dcrat | b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667

Analysis

max time kernel
147s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Size

4.9MB
MD5

736efb699e6c98e7714ac5c408182dcb
SHA1

5365421b2342d1e05d742affab93c76e7bc155e5
SHA256

b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667
SHA512

a9293424da54d3457c7a754b5f66324ed271ce066412b9690b8f1ed502a33501e680731c1818d2836eb68724d3236794534bc0f6fb2d75fb283d9033df3bcb98
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8n:n

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2936	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2936	schtasks.exe	28

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1820-3-0x000000001B660000-0x000000001B78E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
948	powershell.exe
648	powershell.exe
916	powershell.exe
2592	powershell.exe
1088	powershell.exe
1108	powershell.exe
1500	powershell.exe
2492	powershell.exe
900	powershell.exe
112	powershell.exe
2008	powershell.exe
1032	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2600	winlogon.exe
2396	winlogon.exe
376	winlogon.exe
2156	winlogon.exe
2772	winlogon.exe
2032	winlogon.exe
932	winlogon.exe
2172	winlogon.exe
1272	winlogon.exe
1280	winlogon.exe
2396	winlogon.exe
872	winlogon.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\taskhost.exe	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\taskhost.exe	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
File created	C:\Program Files (x86)\Google\Temp\b75386f1303e64	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\dllhost.exe	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\5940a34987c991	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXEE46.tmp	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXF0B7.tmp	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\dllhost.exe	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Migration\WTR\winlogon.exe	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
File created	C:\Windows\rescache\rc0001\dwm.exe	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
File created	C:\Windows\Migration\WTR\winlogon.exe	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
File created	C:\Windows\Migration\WTR\cc11b995f2a76d	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
File opened for modification	C:\Windows\Migration\WTR\RCXF935.tmp	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2596	schtasks.exe
2716	schtasks.exe
2752	schtasks.exe
2640	schtasks.exe
2972	schtasks.exe
2192	schtasks.exe
2636	schtasks.exe
2856	schtasks.exe
2520	schtasks.exe
2624	schtasks.exe
2976	schtasks.exe
2412	schtasks.exe
2812	schtasks.exe
2632	schtasks.exe
2336	schtasks.exe
2780	schtasks.exe
2724	schtasks.exe
1136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
900	powershell.exe
2492	powershell.exe
1500	powershell.exe
2008	powershell.exe
2592	powershell.exe
948	powershell.exe
916	powershell.exe
2600	winlogon.exe
1088	powershell.exe
112	powershell.exe
648	powershell.exe
1108	powershell.exe
1032	powershell.exe
2396	winlogon.exe
376	winlogon.exe
2156	winlogon.exe
2772	winlogon.exe
2032	winlogon.exe
932	winlogon.exe
2172	winlogon.exe
1272	winlogon.exe
1280	winlogon.exe
2396	winlogon.exe
872	winlogon.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2600	winlogon.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2396	winlogon.exe
Token: SeDebugPrivilege	376	winlogon.exe
Token: SeDebugPrivilege	2156	winlogon.exe
Token: SeDebugPrivilege	2772	winlogon.exe
Token: SeDebugPrivilege	2032	winlogon.exe
Token: SeDebugPrivilege	932	winlogon.exe
Token: SeDebugPrivilege	2172	winlogon.exe
Token: SeDebugPrivilege	1272	winlogon.exe
Token: SeDebugPrivilege	1280	winlogon.exe
Token: SeDebugPrivilege	2396	winlogon.exe
Token: SeDebugPrivilege	872	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2492	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	47
PID 1820 wrote to memory of 2492	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	47
PID 1820 wrote to memory of 2492	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	47
PID 1820 wrote to memory of 900	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	48
PID 1820 wrote to memory of 900	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	48
PID 1820 wrote to memory of 900	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	48
PID 1820 wrote to memory of 948	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	49
PID 1820 wrote to memory of 948	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	49
PID 1820 wrote to memory of 948	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	49
PID 1820 wrote to memory of 112	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	50
PID 1820 wrote to memory of 112	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	50
PID 1820 wrote to memory of 112	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	50
PID 1820 wrote to memory of 2008	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	51
PID 1820 wrote to memory of 2008	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	51
PID 1820 wrote to memory of 2008	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	51
PID 1820 wrote to memory of 2592	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	52
PID 1820 wrote to memory of 2592	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	52
PID 1820 wrote to memory of 2592	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	52
PID 1820 wrote to memory of 1088	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	53
PID 1820 wrote to memory of 1088	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	53
PID 1820 wrote to memory of 1088	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	53
PID 1820 wrote to memory of 1108	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	54
PID 1820 wrote to memory of 1108	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	54
PID 1820 wrote to memory of 1108	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	54
PID 1820 wrote to memory of 1500	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	55
PID 1820 wrote to memory of 1500	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	55
PID 1820 wrote to memory of 1500	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	55
PID 1820 wrote to memory of 648	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	56
PID 1820 wrote to memory of 648	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	56
PID 1820 wrote to memory of 648	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	56
PID 1820 wrote to memory of 1032	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	57
PID 1820 wrote to memory of 1032	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	57
PID 1820 wrote to memory of 1032	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	57
PID 1820 wrote to memory of 916	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	58
PID 1820 wrote to memory of 916	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	58
PID 1820 wrote to memory of 916	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	58
PID 1820 wrote to memory of 2600	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	71
PID 1820 wrote to memory of 2600	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	71
PID 1820 wrote to memory of 2600	1820	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe	71
PID 2600 wrote to memory of 2856	2600	winlogon.exe	72
PID 2600 wrote to memory of 2856	2600	winlogon.exe	72
PID 2600 wrote to memory of 2856	2600	winlogon.exe	72
PID 2600 wrote to memory of 1460	2600	winlogon.exe	73
PID 2600 wrote to memory of 1460	2600	winlogon.exe	73
PID 2600 wrote to memory of 1460	2600	winlogon.exe	73
PID 2856 wrote to memory of 2396	2856	WScript.exe	74
PID 2856 wrote to memory of 2396	2856	WScript.exe	74
PID 2856 wrote to memory of 2396	2856	WScript.exe	74
PID 2396 wrote to memory of 2288	2396	winlogon.exe	75
PID 2396 wrote to memory of 2288	2396	winlogon.exe	75
PID 2396 wrote to memory of 2288	2396	winlogon.exe	75
PID 2396 wrote to memory of 2132	2396	winlogon.exe	76
PID 2396 wrote to memory of 2132	2396	winlogon.exe	76
PID 2396 wrote to memory of 2132	2396	winlogon.exe	76
PID 2288 wrote to memory of 376	2288	WScript.exe	77
PID 2288 wrote to memory of 376	2288	WScript.exe	77
PID 2288 wrote to memory of 376	2288	WScript.exe	77
PID 376 wrote to memory of 2712	376	winlogon.exe	78
PID 376 wrote to memory of 2712	376	winlogon.exe	78
PID 376 wrote to memory of 2712	376	winlogon.exe	78
PID 376 wrote to memory of 2840	376	winlogon.exe	79
PID 376 wrote to memory of 2840	376	winlogon.exe	79
PID 376 wrote to memory of 2840	376	winlogon.exe	79
PID 2712 wrote to memory of 2156	2712	WScript.exe	80

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
"C:\Users\Admin\AppData\Local\Temp\b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Users\Default\Desktop\winlogon.exe
  "C:\Users\Default\Desktop\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2600
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b2527e9-e3cf-4186-b0a8-25bdbaea84b9.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Default\Desktop\winlogon.exe
      C:\Users\Default\Desktop\winlogon.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2396
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3da0dfa5-94be-422b-916d-384c67e774f6.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Users\Default\Desktop\winlogon.exe
        
        C:\Users\Default\Desktop\winlogon.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\660498c0-218e-4a18-8c27-9c6e78fd9cf5.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Users\Default\Desktop\winlogon.exe
        
        C:\Users\Default\Desktop\winlogon.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35273e65-18f0-4a4e-b12c-4be31c0b5739.vbs"
        9⤵
        
        PID:2244
        
        C:\Users\Default\Desktop\winlogon.exe
        
        C:\Users\Default\Desktop\winlogon.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3979401-7530-4b8c-9ae9-24f61acb9235.vbs"
        11⤵
        
        PID:1136
        
        C:\Users\Default\Desktop\winlogon.exe
        
        C:\Users\Default\Desktop\winlogon.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5435232f-5c6a-4c12-b9d8-cb05307746f8.vbs"
        13⤵
        
        PID:2076
        
        C:\Users\Default\Desktop\winlogon.exe
        
        C:\Users\Default\Desktop\winlogon.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8bdceb5-d622-45e2-b979-37397f508cb9.vbs"
        15⤵
        
        PID:1608
        
        C:\Users\Default\Desktop\winlogon.exe
        
        C:\Users\Default\Desktop\winlogon.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0cb9d00-777e-4721-9551-9125f6f12803.vbs"
        17⤵
        
        PID:2664
        
        C:\Users\Default\Desktop\winlogon.exe
        
        C:\Users\Default\Desktop\winlogon.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b18c9b9-c1ba-4d7b-b735-7205e9e63237.vbs"
        19⤵
        
        PID:2836
        
        C:\Users\Default\Desktop\winlogon.exe
        
        C:\Users\Default\Desktop\winlogon.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad01a7a3-0520-4f64-8cf9-10a0287aa432.vbs"
        21⤵
        
        PID:2328
        
        C:\Users\Default\Desktop\winlogon.exe
        
        C:\Users\Default\Desktop\winlogon.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6eb34c9a-44ca-479a-858f-8346668de40d.vbs"
        23⤵
        
        PID:960
        
        C:\Users\Default\Desktop\winlogon.exe
        
        C:\Users\Default\Desktop\winlogon.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\619e7e73-7cac-4bbf-94c4-9e0ca4de4eb5.vbs"
        25⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53b0ce36-c585-4eef-8a19-4b8a543b27c1.vbs"
        25⤵
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68c27a0e-0c91-4c23-b292-8b10d5d017e0.vbs"
        23⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bab78d3e-a282-44ad-8f7c-281a294944fe.vbs"
        21⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67bf9879-353a-44ca-b397-b96eb79cb4da.vbs"
        19⤵
        
        PID:1772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05315f54-dd1f-489c-8936-b179965b69c0.vbs"
        17⤵
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1881c705-503f-4b8b-88e4-05aca5ffdcb5.vbs"
        15⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f011e4c4-e7c4-481d-86b4-d7fa14b764a7.vbs"
        13⤵
        
        PID:1948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8b4aa92-a373-4e7f-be57-003714a15e3b.vbs"
        11⤵
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dc82aa2-36bb-4de6-a5da-fb6798e201e3.vbs"
        9⤵
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36372b68-30b5-4730-93fb-a668b8cb7300.vbs"
        7⤵
        
        PID:2840
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24925d6e-17c4-4e3c-b9c2-daab60783560.vbs"
        5⤵
        
        PID:2132
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af58ad1e-d14d-41de-be16-307f0fe4ff5e.vbs"
    3⤵
    PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe

Filesize
4.9MB

MD5
736efb699e6c98e7714ac5c408182dcb

SHA1
5365421b2342d1e05d742affab93c76e7bc155e5

SHA256
b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667

SHA512
a9293424da54d3457c7a754b5f66324ed271ce066412b9690b8f1ed502a33501e680731c1818d2836eb68724d3236794534bc0f6fb2d75fb283d9033df3bcb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b18c9b9-c1ba-4d7b-b735-7205e9e63237.vbs

Filesize
713B

MD5
511ed5bb5afec2027595af6a6e5d9aaf

SHA1
bc167f623c0de591bb0f41323b2d41f52163da80

SHA256
d8a2e845a48040ffef4c61ef34e8bed6d9a541eef55cd5b29d3668a60ed3b54e

SHA512
52b166d19a9e4ea1d6d47b0e15528972f49b6d8a1a3261b7af5747496bb1ab3d82e378d50c4aa0853b254d4d7dd44e0030db02f4cea707e41897c4afe770b3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\35273e65-18f0-4a4e-b12c-4be31c0b5739.vbs

Filesize
713B

MD5
7f49087cbb12255a82efbe2125ba750a

SHA1
69908a510b8ab05ba1ac5cc61b135fbf010636f4

SHA256
81444e85b4ac72c244c52b59ad3f5bdc47cbbf82ce14d1a560809f1fd8932c91

SHA512
78d44925c0d187477c4525ce0798fa43825407cfda93e80adcd2aa0beb06a939a4343d9810628f93068044fa63eab119dc734940a85b3245f9a8d82023f89d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\3da0dfa5-94be-422b-916d-384c67e774f6.vbs

Filesize
713B

MD5
e16fbb6f842344c98a294b13b7cef81e

SHA1
32030519b1bb5fc1f7e5cbef1103c56e82870c37

SHA256
c08721acce96ce9755120476d7852a180a9fd48da3bf7bcdde687c76d43ea29f

SHA512
3304dacf748f9399b25e39565bd571719b2538650972ca3348e6d75861169c534008619b916b21dfcb13032658c58f613a18fbf3601b75492233542bdf6262ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\5435232f-5c6a-4c12-b9d8-cb05307746f8.vbs

Filesize
713B

MD5
881c267f5dfca10337be4ff9a6d6b197

SHA1
67eddf5668b6593d81d3a774b8f0546ddde3960a

SHA256
cb9eb31df6aa82593682b565519f661dfc0b134da07940eccfe2167d4744935e

SHA512
383da49e4e66f302c42cb0fd2362eabd80a5a493fc68c1a01fe35b095483ad9484fb9dc20baddcddd6251af5e3928dac8c954d59fba951509af7175d29b7df6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\619e7e73-7cac-4bbf-94c4-9e0ca4de4eb5.vbs

Filesize
712B

MD5
e01b5c33a3f3e10bb335eff3a1960a61

SHA1
a3f0b2d64541ea5429c96b998f57271d58d3a35f

SHA256
91017803e673fd9a2f41eef33243bf1b8f7cdb8fefbba5ad70b79f9aa3d14a96

SHA512
fc06b1c4b07cb41346585065734bb0d335e4e91c0172f54b62d77e46ef380cf0c91e897d54a137cc04302684e38363bca08d5ec47ae542a2ac23d7717ff8b676

Download Submit
C:\Users\Admin\AppData\Local\Temp\660498c0-218e-4a18-8c27-9c6e78fd9cf5.vbs

Filesize
712B

MD5
f04b62654c3cba523610ffa3da709ccf

SHA1
e9e01aa50218b205a79fc7665e146aaa69be011f

SHA256
c5693cd234b10e106256152fed50c25b72359104c0689c2509344ad0a6b38424

SHA512
6a09cc78a5f5bcc96cbb3e0d8c1641cd602894ea56493277c32efdb985e315e22e52f205eef189112cedd6bd45b5f0f171b0c6bfe6c335192d59b106c7b8096c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b2527e9-e3cf-4186-b0a8-25bdbaea84b9.vbs

Filesize
713B

MD5
cc5b41e0342ed7ee6f56bfb18d4e5c0e

SHA1
7c078a3def605ac1a34deea4243ed5f595b64d61

SHA256
bb9670939cd4265a8023283d7d9ed1294afaa23d8a61278479a3b3c64eb32816

SHA512
36fa115267dd53392db3080522d05df9b252412ddb75f53537b38c280b95478eede6de81ed67aa31dd0b2ec2b36752749e3b8d7bf70efcd6ab36dd7abd8f88ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad01a7a3-0520-4f64-8cf9-10a0287aa432.vbs

Filesize
713B

MD5
16f7d536651d3b0a388f46a7f4025f58

SHA1
e5c5cfa9f381c424bba47008cab95c61ec93598a

SHA256
a987a1b900c0f4fa4dda90d065420d2afd8a51e0733c506cda2bbeb38f005cc1

SHA512
c369acbcd1e5f4fe077acddc96a652bccfa793092aee3df8f17c292e921669cc36d11bafb1a41a51e891e33e2d09813972c4f3b6c8f1c9dcbd67db158bdd9ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\af58ad1e-d14d-41de-be16-307f0fe4ff5e.vbs

Filesize
489B

MD5
7042777d38bbb2c4eff9016ebb78d7db

SHA1
cc8e4d8d4baf5dc490d647f8bba767b7cb9c5e86

SHA256
faa58f78d17a03aa4049d8a532258332a3e6817157be26b0f55fa46848066e02

SHA512
179f653e5b0965c739a58543614bac0ad51c142ee5ec36ca39a7982caafeb013dc6686259e5bc386c03e2be1a7e5b2499df4b2543b0c1cb103387fdc1bda8556

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8bdceb5-d622-45e2-b979-37397f508cb9.vbs

Filesize
712B

MD5
617864bff63feba307d706d199bc3fab

SHA1
a6ff58af4677582f07bf69910d4745d8031f5cba

SHA256
e9bf8fed75fbf0d29ae98e94df2c0a5cd07a12b1a6de83f724d02b5ec0fa02f3

SHA512
9b8c4c129a478245103b47f158dfa04a412da70f5d452a01237326081c3c6df695a6af187d74b0c584dafb2e0b39ef1a0f2bffd64d1523129c2dde8e3b5b0866

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cb9d00-777e-4721-9551-9125f6f12803.vbs

Filesize
713B

MD5
2574bc92db1e152cc602c620b59a9337

SHA1
eb0caac870bed54dc0534014a3dda93fd10af7e9

SHA256
c6e9feb37dfc6c9c662500a0d555aa9c34e3032a9389897bdcb409f0c3573f89

SHA512
c5d32dd71855c5ca6b9467649acc2a7c592536dbaed974417c8ad2f61cc685ec1542a176af844dd3ecebd480cd6c99b9de20826480a135a4d934fca15d952220

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3979401-7530-4b8c-9ae9-24f61acb9235.vbs

Filesize
713B

MD5
4b495a8d768b5bbcb162e671f74bf8be

SHA1
d2a9f49d40de7acabbc413a49e35a4be0bf2c36e

SHA256
ae99efdb829471e5370bbcb31103c53b1b9d372e966dcac6f15fbfe6952f9181

SHA512
ef9cf04674c300faaa199b12c19f8235e3da1664692ebf75489391079c3aca9689c1e6b72e61226f6d48cec64f3d23da1e9b9a76e9d29eb1ef0d5d318d9a54e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F6.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5900AWGQ5T85BDP2GY2A.temp

Filesize
7KB

MD5
de6b5bcd0671fae611a4fcefd92b1d31

SHA1
f02bdae4a9d4c8024fb39dcd41f2798bd564844d

SHA256
d8fa963b74eb9c33029bbef6ac42fd1d0c937d764ff4dbb7e6e4a2ede5b32522

SHA512
e457c828e3a035b7a50cea60e71a693b0b799d5580c284bce088c59a8c0ae51e409e66169d989cb6024ace646e345ba97b81594d683e436187e7326d6fda4eae

Download Submit
memory/376-172-0x0000000000F10000-0x0000000001404000-memory.dmp

Filesize
5.0MB

Download
memory/872-307-0x0000000001390000-0x0000000001884000-memory.dmp

Filesize
5.0MB

Download
memory/900-85-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/900-86-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1272-260-0x0000000001030000-0x0000000001524000-memory.dmp

Filesize
5.0MB

Download
memory/1272-261-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/1280-277-0x0000000001190000-0x00000000011A2000-memory.dmp

Filesize
72KB

Download
memory/1280-276-0x00000000012E0000-0x00000000017D4000-memory.dmp

Filesize
5.0MB

Download
memory/1820-0-0x000007FEF64A3000-0x000007FEF64A4000-memory.dmp

Filesize
4KB

Download
memory/1820-15-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/1820-1-0x0000000000E90000-0x0000000001384000-memory.dmp

Filesize
5.0MB

Download
memory/1820-8-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/1820-16-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/1820-6-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/1820-14-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/1820-5-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/1820-4-0x0000000000510000-0x000000000052C000-memory.dmp

Filesize
112KB

Download
memory/1820-107-0x000007FEF64A0000-0x000007FEF6E8C000-memory.dmp

Filesize
9.9MB

Download
memory/1820-13-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/1820-2-0x000007FEF64A0000-0x000007FEF6E8C000-memory.dmp

Filesize
9.9MB

Download
memory/1820-3-0x000000001B660000-0x000000001B78E000-memory.dmp

Filesize
1.2MB

Download
memory/1820-12-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/1820-7-0x0000000000540000-0x0000000000556000-memory.dmp

Filesize
88KB

Download
memory/1820-11-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1820-10-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/1820-9-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2032-216-0x00000000003C0000-0x00000000008B4000-memory.dmp

Filesize
5.0MB

Download
memory/2172-245-0x0000000000890000-0x0000000000D84000-memory.dmp

Filesize
5.0MB

Download
memory/2396-157-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/2396-292-0x0000000001380000-0x0000000001874000-memory.dmp

Filesize
5.0MB

Download
memory/2396-156-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/2600-83-0x0000000000C00000-0x00000000010F4000-memory.dmp

Filesize
5.0MB

Download
memory/2772-201-0x00000000011C0000-0x00000000016B4000-memory.dmp

Filesize
5.0MB

Download