaded Program Files\WmiPrvSE.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e3f348c-39f4-4326-8df2-3018e7560ba1.vbs"
        19⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae65c879-80de-4559-8f6d-254f75fb0e00.vbs"
        19⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2edc6d54-6437-4bb5-81df-eec72fe86886.vbs"
        17⤵
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f330b775-d506-45d4-956b-b1e206ed9cce.vbs"
        15⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75088d9b-6c6b-4f57-96fc-632d047a1bc1.vbs"
        13⤵
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cb175e8-73a0-4dd0-8c09-5df8c3bae5d1.vbs"
        11⤵
        
        PID:1344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33fbad09-7093-427f-85bf-e68cf8013c27.vbs"
        9⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39b1dec5-7768-4019-af74-fc5cdb3fe4c1.vbs"
        7⤵
        
        PID:2788
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db199ed0-be0b-4ad4-96a6-cfd881ef7f9a.vbs"
        5⤵
        
        PID:1960
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0edd76d-b254-4d75-b03f-5ea2f4883ecc.vbs"
    3⤵
    PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Music\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N6" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N6" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N6" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N6" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe

Filesize
4.9MB

MD5
a87a3e93eb8f7ee1a70c9b6204930910

SHA1
d5540d781ad24f6ebd68773fc6581a519d8c44a9

SHA256
67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227

SHA512
d8c2ea8d31db9e5f96113057fd1a43d042ca7988081c8f31ba69aef10af91098eaaa6837504c91886452dba5f4c94ba9d6054375b6044409b1ccc1b74907e19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e5b2fa84a2497a5b430844da60a911465139fb2.exe

Filesize
4.9MB

MD5
97a731ef2f694ba0b5f4e0a1baf1722b

SHA1
f0213af00f0db1579bf4fd4088c15ef6b6c9051c

SHA256
ff3c159f98cc45dd5c03686d9b241286ea2e0885fca7180ea4f08ae0b9a3f82d

SHA512
abb010efd676b5a6f0a9c200fd5f32113ef8891e6c0c43141984eaa0666ca7e0f93fed1c4c6e234ceabd72a1f7073907dc61d378308cde20458386f8f7270f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\45c9f062-f5ae-4623-afa4-1779caefc92c.vbs

Filesize
724B

MD5
a322869af92eadf31b3c979612a9bb02

SHA1
f7e56396b6f7e3a83725539b6c278b5dea5cb5ce

SHA256
69e6cedef63ca283aefdfae38f79bb2bd0c06c56af85c55e80014158986c811b

SHA512
ce4398f9a7bf3b98a4ce9d27137adb48ff1e8185b0bf2e6f7832809577a8a6e09d6c62ccba4bd5750d35668f9b4acea83b29f3195030d90912e543f20dc7daf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e3f348c-39f4-4326-8df2-3018e7560ba1.vbs

Filesize
724B

MD5
b326186d6eb54ac0a86857ad1b249b29

SHA1
996ff8dd7360e3a0003b916211d68b8014a9d14e

SHA256
d18dbd897ee58af33d02ed5ff6319c1a68e6e75408e5c43884076c07dd8154a2

SHA512
193fceeb30dc49c0c4047a371fc19a7798c7897184a8b1ee4ef0630ae33da4465aef001c13c96e2304c4d23ae39028be7450e10f406f0ea6a35edd643f1bd5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f708a09-b399-4ce1-a3e0-e34f7a275dd6.vbs

Filesize
724B

MD5
9ccab30f762ca902d0c78ed6fadad7f7

SHA1
0dfb5974e8ed2b52c82d3b6651d16018bda378d8

SHA256
1247b3f6bd53894ec2c4b147964a656e5133026a4282a45a4038c16d37f387fd

SHA512
f0816d5db7079be75d6e42f7f2035e7d9e874f5eb35ab5a007966649e1fcf5edca0bc4ab5044de1844e2437f7b67c0bcebf314a33301b863bdf12a4e65d8ab31

Download Submit
C:\Users\Admin\AppData\Local\Temp\69568675-3da2-43ce-b7db-a9f5f9beaa2d.vbs

Filesize
724B

MD5
4d2ef240aaa49816bd3bbca1819eb38f

SHA1
9154e993eff255b6cdd0b8c21124d73def4d2306

SHA256
0870faeb2650792eedaae294d19bf94bfe7c0ff524b3b277d8aeb267083e1333

SHA512
50d34739ad9c5d645ee765a5e789d29b37bd80717c83d96990d5a3197d3c026f2b76e5a6fa078c8c368ed0920969e0ba9587fc218bc494ee7f6c3d1fa0b792b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\73fd11fa-adad-4f8e-98a3-50acd3654439.vbs

Filesize
723B

MD5
e107358e98f544f0b3ad62be19d42c1f

SHA1
22a191cb769f99c325210e445221683516c342cc

SHA256
d65ced5bf43df5297b8f7b43c38dad1e497509c9cfd579d61caf735be38adfce

SHA512
9cd87b05f7eb5d7e7e1ee728d118a3215cc2886c1f9af4955e191856263c19eece7fa8f393577acd00ac4b0a423fffb814bbf42669feafded7dc62175788ee3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\955ce225-430d-4bad-81c9-413fed2362e9.vbs

Filesize
724B

MD5
bdefca81b9305bda93abb36be748d121

SHA1
67992f3526e032897b409f6f8564511ca39ff6d4

SHA256
5921b68b63198d50014e2bf5d193c55412a6d5c00905cc0384d4e0abe490bcb2

SHA512
8001092a0da1d86072ae2eb8aa3c1e597618746369ab26c4bf0028a339308863c13754afac791e57504cde27f4bab8c2f63d15fa54533e4602a025ddda02c3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d8738a9-aed9-4fe2-8b1a-9f21de8f4fc1.vbs

Filesize
724B

MD5
17395feebf296ab7154d0fdbae42d633

SHA1
e9949e837bddaf9c06b2886fd9035159e38f4811

SHA256
334676e928b50286a577db2bcc7484a2a5e5f8d562f96135a453aa905892dd20

SHA512
5bcf6cbf9967271a9c2eb12dbc39d4900954dfd2a47e7e6b6f7eff22993642bafd691785829c646aed9d3bd7e818099c11bb3b5ec070b7542d16961646ee80cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0edd76d-b254-4d75-b03f-5ea2f4883ecc.vbs

Filesize
500B

MD5
4581c7147fb9976127b797f61404a8cd

SHA1
4d31dc36b0db47ba8833500c477bcc5bd8adfd6a

SHA256
cf61aa3f3160b1c4da3df7688a35ff25ebf4786f253aef24723034ab2b4a60c1

SHA512
ecb204ac1289c4d0da940c646fe33c2b48e1849dd264223f1f976335a8b4b9fdd268f935c5f9553f6c7dd501ac60632c55a17d149253824edd1bbedaaff01646

Download Submit
C:\Users\Admin\AppData\Local\Temp\acb178a8-125f-474e-8f3a-b8da5e878d4b.vbs

Filesize
724B

MD5
eacc00ba88c1ac29fb0a83b07374cf70

SHA1
58143bbc555f32b04fd25daef409ed344f03c500

SHA256
fa44867b7d21b88b7a3d23d131be6444f6c54a3d79c7298476ec708aa01b6e75

SHA512
5fec83717c277348efa491c03cff26513d02591cf04b6f3a4e39ac6d741ceaa5978c0342f9eeea14d230ec28a9beaf7f0512f7838579f4ccaf3221b8385144e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e670c215-5d6e-467a-9755-1f94b884f60b.vbs

Filesize
724B

MD5
6e16ccdc39cb9e5dd270e83e987cdde3

SHA1
7d2f1e56132488b7624520d9c70c7f8ea4bc6023

SHA256
2de0b99de652eef3101b3d7765eecdc5e7bda77452e4e6cf131b1beac331f045

SHA512
1a03f2005888f565e7ae87b5c863b1cb213be9e432c9f0be649ecd28eb8b43eb1c5b4e6298965f330b9fea92bc870c37bb9fcda9378405dcf6e3776e3dca3419

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A3C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
319234c7ffe312bad4ec932ddc2ab8b5

SHA1
5cd95f19524ee9f969ae7b559b455dddc0f441db

SHA256
050e560fa63e4f090163340f8269d853db952e41affb51f02d12fd09289f2d0d

SHA512
b31f9fa72704e7d9098fd7bade8006ac653547118371f4ace239fef23b767814e516f76977a48083fb785718a620295741de220e428202bc2d587ca0237743d6

Download Submit
C:\Windows\Downloaded Program Files\WmiPrvSE.exe

Filesize
4.9MB

MD5
42c99fbaf8f4ae290c94d1717ea105cf

SHA1
b2785d6526feceff7ac242c0df8593552d7c3ca0

SHA256
20a37e930c03671a837b5e182695328d35fb5bfe4fc034e43c7551123dab26fb

SHA512
70224ef85534aee4da6aecf5b936a571ea36f3f513da87a8d787928267ebef1d0ee14498e209f4997ee192fd9aa5ebb2698e242312b7e211ea2576c0f7c93e94

Download Submit
memory/264-170-0x0000000001040000-0x0000000001534000-memory.dmp

Filesize
5.0MB

Download
memory/1036-200-0x00000000000E0000-0x00000000005D4000-memory.dmp

Filesize
5.0MB

Download
memory/1036-201-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2240-259-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/2244-167-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2244-172-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2344-216-0x0000000001310000-0x0000000001804000-memory.dmp

Filesize
5.0MB

Download
memory/2688-9-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2688-7-0x0000000000660000-0x0000000000676000-memory.dmp

Filesize
88KB

Download
memory/2688-15-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2688-14-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/2688-13-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/2688-12-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/2688-11-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/2688-10-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2688-0-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

Filesize
4KB

Download
memory/2688-16-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/2688-171-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-8-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2688-6-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2688-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2688-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2688-3-0x000000001BBA0000-0x000000001BCCE000-memory.dmp

Filesize
1.2MB

Download
memory/2688-1-0x0000000001000000-0x00000000014F4000-memory.dmp

Filesize
5.0MB

Download
memory/2688-2-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-275-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/2720-274-0x0000000001390000-0x0000000001884000-memory.dmp

Filesize
5.0MB

Download