dcrat | b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30

Analysis

max time kernel
120s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Size

1.5MB
MD5

e6606aa0691b886298e05ae11a4167e2
SHA1

39da4c5f82a23ffd68f3151c9e54f0ea5d7bd076
SHA256

b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30
SHA512

12ae8bc3c473a594b42b85ca6dc2e14f6b287fc126f41c3270a9e278213faf2e333830f95210f7d31fe404800a3b80b463079eea4067d504957f6ec5c681580b
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRG:EzhWhCXQFN+0IEuQgyiVKu

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\y2exy5dmnrsq6\\dllhost.exe\""	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\y2exy5dmnrsq6\\dllhost.exe\", \"C:\\Windows\\System32\\audiosrv\\sihost.exe\""	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\y2exy5dmnrsq6\\dllhost.exe\", \"C:\\Windows\\System32\\audiosrv\\sihost.exe\", \"C:\\Users\\Admin\\wininit.exe\""	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	3500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	3500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	3500	schtasks.exe	83

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4908	powershell.exe
8	powershell.exe
3596	powershell.exe
1800	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 13 IoCs

pid	Process
2692	dllhost.exe
904	dllhost.exe
4812	dllhost.exe
2024	dllhost.exe
4992	dllhost.exe
2796	dllhost.exe
4560	dllhost.exe
4972	dllhost.exe
4756	dllhost.exe
3632	dllhost.exe
4924	dllhost.exe
1412	dllhost.exe
3236	dllhost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\wininit.exe\""	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\wininit.exe\""	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\y2exy5dmnrsq6\\dllhost.exe\""	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\y2exy5dmnrsq6\\dllhost.exe\""	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\audiosrv\\sihost.exe\""	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\audiosrv\\sihost.exe\""	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\y2exy5dmnrsq6\RCX9135.tmp	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
File opened for modification	C:\Windows\System32\audiosrv\RCX9359.tmp	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
File opened for modification	C:\Windows\System32\audiosrv\sihost.exe	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
File created	C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
File opened for modification	C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
File created	C:\Windows\System32\y2exy5dmnrsq6\5940a34987c991	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
File created	C:\Windows\System32\audiosrv\sihost.exe	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
File created	C:\Windows\System32\audiosrv\66fc9ff0ee96c2	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\fonts\smss.exe	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2480	schtasks.exe
1536	schtasks.exe
3688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
4908	powershell.exe
3596	powershell.exe
1800	powershell.exe
8	powershell.exe
1800	powershell.exe
3596	powershell.exe
4908	powershell.exe
8	powershell.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
2692	dllhost.exe
904	dllhost.exe
904	dllhost.exe
904	dllhost.exe
904	dllhost.exe
904	dllhost.exe
904	dllhost.exe
904	dllhost.exe
904	dllhost.exe
904	dllhost.exe
904	dllhost.exe
904	dllhost.exe
904	dllhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	2692	dllhost.exe
Token: SeDebugPrivilege	904	dllhost.exe
Token: SeDebugPrivilege	4812	dllhost.exe
Token: SeDebugPrivilege	2024	dllhost.exe
Token: SeDebugPrivilege	4992	dllhost.exe
Token: SeDebugPrivilege	2796	dllhost.exe
Token: SeDebugPrivilege	4560	dllhost.exe
Token: SeDebugPrivilege	4972	dllhost.exe
Token: SeDebugPrivilege	4756	dllhost.exe
Token: SeDebugPrivilege	3632	dllhost.exe
Token: SeDebugPrivilege	4924	dllhost.exe
Token: SeDebugPrivilege	1412	dllhost.exe
Token: SeDebugPrivilege	3236	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 8	2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe	87
PID 2072 wrote to memory of 8	2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe	87
PID 2072 wrote to memory of 4908	2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe	88
PID 2072 wrote to memory of 4908	2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe	88
PID 2072 wrote to memory of 1800	2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe	89
PID 2072 wrote to memory of 1800	2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe	89
PID 2072 wrote to memory of 3596	2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe	90
PID 2072 wrote to memory of 3596	2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe	90
PID 2072 wrote to memory of 2692	2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe	95
PID 2072 wrote to memory of 2692	2072	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe	95
PID 2692 wrote to memory of 3988	2692	dllhost.exe	96
PID 2692 wrote to memory of 3988	2692	dllhost.exe	96
PID 2692 wrote to memory of 1960	2692	dllhost.exe	97
PID 2692 wrote to memory of 1960	2692	dllhost.exe	97
PID 3988 wrote to memory of 904	3988	WScript.exe	102
PID 3988 wrote to memory of 904	3988	WScript.exe	102
PID 904 wrote to memory of 4644	904	dllhost.exe	103
PID 904 wrote to memory of 4644	904	dllhost.exe	103
PID 904 wrote to memory of 4844	904	dllhost.exe	104
PID 904 wrote to memory of 4844	904	dllhost.exe	104
PID 4644 wrote to memory of 4812	4644	WScript.exe	107
PID 4644 wrote to memory of 4812	4644	WScript.exe	107
PID 4812 wrote to memory of 3060	4812	dllhost.exe	108
PID 4812 wrote to memory of 3060	4812	dllhost.exe	108
PID 4812 wrote to memory of 3296	4812	dllhost.exe	109
PID 4812 wrote to memory of 3296	4812	dllhost.exe	109
PID 3060 wrote to memory of 2024	3060	WScript.exe	112
PID 3060 wrote to memory of 2024	3060	WScript.exe	112
PID 2024 wrote to memory of 4564	2024	dllhost.exe	113
PID 2024 wrote to memory of 4564	2024	dllhost.exe	113
PID 2024 wrote to memory of 2928	2024	dllhost.exe	114
PID 2024 wrote to memory of 2928	2024	dllhost.exe	114
PID 4564 wrote to memory of 4992	4564	WScript.exe	115
PID 4564 wrote to memory of 4992	4564	WScript.exe	115
PID 4992 wrote to memory of 2808	4992	dllhost.exe	116
PID 4992 wrote to memory of 2808	4992	dllhost.exe	116
PID 4992 wrote to memory of 4328	4992	dllhost.exe	117
PID 4992 wrote to memory of 4328	4992	dllhost.exe	117
PID 2808 wrote to memory of 2796	2808	WScript.exe	118
PID 2808 wrote to memory of 2796	2808	WScript.exe	118
PID 2796 wrote to memory of 1448	2796	dllhost.exe	119
PID 2796 wrote to memory of 1448	2796	dllhost.exe	119
PID 2796 wrote to memory of 1188	2796	dllhost.exe	120
PID 2796 wrote to memory of 1188	2796	dllhost.exe	120
PID 1448 wrote to memory of 4560	1448	WScript.exe	121
PID 1448 wrote to memory of 4560	1448	WScript.exe	121
PID 4560 wrote to memory of 3480	4560	dllhost.exe	122
PID 4560 wrote to memory of 3480	4560	dllhost.exe	122
PID 4560 wrote to memory of 4496	4560	dllhost.exe	123
PID 4560 wrote to memory of 4496	4560	dllhost.exe	123
PID 3480 wrote to memory of 4972	3480	WScript.exe	124
PID 3480 wrote to memory of 4972	3480	WScript.exe	124
PID 4972 wrote to memory of 2712	4972	dllhost.exe	125
PID 4972 wrote to memory of 2712	4972	dllhost.exe	125
PID 4972 wrote to memory of 4956	4972	dllhost.exe	126
PID 4972 wrote to memory of 4956	4972	dllhost.exe	126
PID 2712 wrote to memory of 4756	2712	WScript.exe	127
PID 2712 wrote to memory of 4756	2712	WScript.exe	127
PID 4756 wrote to memory of 4228	4756	dllhost.exe	128
PID 4756 wrote to memory of 4228	4756	dllhost.exe	128
PID 4756 wrote to memory of 1860	4756	dllhost.exe	129
PID 4756 wrote to memory of 1860	4756	dllhost.exe	129
PID 4228 wrote to memory of 3632	4228	WScript.exe	130
PID 4228 wrote to memory of 3632	4228	WScript.exe	130

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe
"C:\Users\Admin\AppData\Local\Temp\b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\audiosrv\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
  "C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2692
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e978da56-af80-446d-b6d0-7cec79dc9376.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
      C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:904
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1c0afd7-545d-4c2f-9607-34acf9040d1f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4644
      - C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b645820d-ee3b-4cf4-95d8-3d55806d544c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e30e5759-9e2f-49b4-b469-9e6d4da02161.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\495df437-6e08-4f22-a935-696d473bd84c.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b9d3e59-11c9-4023-8031-30f57d771e05.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9994abce-6a43-4974-85d9-60e0f7a0a6b3.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24247bd7-77e4-4fa1-9115-71bd800eb502.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12d83b68-3bc1-4534-a3cc-e08c198b92ff.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d13d1ac-ad90-4172-9a33-b9163b15b4ec.vbs"
        21⤵
        
        PID:1580
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90900291-3be0-4d62-9942-0a69d2d0d7e7.vbs"
        23⤵
        
        PID:1728
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\386615c4-f815-427f-aef9-77c7f77a382e.vbs"
        25⤵
        
        PID:4996
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        
        C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cea28af3-73c3-47ec-8576-90c2639928bc.vbs"
        25⤵
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89465fec-6f3d-4ce9-926a-0e20c682b5d2.vbs"
        23⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7448396-9553-406d-b7e7-703f6a2e9811.vbs"
        21⤵
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5860c246-046d-49ab-a35e-c00296213d4d.vbs"
        19⤵
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df38ba5b-9e3d-40df-8948-52cc7d2d7b2b.vbs"
        17⤵
        
        PID:4956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d4c84f2-c105-4eaf-a620-ad7b24849fbe.vbs"
        15⤵
        
        PID:4496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbfa18ea-df4d-4f4f-a52c-784479f5e6ec.vbs"
        13⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68107af8-90ee-4394-a129-1b727e419d4d.vbs"
        11⤵
        
        PID:4328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dce76d0-8bf5-4169-803a-2e11e5fb2835.vbs"
        9⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62cf2bf1-66a4-4b10-ba2c-5a6a5ead6413.vbs"
        7⤵
        
        PID:3296
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d705a6e-c9e4-487c-8b5b-d7886460aec8.vbs"
        5⤵
        
        PID:4844
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\215f43a6-7165-4fbe-9fb8-dd5d393af46e.vbs"
    3⤵
    PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\audiosrv\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b9d3e59-11c9-4023-8031-30f57d771e05.vbs

Filesize
721B

MD5
5d59260e270395f8ed81ceb843cb9281

SHA1
9f4ddef7aee7eb4892c1b15d10d46f8ba1056d95

SHA256
ab288842d464ef49667716da9a78e39523030bf9011c60b5358a5717237c556c

SHA512
dc2c6d4dabf296b9816161fd64e6e0a2936159fe747b7c44ce322cb682c41db0098f4341e6193ad4a0df69c3653a7217481dd95d4aaffb5b439692090d84796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\12d83b68-3bc1-4534-a3cc-e08c198b92ff.vbs

Filesize
721B

MD5
3a9bb2f3e5e8dced1d6eb0f21120d63b

SHA1
52669e42e7ac686303f1580b1d3fbf3e5a808cbd

SHA256
f11008563362651629f27d5c25581bf2831f7597d9e03155121e57eb640c4675

SHA512
e5617dfc232baff25de84cd9c9f6c3a9ff51941120f7c4c56e967c4173936e41a9abf451a01cddc0723134581b77c86dd303618f31627d2150abd28fa931858e

Download Submit
C:\Users\Admin\AppData\Local\Temp\215f43a6-7165-4fbe-9fb8-dd5d393af46e.vbs

Filesize
497B

MD5
ced1dd62155a5f3b2db94564e2bb93e3

SHA1
f6a922d0205293038ce822fa3a5167ef50684b4c

SHA256
8e38273aebc710057862bef95d254144598701f36b83e017d5d00896f8c37b18

SHA512
061774ef9b420872dd61e894bd329a1116c06e12b0e46f153ed23119af009d5cc25acdb682fe5ab5816d93d2a42671878cbff7abd29dfe69c266295eeeb0fb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\24247bd7-77e4-4fa1-9115-71bd800eb502.vbs

Filesize
721B

MD5
96099301740ffda5b6a6e3e31ca7dc80

SHA1
017902b186d291e55140f2d519ed6ef86cee39d0

SHA256
d4d3dfe4c7eeca56a71c11cfda8b9d7fc9c9a4c3664553b03dd41fd690113991

SHA512
29fa0bfdec5e327a96a6b52b99e48fe8fdaf9eb626ef04232e1de934df7ebc4d36cf6da04da4f7b5696f670071752b65c51458f73775962214cbf599f7620638

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d13d1ac-ad90-4172-9a33-b9163b15b4ec.vbs

Filesize
721B

MD5
75b5d565498412a592c3c8d7e52f7fde

SHA1
3e0f34b7ca11f1624ee940864aef57b4e7337e2a

SHA256
e1d88aa76f0127d69103566f874c6eabc60375355ef782ebc03f02734d8aff98

SHA512
d77f8f350113bfd7b85deb9136fe5adaace9becfa1ef1c57e4b5db2e94d8a9b789094d58a2bcdbbc62cba3548f97dea895e950eeb632d4497c3ad1e7a16adf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\386615c4-f815-427f-aef9-77c7f77a382e.vbs

Filesize
721B

MD5
33878f3b1b64d8b1ff5c731c8c842552

SHA1
5ed03658e1c00b707e8607b27b4aba430e1eba4b

SHA256
dbab7f13f57d4c3584a49ee88e31e052a8bf2ffdd5b4d213c711a949768081eb

SHA512
569df50aa61798158f9717dffb5562d7b9e987dbcc96f430a24c08300726ebbd092948db02842e2e329b4906666057b43d0c201fc44153b01743c3f7780b3f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\495df437-6e08-4f22-a935-696d473bd84c.vbs

Filesize
721B

MD5
b11b37aef5cd4448d9867bf19e3ba3c5

SHA1
ce3d1731b9f2784bbcbdf0ab6b2815f3124896dd

SHA256
115d6ccb45f920da9c53b98df87406482a9bb1e9b4bee866f2e0fa346d1022af

SHA512
d5d7bd9f82a1d8df4d25c908c0c090f6f59412a54419249d78f055bc26eee302282462e922c3dd1c72e46f001e1c5acdad66424be840782e8c728248a9f61f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\90900291-3be0-4d62-9942-0a69d2d0d7e7.vbs

Filesize
721B

MD5
e7666f24434df52089daf090fe99033b

SHA1
229eade2f2fce45819194b1bf70a841c12b79f7c

SHA256
9d91b9f71f3ab46118c10c04deefe79d5aa786f70b0ad646a33ad3709822374b

SHA512
170a5983522bd190ca879cbca418cea2665bcc88d4ffdca002a71240f832ca788f80606a546dc064bc3e2996d77de9576094c98201039ef00fb45027c7b022d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9994abce-6a43-4974-85d9-60e0f7a0a6b3.vbs

Filesize
721B

MD5
1f811a31158a3cf4d738eb18221a42af

SHA1
ded72c667f47f74035d5d5782a8a44172dd0b029

SHA256
77c8dbe8002c52f97a1de28101c734e2b599dc9010c0d5a057b05dc6f3916a11

SHA512
1016722e2f0cffb5c8b0718f738ba9e9b069202b74964c32b1af90b4b5fb4333e5964f661fae32dc5beb9388b1753ba4eab22ffb6f0300f83bc79ee215ee3a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lpbxzxml.h3d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b645820d-ee3b-4cf4-95d8-3d55806d544c.vbs

Filesize
721B

MD5
8929769945d4c698f591e14c7fe7a162

SHA1
8df4f6c7878b46b31af27f7eccb1571632ca2da1

SHA256
faa61b196da0e7f07c7a8d685f8a877c14523b8bbf7a9976a3860f0772901db9

SHA512
b94a7a2f3e99998599839b627092e89d25effbd318fb5310bfc6520d41220f44671906e7796fe1076909b9590d92ce01535784687b7b716e1d47f8d50880ffa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1c0afd7-545d-4c2f-9607-34acf9040d1f.vbs

Filesize
720B

MD5
17898b96b9a547a5a61798aaeb82d3ad

SHA1
78aa395e007d8b1778cdecce15679e6c0a21d58b

SHA256
5c0bdea86450b734ba98cfdefdba752871d2088bc7b7c1acc8ffe8197f9d7081

SHA512
1ff1541a310a0306a1037bfcc5865f844b416478538f67a889718e5f478471b634c3d64199f477873eb2f9aa95b2ed893a26ce3753e4a6cbdf69aa5a111729c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e30e5759-9e2f-49b4-b469-9e6d4da02161.vbs

Filesize
721B

MD5
8d8d0bdb2aa8dd98474ee2f243b2e303

SHA1
0174e0c23b18ea6305cfa4122dfc0a4d67c77685

SHA256
e0da7acae407d4d927aa0f9f6d6806c409e3ace33fe3cf74f04352c9e1b7f41c

SHA512
04c6ebf8834ecf8deab4203fd0edd56024c5832ece460fb61214082e55823b4612b13d502f52c81d0121093a5818853665b7f8afd1bb8a1765f932d92fea0b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e978da56-af80-446d-b6d0-7cec79dc9376.vbs

Filesize
721B

MD5
76ef8b360671e90b90d4240724c83729

SHA1
a0994f4b59484ad1188dd46a17731e9877156c95

SHA256
1d2a008d6cf8a255a0643eed6e87f8031ce44ed0d9b76ffb973a0f4e43e16482

SHA512
9a0cdab04e78a8952260e711d5e23845e40392ff06eac8b2671a062dca779e703c289e1dd2acc8dd71653a3704efa60877509e135b091c41aacfdb1801ab2723

Download Submit
C:\Windows\System32\y2exy5dmnrsq6\dllhost.exe

Filesize
1.5MB

MD5
e6606aa0691b886298e05ae11a4167e2

SHA1
39da4c5f82a23ffd68f3151c9e54f0ea5d7bd076

SHA256
b1f5f4c7b4c9919532783142fbd5af48df5768e591a57c08c256125155e01f30

SHA512
12ae8bc3c473a594b42b85ca6dc2e14f6b287fc126f41c3270a9e278213faf2e333830f95210f7d31fe404800a3b80b463079eea4067d504957f6ec5c681580b

Download Submit
memory/1800-88-0x000001D276C90000-0x000001D276CB2000-memory.dmp

Filesize
136KB

Download
memory/2072-12-0x000000001BD00000-0x000000001BD08000-memory.dmp

Filesize
32KB

Download
memory/2072-0-0x00007FFB5E6D3000-0x00007FFB5E6D5000-memory.dmp

Filesize
8KB

Download
memory/2072-11-0x000000001BCF0000-0x000000001BD00000-memory.dmp

Filesize
64KB

Download
memory/2072-34-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/2072-1-0x0000000000F10000-0x000000000108E000-memory.dmp

Filesize
1.5MB

Download
memory/2072-18-0x000000001BD60000-0x000000001BD68000-memory.dmp

Filesize
32KB

Download
memory/2072-21-0x000000001BE90000-0x000000001BE98000-memory.dmp

Filesize
32KB

Download
memory/2072-17-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/2072-16-0x000000001BD40000-0x000000001BD48000-memory.dmp

Filesize
32KB

Download
memory/2072-15-0x000000001BD30000-0x000000001BD3A000-memory.dmp

Filesize
40KB

Download
memory/2072-136-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/2072-10-0x000000001BCE0000-0x000000001BCF0000-memory.dmp

Filesize
64KB

Download
memory/2072-13-0x000000001BD10000-0x000000001BD1A000-memory.dmp

Filesize
40KB

Download
memory/2072-20-0x000000001BE80000-0x000000001BE8C000-memory.dmp

Filesize
48KB

Download
memory/2072-25-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/2072-24-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/2072-14-0x000000001BD20000-0x000000001BD2C000-memory.dmp

Filesize
48KB

Download
memory/2072-9-0x0000000003500000-0x000000000350C000-memory.dmp

Filesize
48KB

Download
memory/2072-2-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/2072-8-0x00000000034F0000-0x00000000034F8000-memory.dmp

Filesize
32KB

Download
memory/2072-6-0x00000000034C0000-0x00000000034CA000-memory.dmp

Filesize
40KB

Download
memory/2072-7-0x00000000034E0000-0x00000000034EC000-memory.dmp

Filesize
48KB

Download
memory/2072-4-0x00000000034B0000-0x00000000034C2000-memory.dmp

Filesize
72KB

Download
memory/2072-5-0x00000000034D0000-0x00000000034DC000-memory.dmp

Filesize
48KB

Download
memory/2072-3-0x00000000034A0000-0x00000000034A8000-memory.dmp

Filesize
32KB

Download
memory/4812-160-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/4924-251-0x000000001AF30000-0x000000001AF42000-memory.dmp

Filesize
72KB

Download
memory/4972-217-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/4992-183-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download