ramnit | d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6f

Analysis

max time kernel
12s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
Size

311KB
MD5

a7edf36f9caa29297f52c4ccac273500
SHA1

5331f3d8151335ec04602a0f199c42c8989d2a0c
SHA256

d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6f
SHA512

323c8c42de66c366395f9ccefcca0ff67bb4c64cd03a2843c575735cffdbe0abcae87010cc55a92b30c9f20a8312671c6bde4af5853b64914bedfd7bc7904446
SSDEEP

6144:2R2J0LS6Vgb8qG7ZDqqGoH4iToATg1PBnnykONu:2Rm0OqgtGBPl4UoHnn1r

Score

10^/10

ramnit sality backdoor banker discovery evasion persistence privilege_escalation spyware stealer trojan upx worm

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe:*:enabled:@shell32.dll,-1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WaterMark.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	WaterMark.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
384	netsh.exe
2080	netsh.exe

Deletes itself 1 IoCs

pid	Process
3296	WaterMark.exe

Executes dropped EXE 2 IoCs

pid	Process
2040	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
3296	WaterMark.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WaterMark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	WaterMark.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	WaterMark.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2040-13-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2040-11-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2040-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2040-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2040-7-0x00000000031F0000-0x0000000004223000-memory.dmp	upx
behavioral2/memory/2040-20-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2040-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2040-15-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2040-22-0x00000000031F0000-0x0000000004223000-memory.dmp	upx
behavioral2/memory/3296-35-0x0000000003410000-0x0000000004443000-memory.dmp	upx
behavioral2/memory/3296-64-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3296-53-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3296-43-0x0000000003410000-0x0000000004443000-memory.dmp	upx
behavioral2/memory/3296-68-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3296-70-0x0000000003410000-0x0000000004443000-memory.dmp	upx
behavioral2/memory/5112-80-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3296-72-0x0000000003410000-0x0000000004443000-memory.dmp	upx
behavioral2/memory/3296-129-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6C08.tmp	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	WaterMark.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5F75.tmp	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaterMark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FE90041C-C07B-11EF-AF2A-C67090DD1599} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FE972A1A-C07B-11EF-AF2A-C67090DD1599} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe
3296	WaterMark.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe
Token: SeDebugPrivilege	3296	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5040	iexplore.exe
1424	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1424	iexplore.exe
1424	iexplore.exe
5040	iexplore.exe
5040	iexplore.exe
756	IEXPLORE.EXE
756	IEXPLORE.EXE
3556	IEXPLORE.EXE
3556	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2040	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
3296	WaterMark.exe
5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 2040	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	85
PID 5112 wrote to memory of 2040	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	85
PID 5112 wrote to memory of 2040	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	85
PID 5112 wrote to memory of 620	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	5
PID 5112 wrote to memory of 620	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	5
PID 5112 wrote to memory of 620	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	5
PID 5112 wrote to memory of 620	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	5
PID 5112 wrote to memory of 620	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	5
PID 5112 wrote to memory of 620	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	5
PID 5112 wrote to memory of 672	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	7
PID 5112 wrote to memory of 672	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	7
PID 5112 wrote to memory of 672	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	7
PID 5112 wrote to memory of 672	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	7
PID 5112 wrote to memory of 672	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	7
PID 5112 wrote to memory of 672	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	7
PID 5112 wrote to memory of 796	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	8
PID 5112 wrote to memory of 796	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	8
PID 5112 wrote to memory of 796	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	8
PID 5112 wrote to memory of 796	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	8
PID 5112 wrote to memory of 796	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	8
PID 5112 wrote to memory of 796	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	8
PID 2040 wrote to memory of 3296	2040	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe	86
PID 2040 wrote to memory of 3296	2040	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe	86
PID 2040 wrote to memory of 3296	2040	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe	86
PID 5112 wrote to memory of 804	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	9
PID 5112 wrote to memory of 804	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	9
PID 5112 wrote to memory of 804	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	9
PID 5112 wrote to memory of 804	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	9
PID 5112 wrote to memory of 804	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	9
PID 5112 wrote to memory of 804	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	9
PID 5112 wrote to memory of 812	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	10
PID 5112 wrote to memory of 812	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	10
PID 5112 wrote to memory of 812	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	10
PID 5112 wrote to memory of 812	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	10
PID 5112 wrote to memory of 812	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	10
PID 5112 wrote to memory of 812	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	10
PID 5112 wrote to memory of 920	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	11
PID 5112 wrote to memory of 920	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	11
PID 5112 wrote to memory of 920	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	11
PID 5112 wrote to memory of 920	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	11
PID 5112 wrote to memory of 920	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	11
PID 5112 wrote to memory of 920	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	11
PID 5112 wrote to memory of 972	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	12
PID 5112 wrote to memory of 972	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	12
PID 5112 wrote to memory of 972	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	12
PID 5112 wrote to memory of 972	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	12
PID 5112 wrote to memory of 972	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	12
PID 5112 wrote to memory of 972	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	12
PID 5112 wrote to memory of 380	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	13
PID 5112 wrote to memory of 380	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	13
PID 5112 wrote to memory of 380	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	13
PID 5112 wrote to memory of 380	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	13
PID 5112 wrote to memory of 380	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	13
PID 5112 wrote to memory of 380	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	13
PID 5112 wrote to memory of 432	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	14
PID 5112 wrote to memory of 432	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	14
PID 5112 wrote to memory of 432	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	14
PID 5112 wrote to memory of 432	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	14
PID 5112 wrote to memory of 432	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	14
PID 5112 wrote to memory of 432	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	14
PID 3296 wrote to memory of 384	3296	WaterMark.exe	87
PID 3296 wrote to memory of 384	3296	WaterMark.exe	87
PID 3296 wrote to memory of 384	3296	WaterMark.exe	87
PID 5112 wrote to memory of 880	5112	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe	15

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaterMark.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:804
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:812
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3204
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3820
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3908
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3972
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4052
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2588
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:3172
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:5072
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4924
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2332
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2060
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2412
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1096
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2516
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:3572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1348
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1260

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2800

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe
  "C:\Users\Admin\AppData\Local\Temp\d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fN.exe"
  2⤵
  - Modifies firewall policy service
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
    C:\Users\Admin\AppData\Local\Temp\d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe
    3⤵
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2040
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Deletes itself
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3296
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:384
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:4664
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5040
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5040 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3556
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1424
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:17410 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        7⤵
        Modifies Windows Firewall
        
        PID:2080
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:644
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE"
        7⤵
        
        PID:4832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4040

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
36ed732b90a27bd5f4716645a456ad34

SHA1
93caaf2e2b76b96142e3a9865eb12aa6aab4296e

SHA256
a41bae0a57d70f030a24668e1e68cfec75c27ed94105d8ae895025edfef3132e

SHA512
460f8f4e5bc5f445c7f175699c80e86e2f4c1822a4e7c3ecb07de224db0c7428f74058fa3e164b3fde0777af2818da0e9e831b869e8bd7b1ffb3b4abc794fbd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
c90f37242d336b822468f697b1608136

SHA1
ed0ac5f36daba0d87a42ef666e08a2839eaee489

SHA256
1e09b0f014a6f31156b9b3138d6ed81b96e49fb49cf53d35c79e2b3dc03641c5

SHA512
7aac88602487fb35f455db0c377dc0334e5f13aa8f9351b83c2d1dc0eefd0e61a86a8e7ce04f57fa4e1435ae45aee467931d91bb7831ea7ea4ac8bdb1ddb0d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FE90041C-C07B-11EF-AF2A-C67090DD1599}.dat

Filesize
3KB

MD5
5db7670ad0fa64e0a0cd15d96b8355ad

SHA1
7569bddbc0470dd778f4f575323a9612d3b32d6a

SHA256
04e34591d0bd413b7e4ea8c6103caa340ac07f8708fd579eff7f48b8a8f082e3

SHA512
5f955b5c74fd77715a8fb574daa2fa6201a1fbe784ac303f9a4d5a71855c8810060e5b9854fa1176d82bea6795fa68e5dd341cdc42d16ba485c7a6cdc85a1ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FE972A1A-C07B-11EF-AF2A-C67090DD1599}.dat

Filesize
5KB

MD5
79457c5bc5a53fbdf6eba3ba0496cf4b

SHA1
b346d96c98be49d71389d20095412dd09c2581db

SHA256
8cb64e6e39239806c582d5bcc0a62f23ef112957a5f02788542cff24c1eadb20

SHA512
c093e1eb089467a3fce085747e1801c8325cffeb9e1e30ad2fa925343d95729b5fd7a5f54124416786e45f5d83ce15f0a64bdf3131d89e44ac153655f4597c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verEDCB.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DQ67RYHS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2f6e8823aadf0327387ee43f72150f0b9daf58d958abbcd70e1d8a3d11fdc6fNmgr.exe

Filesize
154KB

MD5
42d87db4c8bf5b4d423438bda404d282

SHA1
91dca72613ece33dc565d6f06f412870ea60a41a

SHA256
e4a6e8d94f289fe401e265a59228858aae68677cd09425ab7066c72d4a03aad3

SHA512
ca78048b7080f81faefdb61d7e58a41086d54861acfbc0f57f2b5c548be28cb633bd8624f3ebb89b289a8503d7ede43ea6698c02c697b07bbcbd6fc39146219d

Download Submit
C:\Windows\SYSTEM.INI

Filesize
258B

MD5
ef1673d1747ee2b74e2caac668544c6e

SHA1
c3c7a2cb4801c7604b9fe57033d6d2fe053219fa

SHA256
5994afc2fa5b3c1a3ec54f1107fd8b3911b4f462380226f2d9692332f0cdf1be

SHA512
59239f80c7b646a45cf4a1d89515eb94e406790e22a5c0b77f0710dc023ba9e5b1a2b93ef6892d6156ff9c1e7df1cda5f81a5eaac1e7638e6d21a83fa0e89871

Download Submit
memory/384-65-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/384-66-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/384-61-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/384-90-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/2040-5-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2040-7-0x00000000031F0000-0x0000000004223000-memory.dmp

Filesize
16.2MB

Download
memory/2040-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2040-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2040-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2040-22-0x00000000031F0000-0x0000000004223000-memory.dmp

Filesize
16.2MB

Download
memory/2040-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2040-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2040-11-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2040-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2040-14-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2040-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2040-6-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3296-54-0x0000000077282000-0x0000000077283000-memory.dmp

Filesize
4KB

Download
memory/3296-59-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3296-62-0x0000000000070000-0x0000000000072000-memory.dmp

Filesize
8KB

Download
memory/3296-53-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3296-43-0x0000000003410000-0x0000000004443000-memory.dmp

Filesize
16.2MB

Download
memory/3296-37-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3296-36-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3296-34-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3296-63-0x0000000000070000-0x0000000000072000-memory.dmp

Filesize
8KB

Download
memory/3296-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3296-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3296-70-0x0000000003410000-0x0000000004443000-memory.dmp

Filesize
16.2MB

Download
memory/3296-129-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3296-97-0x0000000000070000-0x0000000000072000-memory.dmp

Filesize
8KB

Download
memory/3296-52-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3296-35-0x0000000003410000-0x0000000004443000-memory.dmp

Filesize
16.2MB

Download
memory/3296-72-0x0000000003410000-0x0000000004443000-memory.dmp

Filesize
16.2MB

Download
memory/3296-89-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/5112-57-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/5112-83-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/5112-80-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5112-74-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/5112-73-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/5112-67-0x00000000008F0000-0x00000000008F2000-memory.dmp

Filesize
8KB

Download
memory/5112-69-0x00000000008F0000-0x00000000008F2000-memory.dmp

Filesize
8KB

Download
memory/5112-56-0x00000000008F0000-0x00000000008F2000-memory.dmp

Filesize
8KB

Download
memory/5112-0-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download