dcrat | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Size

4.9MB
MD5

bc6d8c1824fbce3832a86042be6ce8ec
SHA1

5c750a20d9ddeb5be64ba89d220a8657adbce18b
SHA256

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30
SHA512

abdc44b1d6694dea890128229b6bab2dbddd8bbf34d4413afefa84147f91b8dc855b6797d41505842fc181fa09b08cb79abaa720c23ceb1f06dd36a3e7676292
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	652	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	652	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	652	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	652	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	652	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	652	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	652	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	652	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	652	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	652	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	652	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	652	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exe456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2260-3-0x000000001B520000-0x000000001B64E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2960	powershell.exe
2708	powershell.exe
1288	powershell.exe
3000	powershell.exe
1816	powershell.exe
3020	powershell.exe
2936	powershell.exe
2996	powershell.exe
1380	powershell.exe
2352	powershell.exe
2948	powershell.exe
1996	powershell.exe

Executes dropped EXE 12 IoCs

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	Process
2716	dwm.exe
3028	dwm.exe
2292	dwm.exe
2532	dwm.exe
1852	dwm.exe
2340	dwm.exe
2112	dwm.exe
1344	dwm.exe
2676	dwm.exe
2544	dwm.exe
2500	dwm.exe
2624	dwm.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exedwm.exedwm.exedwm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Drops file in Program Files directory 8 IoCs

Processes:

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\886983d96e3d3e	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created	C:\Program Files (x86)\Windows Media Player\lsm.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created	C:\Program Files (x86)\Windows Media Player\101b941d020240	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\RCXC9D5.tmp	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXCF24.tmp	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\lsm.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2756	schtasks.exe
2832	schtasks.exe
2880	schtasks.exe
2768	schtasks.exe
2628	schtasks.exe
2316	schtasks.exe
2716	schtasks.exe
2812	schtasks.exe
2744	schtasks.exe
2644	schtasks.exe
2620	schtasks.exe
2684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	Process
2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
2936	powershell.exe
1996	powershell.exe
1816	powershell.exe
3020	powershell.exe
2960	powershell.exe
1380	powershell.exe
3000	powershell.exe
2996	powershell.exe
1288	powershell.exe
2708	powershell.exe
2352	powershell.exe
2948	powershell.exe
2716	dwm.exe
3028	dwm.exe
2292	dwm.exe
2532	dwm.exe
1852	dwm.exe
2340	dwm.exe
2112	dwm.exe
1344	dwm.exe
2676	dwm.exe
2544	dwm.exe
2500	dwm.exe
2624	dwm.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2716	dwm.exe
Token: SeDebugPrivilege	3028	dwm.exe
Token: SeDebugPrivilege	2292	dwm.exe
Token: SeDebugPrivilege	2532	dwm.exe
Token: SeDebugPrivilege	1852	dwm.exe
Token: SeDebugPrivilege	2340	dwm.exe
Token: SeDebugPrivilege	2112	dwm.exe
Token: SeDebugPrivilege	1344	dwm.exe
Token: SeDebugPrivilege	2676	dwm.exe
Token: SeDebugPrivilege	2544	dwm.exe
Token: SeDebugPrivilege	2500	dwm.exe
Token: SeDebugPrivilege	2624	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.execmd.exedwm.exeWScript.exedwm.exeWScript.exedwm.exe

description	pid	Process	procid_target
PID 2260 wrote to memory of 2936	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	44
PID 2260 wrote to memory of 2936	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	44
PID 2260 wrote to memory of 2936	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	44
PID 2260 wrote to memory of 2960	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	45
PID 2260 wrote to memory of 2960	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	45
PID 2260 wrote to memory of 2960	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	45
PID 2260 wrote to memory of 2996	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	46
PID 2260 wrote to memory of 2996	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	46
PID 2260 wrote to memory of 2996	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	46
PID 2260 wrote to memory of 2708	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	47
PID 2260 wrote to memory of 2708	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	47
PID 2260 wrote to memory of 2708	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	47
PID 2260 wrote to memory of 1380	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	48
PID 2260 wrote to memory of 1380	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	48
PID 2260 wrote to memory of 1380	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	48
PID 2260 wrote to memory of 1288	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	49
PID 2260 wrote to memory of 1288	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	49
PID 2260 wrote to memory of 1288	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	49
PID 2260 wrote to memory of 2352	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	50
PID 2260 wrote to memory of 2352	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	50
PID 2260 wrote to memory of 2352	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	50
PID 2260 wrote to memory of 2948	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	51
PID 2260 wrote to memory of 2948	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	51
PID 2260 wrote to memory of 2948	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	51
PID 2260 wrote to memory of 3000	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	52
PID 2260 wrote to memory of 3000	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	52
PID 2260 wrote to memory of 3000	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	52
PID 2260 wrote to memory of 1996	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	53
PID 2260 wrote to memory of 1996	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	53
PID 2260 wrote to memory of 1996	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	53
PID 2260 wrote to memory of 1816	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	54
PID 2260 wrote to memory of 1816	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	54
PID 2260 wrote to memory of 1816	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	54
PID 2260 wrote to memory of 3020	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	55
PID 2260 wrote to memory of 3020	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	55
PID 2260 wrote to memory of 3020	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	55
PID 2260 wrote to memory of 1044	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	60
PID 2260 wrote to memory of 1044	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	60
PID 2260 wrote to memory of 1044	2260	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	60
PID 1044 wrote to memory of 1800	1044	cmd.exe	65
PID 1044 wrote to memory of 1800	1044	cmd.exe	65
PID 1044 wrote to memory of 1800	1044	cmd.exe	65
PID 1044 wrote to memory of 2716	1044	cmd.exe	71
PID 1044 wrote to memory of 2716	1044	cmd.exe	71
PID 1044 wrote to memory of 2716	1044	cmd.exe	71
PID 2716 wrote to memory of 2004	2716	dwm.exe	72
PID 2716 wrote to memory of 2004	2716	dwm.exe	72
PID 2716 wrote to memory of 2004	2716	dwm.exe	72
PID 2716 wrote to memory of 844	2716	dwm.exe	73
PID 2716 wrote to memory of 844	2716	dwm.exe	73
PID 2716 wrote to memory of 844	2716	dwm.exe	73
PID 2004 wrote to memory of 3028	2004	WScript.exe	74
PID 2004 wrote to memory of 3028	2004	WScript.exe	74
PID 2004 wrote to memory of 3028	2004	WScript.exe	74
PID 3028 wrote to memory of 2184	3028	dwm.exe	75
PID 3028 wrote to memory of 2184	3028	dwm.exe	75
PID 3028 wrote to memory of 2184	3028	dwm.exe	75
PID 3028 wrote to memory of 1000	3028	dwm.exe	76
PID 3028 wrote to memory of 1000	3028	dwm.exe	76
PID 3028 wrote to memory of 1000	3028	dwm.exe	76
PID 2184 wrote to memory of 2292	2184	WScript.exe	77
PID 2184 wrote to memory of 2292	2184	WScript.exe	77
PID 2184 wrote to memory of 2292	2184	WScript.exe	77
PID 2292 wrote to memory of 1580	2292	dwm.exe	78

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
"C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4kaJnY8jMt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1800
- - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
    "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2716
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95d63378-9cfc-4998-9676-1b44e488db9c.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3028
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c45eee4b-a038-4dbb-bddd-c2da29c3f78d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38a8c54f-b5cc-4c92-a9b3-c479b402d6c0.vbs"
        8⤵
        
        PID:1580
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fd81af9-c736-4715-83b8-48687bd73ea3.vbs"
        10⤵
        
        PID:1288
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c0b593b-ace6-4980-9103-3cddd694b3f2.vbs"
        12⤵
        
        PID:1692
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfb09761-97f9-437e-a471-cef2ddafbd45.vbs"
        14⤵
        
        PID:2212
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fccc17c7-6303-412e-a9c7-f2b6aaa2b546.vbs"
        16⤵
        
        PID:2404
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39566980-ec0f-4125-8db1-3707d1d757ce.vbs"
        18⤵
        
        PID:2008
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b1d0d9f-14e4-4633-a0c1-a5351ed46147.vbs"
        20⤵
        
        PID:2032
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1ea651c-9889-4ee1-a4ac-6e03a4b91978.vbs"
        22⤵
        
        PID:1728
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed624a60-b724-4c70-a459-6af4b4966778.vbs"
        24⤵
        
        PID:2092
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64031352-573b-45f4-9423-dac908b6b96e.vbs"
        26⤵
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb83a45b-cede-4fbe-a665-92b3296a120f.vbs"
        26⤵
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d474daab-ca8f-40c9-b9a9-4a2caa46ec63.vbs"
        24⤵
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0efa779-d726-4611-bc4a-f38a6a42b49d.vbs"
        22⤵
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\287fe0c2-547d-4b43-9c36-588d41eaa603.vbs"
        20⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a851b8f-1555-4fdc-804d-5db9b9c8b5bf.vbs"
        18⤵
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\295329c3-7c6b-468d-baac-416aa27c69f1.vbs"
        16⤵
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53389c18-07a1-4b9a-858b-cd9fd931a6c7.vbs"
        14⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bec97b3-c8e4-4dc0-a198-9e984facd33d.vbs"
        12⤵
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89479fac-b02e-442f-926c-a7fb470f2feb.vbs"
        10⤵
        
        PID:644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecbe00df-cc34-4c42-adbe-44ac7504e830.vbs"
        8⤵
        
        PID:2788
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\936fd611-1974-4a28-b3a8-517bd59b1c10.vbs"
        6⤵
        
        PID:1000
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a2a4ec-c47b-41bf-a88a-4590852ac2ea.vbs"
      4⤵
      PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\csrss.exe

Filesize
4.9MB

MD5
bc6d8c1824fbce3832a86042be6ce8ec

SHA1
5c750a20d9ddeb5be64ba89d220a8657adbce18b

SHA256
456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30

SHA512
abdc44b1d6694dea890128229b6bab2dbddd8bbf34d4413afefa84147f91b8dc855b6797d41505842fc181fa09b08cb79abaa720c23ceb1f06dd36a3e7676292

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe

Filesize
4.9MB

MD5
9493c36b369ea94a1c38c6a7d15bc6f0

SHA1
36bff44cdcb4ebffb8d373765654c1329d901f70

SHA256
329a1aab29230e397d3f6bd8d2d3ab148fdd7a791f5c4194f7cfd65b29a2cb1a

SHA512
49e1c0845bdd5961eeb7f67543d8d58c9c468091fa2f47db4c3c136f9439217ff40fa2121e6e6dcea6cce4caee27b35699372af4d790d84e93777e4dcf2bde44

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b1d0d9f-14e4-4633-a0c1-a5351ed46147.vbs

Filesize
732B

MD5
e4c9f262c303ea877e534de7a78b7feb

SHA1
0fac7579da0b4e2495ba60fe45efb8d40991590e

SHA256
f0ef37af03cdc3a6fade6b93d4c7e8806c99b51a0859b71cff3bef00db7ba47b

SHA512
9968662ccfdb3b6637e9b1288613c4a09cf1ec32bd904184090a9439fe62d040a420eb75ac7ce359773f3377466e96750d6320a06d749f163801295d954e306b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fd81af9-c736-4715-83b8-48687bd73ea3.vbs

Filesize
732B

MD5
168306928b8c3a722eab8cc6dd40274c

SHA1
bee8a23db8d8325c708366c3fb557b4273745b72

SHA256
904c095d2bebb49eaad539d89fbf9a676841396ae800170af781cd3f463adb92

SHA512
9a47ca000238539fe9c7af6b8e42214059e1f779eef44ef775d813d3e088a2382741a63182fe4cc0d4af07e135f9cd9538bd9f4f825a65bbccc599cd6a8d8a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c0b593b-ace6-4980-9103-3cddd694b3f2.vbs

Filesize
732B

MD5
99fb7cc0f445764415a22d73326db00a

SHA1
1233f16617338d4beb7935e13dcf8a9a0675c7be

SHA256
b8f85a08f0d0c7c9c9f8b56e29a0b55d3d88bc9d3450c87c3ffe75c7de6fa370

SHA512
520b6b117aadb8e73eb0279aedade13218d1e56e1cd202579dbde9d38981e9590a16b5a105dea667fe5b321d582c58863de7ef4cd88a43140f36b0340b520ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\38a8c54f-b5cc-4c92-a9b3-c479b402d6c0.vbs

Filesize
732B

MD5
36475b775971bd2fdaa81ef49f1ad86b

SHA1
95a6c09978d691499ab113e04fd27b0a52863884

SHA256
127b6a279fa730d2b7838e1c541fb21628d6baf8c82363e4b2601805cf7414df

SHA512
9b417e88618bca8723ac9c02e7f041c6189abdf4766cafc2602ec26f85221cde6e98b47b43292627455331ee545afb7b6637534272c0cea87e08e13d3112cc24

Download Submit
C:\Users\Admin\AppData\Local\Temp\39566980-ec0f-4125-8db1-3707d1d757ce.vbs

Filesize
732B

MD5
b773cdcc384ef4682fbd0ea002013d8e

SHA1
d18723d5d76bed3d4ccdac53e0afab0c62b5e31b

SHA256
304adea36bab568153d42052693934137c0063b97bf12ade3c7c319e3729f703

SHA512
d9412a204b776bcaaa9a652665511adeb5f6b01c4192fa3a137952460077b8aa035ffe96f9519cb40276c882c0d7c57de363638c51c0c488313e1c338b55143b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kaJnY8jMt.bat

Filesize
221B

MD5
1b60946396ec486ab289f34ce6d18a58

SHA1
22b2f4586d22c4e2e92cb63624dcf0ee52fc78dd

SHA256
e390571e5e79404c7cbd9ba2b094b1f08c90564dfc04be1e88a5b9215c3ea2f5

SHA512
3e3a8031d062b05834f7d5416a0b67c5996cbf76c2787d6a367a666422149dbcbc9d95511956e2dcc2e86aeeb42d003c24ab2b3393812bca53399f4fc2037472

Download Submit
C:\Users\Admin\AppData\Local\Temp\64031352-573b-45f4-9423-dac908b6b96e.vbs

Filesize
732B

MD5
875905de32a11bac39f8d90f27bf060b

SHA1
abf828b2db1036a4e6cb708b8f44e734cec5a153

SHA256
200a7007e274991973625b9a9c37e167af25dce1e5ac8e3b42a526e4ad164239

SHA512
4ba58b14c8fbbc31caceee642184648a07b492e864e03312e6e987a99b1dca0295bb8d406a20954598c7881e7f454953c22fa83ed848719d12edca15c6713ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\68a2a4ec-c47b-41bf-a88a-4590852ac2ea.vbs

Filesize
508B

MD5
3f60dbec814cb7c0c054a76ba9f78eb2

SHA1
8577acc9d787b3c5123fe8437b96a5a5051f635f

SHA256
bab79af745a953f637988442fe83895a22df83f6ba8dce5d99624a7dbf507e98

SHA512
0e049b4974ab1292295848c6be8980c8a4e54d4324ad3b091d038e8a54470aa1a6653d981513a1d879d718a3d289290e1ab774496e49aab16443ce67fdb36304

Download Submit
C:\Users\Admin\AppData\Local\Temp\95d63378-9cfc-4998-9676-1b44e488db9c.vbs

Filesize
732B

MD5
fe7924e63f48cac372e25ab63cb3de1d

SHA1
32d42966ff6d955d70add7219cf827c65741e046

SHA256
d310989ea70864a15774660dbcb3fabd0dcc106d533be2ee073a1e6c37df55e6

SHA512
03c23f92afc3c6b18cacb2d50de65f13db9d1b482c2fc55ad9574280647703a62282ba17e44d1c727703ec33677f331223bf690eeb40ee21625ff44b4a5cbff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1ea651c-9889-4ee1-a4ac-6e03a4b91978.vbs

Filesize
732B

MD5
23fe56dac9e444aa61dae2e434481366

SHA1
2dbb0ae9dc193024568d556ad640d3bfb8c08ce0

SHA256
0c666a67d115d9602dd7785c59d47c7c4abe0779161bade5f390266fc6a83e9b

SHA512
333af2b8d80b0b55bb3e8ce5043bd6349395af29781e07e957da45fccfce95359f3ab3b41d88e5ef0113fde82bdd5ad165b0bd2441f082bf14ac794b0775b299

Download Submit
C:\Users\Admin\AppData\Local\Temp\c45eee4b-a038-4dbb-bddd-c2da29c3f78d.vbs

Filesize
732B

MD5
1222dfa4046a322f045bcc62d71657ea

SHA1
ee114ac6a933071abdb3c9e45d515fbccdeba4c9

SHA256
7dc18283a1eefa0d636a503add8d5deae1ab4f6c9c5153d39abcc0402e1e1fae

SHA512
6f520e05b621b006fd5f37a2a16e11c6177295c34ecb2778bbd83d6ad4bebbf4335116fa5d0f7bc38bda5d4a99b263870a65bf408a31a861b967c2a834e7c841

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfb09761-97f9-437e-a471-cef2ddafbd45.vbs

Filesize
732B

MD5
13f6d8e7f9e5c96f2efb6d1762320ac4

SHA1
7755a16471603c0825770c853d6e616cc06b1a27

SHA256
99b0ce27818c3158a19ebb5ac8a2bf34a22463671f0b73b6dceec5a5ff2a11b5

SHA512
6f106ae0b2d422cb53fe4a43e565ca63659efb1f64652e12992ae43af29ae1373ab905e39b09bf8d3893d4f5139921582623e0a227c85dfc9acbab7d05b08636

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed624a60-b724-4c70-a459-6af4b4966778.vbs

Filesize
732B

MD5
902efe25a5f1b65233c7e3656871116a

SHA1
806ebb101274f83157ef59d203e22fe2dd8f1265

SHA256
bfa31a349f44fff73e81e6e9cccdd0de0cc83be50937e7e13f5079aa9ca8677b

SHA512
84d74a70fd52be223fda95942d7c68e2ae75a94282b162667d54ed0ec79b89000a8786e51f54a151e9da95c695eac840dffdb72118a2b23812babb8c96d7ec2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fccc17c7-6303-412e-a9c7-f2b6aaa2b546.vbs

Filesize
732B

MD5
65fc33375b4a60e841d7335ff847ab50

SHA1
5b46c54bdb8e3a21f053f0ecb5459c986baa8292

SHA256
c8c01761cbaf5dcad75540d6a8afbf63e9863db5aeefa09d29c32cde5c2e3b04

SHA512
fde8916eb6ab3b87f20c56070490f2657409d3f83fc22a3970e95fb568977848c8e4c2bdecf7e2e36c8ab002316345880ca20fdea5bc7130c4cf6cd40ebce39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF509.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b526d71073bacf222569f6a1655dd5d

SHA1
d85c887aa3b9efc76d7a530fb73c67d8724a0123

SHA256
4d63343260f85d6fe2a5fc34e841b13b72930d831af713a3a412a6880cc37dac

SHA512
f62c6cc73c60c428d4d4ac992bab9a53ad4777d16b92640e4c8a1892ef87a9780fe3f0dc04961a57f868815e382428bdf357d99d0efa87c533ada55eb024a112

Download Submit
memory/1852-185-0x0000000000B10000-0x0000000001004000-memory.dmp

Filesize
5.0MB

Download
memory/1996-111-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2112-216-0x0000000001110000-0x0000000001604000-memory.dmp

Filesize
5.0MB

Download
memory/2260-12-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/2260-5-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2260-62-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-1-0x0000000000B70000-0x0000000001064000-memory.dmp

Filesize
5.0MB

Download
memory/2260-2-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-16-0x0000000002670000-0x000000000267C000-memory.dmp

Filesize
48KB

Download
memory/2260-15-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/2260-14-0x0000000002650000-0x0000000002658000-memory.dmp

Filesize
32KB

Download
memory/2260-3-0x000000001B520000-0x000000001B64E000-memory.dmp

Filesize
1.2MB

Download
memory/2260-4-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2260-13-0x0000000002470000-0x000000000247E000-memory.dmp

Filesize
56KB

Download
memory/2260-6-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2260-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp

Filesize
4KB

Download
memory/2260-7-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/2260-11-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2260-10-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2260-9-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/2260-8-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2292-155-0x0000000000CE0000-0x00000000011D4000-memory.dmp

Filesize
5.0MB

Download
memory/2340-201-0x0000000002480000-0x0000000002492000-memory.dmp

Filesize
72KB

Download
memory/2340-200-0x0000000000180000-0x0000000000674000-memory.dmp

Filesize
5.0MB

Download
memory/2532-170-0x0000000000090000-0x0000000000584000-memory.dmp

Filesize
5.0MB

Download
memory/2624-288-0x00000000012E0000-0x00000000017D4000-memory.dmp

Filesize
5.0MB

Download
memory/2676-245-0x0000000001120000-0x0000000001614000-memory.dmp

Filesize
5.0MB

Download
memory/2716-125-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2716-124-0x0000000000D40000-0x0000000001234000-memory.dmp

Filesize
5.0MB

Download
memory/2936-102-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/3028-140-0x000000001ABD0000-0x000000001ABE2000-memory.dmp

Filesize
72KB

Download
memory/3028-139-0x0000000000330000-0x0000000000824000-memory.dmp

Filesize
5.0MB

Download