dcrat | aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6

Analysis

max time kernel
119s
max time network
116s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
Size

2.9MB
MD5

c417e0907ae7dc4abf1909739e415470
SHA1

0c03481d34a1d4c48ab816395b180c741033b9f8
SHA256

aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6
SHA512

4c766dcc28ff26e9523bc349ca23e425affe171a76969b7a7e98d21adf4e447f77959f9aba733c5e88305146c74b52e7c360fc0ea3c50dbd8eb6a5fb3c44ab66
SSDEEP

49152:lfTBVuy0VtNUBslYt04P0GliFkO6Uo67iX0bCLuI9+E8D:l7nL0jCB6q0goyUonuI998D

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2892	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2892	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1288-1-0x0000000000A00000-0x0000000000CF2000-memory.dmp	dcrat
behavioral1/files/0x00050000000194e1-35.dat	dcrat
behavioral1/files/0x00060000000194e1-113.dat	dcrat
behavioral1/files/0x0007000000019510-124.dat	dcrat
behavioral1/files/0x000700000001952e-135.dat	dcrat
behavioral1/memory/3036-149-0x0000000000850000-0x0000000000B42000-memory.dmp	dcrat
behavioral1/memory/2616-309-0x0000000000260000-0x0000000000552000-memory.dmp	dcrat
behavioral1/memory/2804-428-0x0000000000B60000-0x0000000000E52000-memory.dmp	dcrat
behavioral1/memory/2260-665-0x0000000000F50000-0x0000000001242000-memory.dmp	dcrat
behavioral1/memory/960-902-0x0000000001380000-0x0000000001672000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
772	powershell.exe
1636	powershell.exe
2168	powershell.exe
2548	powershell.exe
2040	powershell.exe
2472	powershell.exe
2220	powershell.exe
1820	powershell.exe
2992	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
3036	lsm.exe
2616	lsm.exe
2804	lsm.exe
3016	lsm.exe
2260	lsm.exe
2028	lsm.exe
960	lsm.exe
1284	lsm.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\RCXB31C.tmp	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Theme\RCXB85D.tmp	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File opened for modification	C:\Windows\Offline Web Pages\explorer.exe	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File created	C:\Windows\Globalization\MCT\MCT-GB\Theme\Idle.exe	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File created	C:\Windows\Globalization\MCT\MCT-GB\Theme\6ccacd8608530f	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File created	C:\Windows\Offline Web Pages\7a0fd90576e088	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Theme\RCXB85E.tmp	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File opened for modification	C:\Windows\assembly\services.exe	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File created	C:\Windows\Offline Web Pages\explorer.exe	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File opened for modification	C:\Windows\assembly\RCXB31B.tmp	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Theme\Idle.exe	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File created	C:\Windows\assembly\services.exe	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File created	C:\Windows\assembly\c5b4cb5e9653cc	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXC1A8.tmp	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXC216.tmp	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2984	schtasks.exe
2920	schtasks.exe
2736	schtasks.exe
2876	schtasks.exe
708	schtasks.exe
2672	schtasks.exe
2660	schtasks.exe
2268	schtasks.exe
3060	schtasks.exe
476	schtasks.exe
332	schtasks.exe
596	schtasks.exe
816	schtasks.exe
1244	schtasks.exe
1336	schtasks.exe
2956	schtasks.exe
2740	schtasks.exe
2608	schtasks.exe
2724	schtasks.exe
2808	schtasks.exe
1188	schtasks.exe
2096	schtasks.exe
2432	schtasks.exe
2492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
1636	powershell.exe
2168	powershell.exe
1820	powershell.exe
2992	powershell.exe
2548	powershell.exe
772	powershell.exe
2472	powershell.exe
2040	powershell.exe
2220	powershell.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe
3036	lsm.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	3036	lsm.exe
Token: SeDebugPrivilege	2616	lsm.exe
Token: SeDebugPrivilege	2804	lsm.exe
Token: SeDebugPrivilege	3016	lsm.exe
Token: SeDebugPrivilege	2260	lsm.exe
Token: SeDebugPrivilege	2028	lsm.exe
Token: SeDebugPrivilege	960	lsm.exe
Token: SeDebugPrivilege	1284	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 772	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	55
PID 1288 wrote to memory of 772	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	55
PID 1288 wrote to memory of 772	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	55
PID 1288 wrote to memory of 1636	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	56
PID 1288 wrote to memory of 1636	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	56
PID 1288 wrote to memory of 1636	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	56
PID 1288 wrote to memory of 2472	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	57
PID 1288 wrote to memory of 2472	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	57
PID 1288 wrote to memory of 2472	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	57
PID 1288 wrote to memory of 2040	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	59
PID 1288 wrote to memory of 2040	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	59
PID 1288 wrote to memory of 2040	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	59
PID 1288 wrote to memory of 2548	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	62
PID 1288 wrote to memory of 2548	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	62
PID 1288 wrote to memory of 2548	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	62
PID 1288 wrote to memory of 2992	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	64
PID 1288 wrote to memory of 2992	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	64
PID 1288 wrote to memory of 2992	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	64
PID 1288 wrote to memory of 2168	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	65
PID 1288 wrote to memory of 2168	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	65
PID 1288 wrote to memory of 2168	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	65
PID 1288 wrote to memory of 1820	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	66
PID 1288 wrote to memory of 1820	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	66
PID 1288 wrote to memory of 1820	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	66
PID 1288 wrote to memory of 2220	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	67
PID 1288 wrote to memory of 2220	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	67
PID 1288 wrote to memory of 2220	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	67
PID 1288 wrote to memory of 3036	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	73
PID 1288 wrote to memory of 3036	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	73
PID 1288 wrote to memory of 3036	1288	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe	73
PID 3036 wrote to memory of 2396	3036	lsm.exe	75
PID 3036 wrote to memory of 2396	3036	lsm.exe	75
PID 3036 wrote to memory of 2396	3036	lsm.exe	75
PID 3036 wrote to memory of 2700	3036	lsm.exe	76
PID 3036 wrote to memory of 2700	3036	lsm.exe	76
PID 3036 wrote to memory of 2700	3036	lsm.exe	76
PID 2396 wrote to memory of 2616	2396	WScript.exe	77
PID 2396 wrote to memory of 2616	2396	WScript.exe	77
PID 2396 wrote to memory of 2616	2396	WScript.exe	77
PID 2616 wrote to memory of 1636	2616	lsm.exe	78
PID 2616 wrote to memory of 1636	2616	lsm.exe	78
PID 2616 wrote to memory of 1636	2616	lsm.exe	78
PID 2616 wrote to memory of 2504	2616	lsm.exe	79
PID 2616 wrote to memory of 2504	2616	lsm.exe	79
PID 2616 wrote to memory of 2504	2616	lsm.exe	79
PID 1636 wrote to memory of 2804	1636	WScript.exe	80
PID 1636 wrote to memory of 2804	1636	WScript.exe	80
PID 1636 wrote to memory of 2804	1636	WScript.exe	80
PID 2804 wrote to memory of 556	2804	lsm.exe	81
PID 2804 wrote to memory of 556	2804	lsm.exe	81
PID 2804 wrote to memory of 556	2804	lsm.exe	81
PID 2804 wrote to memory of 1752	2804	lsm.exe	82
PID 2804 wrote to memory of 1752	2804	lsm.exe	82
PID 2804 wrote to memory of 1752	2804	lsm.exe	82
PID 556 wrote to memory of 3016	556	WScript.exe	83
PID 556 wrote to memory of 3016	556	WScript.exe	83
PID 556 wrote to memory of 3016	556	WScript.exe	83
PID 3016 wrote to memory of 2940	3016	lsm.exe	84
PID 3016 wrote to memory of 2940	3016	lsm.exe	84
PID 3016 wrote to memory of 2940	3016	lsm.exe	84
PID 3016 wrote to memory of 1000	3016	lsm.exe	85
PID 3016 wrote to memory of 1000	3016	lsm.exe	85
PID 3016 wrote to memory of 1000	3016	lsm.exe	85
PID 2940 wrote to memory of 2260	2940	WScript.exe	86

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe
"C:\Users\Admin\AppData\Local\Temp\aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\MCT\MCT-GB\Theme\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Users\Public\Libraries\lsm.exe
  "C:\Users\Public\Libraries\lsm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3036
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2b9d723-3bce-40b6-8076-58b92fe48dc2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Public\Libraries\lsm.exe
      C:\Users\Public\Libraries\lsm.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2616
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6055960-ce26-4ecf-bcb4-05e23b324348.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Users\Public\Libraries\lsm.exe
        
        C:\Users\Public\Libraries\lsm.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10b53f4d-4024-48f4-83b9-4f9a06031e81.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Users\Public\Libraries\lsm.exe
        
        C:\Users\Public\Libraries\lsm.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b363d6a9-67da-452f-8504-aa9347cdfc58.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Users\Public\Libraries\lsm.exe
        
        C:\Users\Public\Libraries\lsm.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef944789-4055-4837-b5a4-8b4e2b062d9a.vbs"
        11⤵
        
        PID:2648
        
        C:\Users\Public\Libraries\lsm.exe
        
        C:\Users\Public\Libraries\lsm.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edc952cb-977a-469f-bd4f-5eaa46b635b9.vbs"
        13⤵
        
        PID:1672
        
        C:\Users\Public\Libraries\lsm.exe
        
        C:\Users\Public\Libraries\lsm.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e773ea4-bb38-42de-886e-3b4701c7d1c3.vbs"
        15⤵
        
        PID:1692
        
        C:\Users\Public\Libraries\lsm.exe
        
        C:\Users\Public\Libraries\lsm.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e76b421-e6a6-40ed-861e-4bcff07a94a4.vbs"
        17⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc218c65-0ec3-4e5b-ab88-f74e9dda8628.vbs"
        17⤵
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e9a2466-32d1-4aaf-8acd-52ccb5d13c5b.vbs"
        15⤵
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a138d3a3-e9c8-45cf-834d-ebb6645ac846.vbs"
        13⤵
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f25d4c12-14df-42ca-8d3a-1aac57031c7e.vbs"
        11⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e22ea3d4-65eb-4ecb-a325-373443cbacb4.vbs"
        9⤵
        
        PID:1000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\decc2241-642b-42d2-941f-32d76ca954a6.vbs"
        7⤵
        
        PID:1752
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03e76b43-d4c3-4aaf-bed3-565ce7f0745f.vbs"
        5⤵
        
        PID:2504
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8314a804-807d-4ce9-9dbb-a4d8c4cefb66.vbs"
    3⤵
    PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\assembly\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\MCT\MCT-GB\Theme\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-GB\Theme\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\MCT\MCT-GB\Theme\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6Na" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6Na" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe

Filesize
2.9MB

MD5
f92bceca46071b03ff2812fc43fd1c16

SHA1
8ebc0721c924f0b5ce0572cae95e59c545d69a4d

SHA256
ddc8c553ee2de9a0eb03f91bc3e30348655ea26eb4d668d6519eab53619c324f

SHA512
d1157491ce9e497fb448638f1f41d7d2c4b1595abc0b5e497c51408b6042dab8e41ff745efcbe59aec31561c996865977c4cec69a5bd6b1e7c9650900544bbcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65075cecf78bb87c8be1812b48e0bcdd

SHA1
eb405da26433788e6cd0630269094ed8bd04c31b

SHA256
755777acbf4b3b4f5a84adf3ad55375da054f28d1efac04a6420f1594ea4744b

SHA512
efe01282dbf6facbbf47c34fe1c47c43e0049572dadb56247ff7f0c28bc7b7f7f27ae287b8af2576f9baff421c7460c27f57fd6c39c9ccb3a71b051fff6cd23b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0104237925ac89bf428746f73a0d1136

SHA1
0d61ac2144e7c2e65c74cf983e01d9dbdf9ffbbc

SHA256
4490eb73958394156f6a4e2f02988c008f499b5070213658ff359115e433f9c9

SHA512
2989006ede12984f26f42df267317e7f3a2aa2db1da506ba6986de3cc39b6b4723fd7e12752a1ad84e69230981e580ff59654cb1fe708977028be6c4b9b6b9ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a90e7f70ecf83041e29eb1e4ef9b4094

SHA1
c0760c4a788dfa0de51b1ebceef467df7446c3b3

SHA256
7c7f0e467b44c2455d9a6897168de6e33c47ba2814d8f1886ad367790c98dc4d

SHA512
519bdbbd8c216b2c6a8cd540a12bd4696d43b1bc9a861e4cf6b52c8e2dfc9b99b9928867af6733b5f416756a6727dc932e9a19772336e208c144cce10f62aa24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c59ae06c40df41e6183f25ba2c1bcb0

SHA1
1d4501e0b3a4479721ef5dad120044b1f92bbb0c

SHA256
386f281966032dd6f8bc17463fff15e20366b086d1e7283376b5817fe89f0a61

SHA512
611c27eb38b3e0765e2391e061f616daaf6bfa5ca512063286b832902ad0647094df80207419b5af3c413614bbb0c0075a7c9f4e15197a828599fad81a25aa1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
156f3c813520b6b8fa176c4d78000a54

SHA1
fd8c66e4389a95ef584bd7a80b395988c8e94caa

SHA256
d576a7ac291ec345878ff8f338db8c6ea07d8e065e4311763eb72888d9c374ef

SHA512
3b3b437149cb19626f4f0e5a5e1c9d1330c365df8aa3796fca0b94ad8db6a8a859f979c1ca192ac5b0c0da227222a39aaa721cd0e4c8122b0d7921275d401aa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fc92439d9f8307b14ee931546fbe645

SHA1
efbbb56fdfbd4cf3d831ce7e31089cc5d3939145

SHA256
086820c9dadd09be96be190016481e0fd1d0b9451d6b8cd84c94aa67d9775c7d

SHA512
1da9b1687a6b1c10079ec9884eff2667f6d93d611652267003cafb4cf1aeedce4bb7268ed5690dd6fc8af211312b1f46326eaa8fa95080dc5e947d147b420205

Download Submit
C:\Users\Admin\AppData\Local\Temp\10b53f4d-4024-48f4-83b9-4f9a06031e81.vbs

Filesize
709B

MD5
78099731e03013f8195db568b9ee7f2e

SHA1
f3a7be57c3cfb58f09d237bb0eeaed7c56154e7d

SHA256
6a419b3eb3d4754d85d7008bc71ed0a061e01db329298e6a73bf7682f0358836

SHA512
5956909f797c3ddaccba2c9278c4f63c63fbcd43f1ee10e32629c86f2598ccb3bd66c2e253ba35e52ff258275f3ff13a48c6d3d67447fff5bb0d98d64aa2d534

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e773ea4-bb38-42de-886e-3b4701c7d1c3.vbs

Filesize
708B

MD5
8a7ac76974c0be3bff18dae776cc8967

SHA1
ffcd66cea6e3aa86e93a194fb67c3924b893f3b7

SHA256
b5d1ddad726007a9cda3529d934746105e469ee7b5a63ef1a6a4f33e736ec01f

SHA512
6f14429ca3c5dd329aaf039353266c59078bb3773020007ce63d6cc33008dc6e00b0a3540306d62e26003afb10c371cd342f3f8af05eba1d0a4572b6537920d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\56aced5f346e8ae2cab0d1cc01909a8d48354195.exe

Filesize
2.9MB

MD5
22d43b313a8ae43d4dfc25dd622cf8ee

SHA1
7d016876ce499b127370a92e39a9b7169b935909

SHA256
ae4a97431b68c68fdc7639973cf76cfe43dde6ebc87eda411d0afbc020cbcffa

SHA512
0ed1e6fa2ca0ecaaaadbfcdcb486e3c66d99a741d829f8208b209cd295db91b21a6e5302d49928f87be091608e30a0d947c16d3b42d46632f3149e8599ddc40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8314a804-807d-4ce9-9dbb-a4d8c4cefb66.vbs

Filesize
485B

MD5
94393991bda2841451650347f963115d

SHA1
53981729fb02a240ca4f9e7044de6db11d3f1127

SHA256
0c8cfc58fad74caf495055f6619da0ffc6fd0e7742fd446e415270ca8f3bedc5

SHA512
c3a2421e4419292ceef4327bc96da443e88c9703142ce9fc32b22836e4163a18ce35c51a1c94db10db0d4dc13f326b5f38596d8571b864987c9dceb62bec8ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e76b421-e6a6-40ed-861e-4bcff07a94a4.vbs

Filesize
709B

MD5
98b155b82eeea18f231b0d9c354e1139

SHA1
9887c7f3e4129a13723a06578f2d2c7695b87f82

SHA256
404f9063fb7ba716f75d0dc081ce8214d21ec6dfc56aa61a4d66c5e1130ba6c1

SHA512
6e5ba4950d124a22fba44e9bd511e8a8c2e1074d07abbe7b72878519f9b5b77ff43ff9ec78702958b955a034981a91f8359a6eb78c3a8698b03d37a11ae4bd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b363d6a9-67da-452f-8504-aa9347cdfc58.vbs

Filesize
709B

MD5
50040cc4b6d5e8d9ad21ce63595fab3b

SHA1
82bffcf6ab186794d73d0641259fff58d08ef557

SHA256
dd0d2818be6cc5936ed4981f1c084c510b4018c9e9c159ea3c55fc5c983ab55a

SHA512
ba6c19a065684e220bdbb1db256b70c289c4d7e6331e4124f0762e8973e804837817875f7d20baecbd26aa282123672d8f12e50adb5aaacbfe66ca4525e4ed06

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2b9d723-3bce-40b6-8076-58b92fe48dc2.vbs

Filesize
709B

MD5
2ab0aab07c82ab68d901d97ea75b6569

SHA1
1b99c33897c162b4b19502153a78a46ec8c9097a

SHA256
7b1ff507a478e0a1bb26294b87407d0f2089c5451e421e180033fe995e5b4191

SHA512
386fdf7e7ea3c6a14e3bdd51394b2b5b17b59065363ccc3f944eb1275668671e61ba7c85830367377b59a6b6455160532858f1c9019ffa51701d7198a777c04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6055960-ce26-4ecf-bcb4-05e23b324348.vbs

Filesize
709B

MD5
57daa4634cd99fc07640292ba188aea8

SHA1
e54e4a97ff07fd3ad55dbfed6d07059f93bb17ce

SHA256
679d99e753e25e481063b8fb7e84a3ed0a2c6c0c1bde9672b69b581a27736d76

SHA512
b8a643451ed23cf617966179dea34f46982548c593c6a9f5534952302ab6cc97dc3fefa88fde4bac71d739b20b57d60a972ec84c6d8ddff08e86459e6c68358b

Download Submit
C:\Users\Admin\AppData\Local\Temp\edc952cb-977a-469f-bd4f-5eaa46b635b9.vbs

Filesize
709B

MD5
15a672399964a150020a695f3ab22255

SHA1
5699435a43967e90d60081e906207a9850705bb7

SHA256
30e42f31d02b78132aca24ebb7bf3e311e8fd8678879bda9eadca41e8e467db2

SHA512
14a70415490da2f3c0cd2a98673d986f467258d3153b1443849f81574c99b97e308dca5a0d7a047b7ecd646b6479b25ad656879dc9610126853a8c5fff2a851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef944789-4055-4837-b5a4-8b4e2b062d9a.vbs

Filesize
709B

MD5
84fb2b17d352f3e9e3eeb737191d9085

SHA1
8ffb89d52cbdb3323f64160154dc5bdd1c77ccdf

SHA256
c8d5de87396a9e047dce868c846df4c359e52a8c8f4916fe94b382b423fbc6a2

SHA512
a87a138726093382c35f16eb0886a4370206ed5dd63b195611e276ca014478f9caed347ef179603f4b9f8e0cea526d0ce650884a7e8d4a66a65ab378033fa2f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b6a4912d7660b982847ba6824238c157

SHA1
34404176ba89e022413833b47a69a986aa219618

SHA256
be2e2bea42877247d21ae7c229f0fad958715d7617935877f48749f05342f502

SHA512
c0ca591eb89304f2ecb6b139350931ec8962ce09966625937c9f663cf576d9ca0a8bd2c11c3f374948c53be52dabb0f486d7acf218695a9fe9ea14b46311f553

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\winlogon.exe

Filesize
2.9MB

MD5
7457ada28929860bd05497a68bb1825c

SHA1
54041a136dc3118ac1c39818b9994aca9ca096fd

SHA256
fb9a68f340835d4b6305229dd7262e0baba1a1ddce7ba1689c690599c8c822d5

SHA512
d65b7fbf511c8db59f1c1b3a9a546e0dcbee243719571916edf9c8a3a96ef5d88509590cd4eb429dbe2a9159e62fa01424b46741d68783e93f1ea9bc713a0b87

Download Submit
C:\Users\Public\Libraries\lsm.exe

Filesize
2.9MB

MD5
c417e0907ae7dc4abf1909739e415470

SHA1
0c03481d34a1d4c48ab816395b180c741033b9f8

SHA256
aa2108fe86426295731eb3694298cbc94ae8afda23dbe0360e2f2031b8bb11d6

SHA512
4c766dcc28ff26e9523bc349ca23e425affe171a76969b7a7e98d21adf4e447f77959f9aba733c5e88305146c74b52e7c360fc0ea3c50dbd8eb6a5fb3c44ab66

Download Submit
C:\Windows\Offline Web Pages\explorer.exe

Filesize
2.9MB

MD5
a6e9b9db3dbbded479199f7d3384672d

SHA1
4d77a27fdf2372e3bae45baf492be80fdb13887e

SHA256
23d9c30c2c9e3effe57572fee228e4ee8e4da61fc84c85b085b309495f832010

SHA512
e2ee3b087ba0e314ee26b3bad315ff109389d72f7b236260501d9484b0467d270ad4e84e0d468fe18ed4f34c165e830f1490f14eba4e1555d43add2d5ef493dd

Download Submit
memory/960-902-0x0000000001380000-0x0000000001672000-memory.dmp

Filesize
2.9MB

Download
memory/1288-16-0x0000000002530000-0x0000000002538000-memory.dmp

Filesize
32KB

Download
memory/1288-26-0x000000001A9D0000-0x000000001A9DC000-memory.dmp

Filesize
48KB

Download
memory/1288-15-0x0000000002390000-0x000000000239C000-memory.dmp

Filesize
48KB

Download
memory/1288-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/1288-20-0x0000000002570000-0x000000000257A000-memory.dmp

Filesize
40KB

Download
memory/1288-24-0x000000001A9B0000-0x000000001A9B8000-memory.dmp

Filesize
32KB

Download
memory/1288-21-0x0000000002580000-0x000000000258E000-memory.dmp

Filesize
56KB

Download
memory/1288-23-0x000000001A9A0000-0x000000001A9AC000-memory.dmp

Filesize
48KB

Download
memory/1288-19-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/1288-1-0x0000000000A00000-0x0000000000CF2000-memory.dmp

Filesize
2.9MB

Download
memory/1288-161-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1288-5-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/1288-18-0x0000000002550000-0x000000000255C000-memory.dmp

Filesize
48KB

Download
memory/1288-17-0x0000000002540000-0x000000000254C000-memory.dmp

Filesize
48KB

Download
memory/1288-4-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/1288-25-0x000000001A9C0000-0x000000001A9CA000-memory.dmp

Filesize
40KB

Download
memory/1288-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/1288-14-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/1288-13-0x0000000002370000-0x000000000237C000-memory.dmp

Filesize
48KB

Download
memory/1288-3-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/1288-12-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/1288-11-0x0000000002220000-0x0000000002276000-memory.dmp

Filesize
344KB

Download
memory/1288-10-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/1288-9-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1288-8-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/1288-22-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/1288-7-0x00000000009C0000-0x00000000009D6000-memory.dmp

Filesize
88KB

Download
memory/1288-6-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/1636-162-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2168-160-0x000000001B840000-0x000000001BB22000-memory.dmp

Filesize
2.9MB

Download
memory/2260-665-0x0000000000F50000-0x0000000001242000-memory.dmp

Filesize
2.9MB

Download
memory/2616-309-0x0000000000260000-0x0000000000552000-memory.dmp

Filesize
2.9MB

Download
memory/2804-428-0x0000000000B60000-0x0000000000E52000-memory.dmp

Filesize
2.9MB

Download
memory/3036-149-0x0000000000850000-0x0000000000B42000-memory.dmp

Filesize
2.9MB

Download