8e52ba8956d643c96cdeb75c43492302cf710a3d2acc852442930dedbe9ea1bb

Analysis

max time kernel
91s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea78193c0a312343dc3d6ecf4c9709a1.exe
Size

1.9MB
MD5

ea78193c0a312343dc3d6ecf4c9709a1
SHA1

a0ef53ffbda9e058034c460dcf924971da8dedcb
SHA256

af910cca03f917e9f66f2928480d463c358ae42246e32b0900e5572a09920cb2
SHA512

835efc748beddcdf0ca2a8203d9f461e5a6f831dec65a6f0fa56f158b947ce53228ed0c89a688bd0fcd2883cae89bb86a88ab3f9b8a9d98d5f96a46759fc913a
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2888	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2052	powershell.exe
2416	powershell.exe
2872	powershell.exe
2828	powershell.exe
2932	powershell.exe
2708	powershell.exe
2628	powershell.exe
2636	powershell.exe
2736	powershell.exe
2732	powershell.exe
2820	powershell.exe
2724	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ea78193c0a312343dc3d6ecf4c9709a1.exe

Executes dropped EXE 7 IoCs

pid	Process
568	lsm.exe
2080	lsm.exe
2764	lsm.exe
2720	lsm.exe
2368	lsm.exe
2992	lsm.exe
2908	lsm.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\System.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\886983d96e3d3e	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Program Files\Common Files\Services\101b941d020240	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\RCXC89E.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files\Common Files\Services\RCXD595.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files\Common Files\Services\RCXD604.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Program Files\Common Files\Services\lsm.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Program Files\7-Zip\27d1bcfc3c54e0	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXD18C.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\WmiPrvSE.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\WmiPrvSE.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\24dbde2999530e	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Program Files\7-Zip\System.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files\Common Files\Services\lsm.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files\7-Zip\RCXDC9D.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\RCXC90C.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXD18D.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files\7-Zip\RCXDC9E.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3016	schtasks.exe
1184	schtasks.exe
1852	schtasks.exe
2676	schtasks.exe
328	schtasks.exe
2180	schtasks.exe
2844	schtasks.exe
2876	schtasks.exe
1440	schtasks.exe
2480	schtasks.exe
696	schtasks.exe
2324	schtasks.exe
324	schtasks.exe
2712	schtasks.exe
2548	schtasks.exe
2720	schtasks.exe
1840	schtasks.exe
1240	schtasks.exe
1708	schtasks.exe
2884	schtasks.exe
2620	schtasks.exe
2680	schtasks.exe
1208	schtasks.exe
2436	schtasks.exe
1476	schtasks.exe
2496	schtasks.exe
2912	schtasks.exe
2352	schtasks.exe
952	schtasks.exe
2448	schtasks.exe
2760	schtasks.exe
2644	schtasks.exe
2036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2264	ea78193c0a312343dc3d6ecf4c9709a1.exe
2264	ea78193c0a312343dc3d6ecf4c9709a1.exe
2264	ea78193c0a312343dc3d6ecf4c9709a1.exe
2264	ea78193c0a312343dc3d6ecf4c9709a1.exe
2264	ea78193c0a312343dc3d6ecf4c9709a1.exe
2264	ea78193c0a312343dc3d6ecf4c9709a1.exe
2264	ea78193c0a312343dc3d6ecf4c9709a1.exe
2264	ea78193c0a312343dc3d6ecf4c9709a1.exe
2264	ea78193c0a312343dc3d6ecf4c9709a1.exe
2828	powershell.exe
2732	powershell.exe
2708	powershell.exe
2416	powershell.exe
2872	powershell.exe
2820	powershell.exe
2932	powershell.exe
2052	powershell.exe
2636	powershell.exe
2628	powershell.exe
2736	powershell.exe
2724	powershell.exe
568	lsm.exe
2080	lsm.exe
2764	lsm.exe
2720	lsm.exe
2368	lsm.exe
2992	lsm.exe
2908	lsm.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	568	lsm.exe
Token: SeDebugPrivilege	2080	lsm.exe
Token: SeDebugPrivilege	2764	lsm.exe
Token: SeDebugPrivilege	2720	lsm.exe
Token: SeDebugPrivilege	2368	lsm.exe
Token: SeDebugPrivilege	2992	lsm.exe
Token: SeDebugPrivilege	2908	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2736	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	65
PID 2264 wrote to memory of 2736	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	65
PID 2264 wrote to memory of 2736	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	65
PID 2264 wrote to memory of 2416	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	66
PID 2264 wrote to memory of 2416	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	66
PID 2264 wrote to memory of 2416	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	66
PID 2264 wrote to memory of 2872	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	67
PID 2264 wrote to memory of 2872	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	67
PID 2264 wrote to memory of 2872	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	67
PID 2264 wrote to memory of 2828	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	68
PID 2264 wrote to memory of 2828	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	68
PID 2264 wrote to memory of 2828	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	68
PID 2264 wrote to memory of 2732	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	69
PID 2264 wrote to memory of 2732	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	69
PID 2264 wrote to memory of 2732	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	69
PID 2264 wrote to memory of 2820	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	70
PID 2264 wrote to memory of 2820	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	70
PID 2264 wrote to memory of 2820	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	70
PID 2264 wrote to memory of 2724	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	71
PID 2264 wrote to memory of 2724	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	71
PID 2264 wrote to memory of 2724	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	71
PID 2264 wrote to memory of 2932	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	72
PID 2264 wrote to memory of 2932	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	72
PID 2264 wrote to memory of 2932	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	72
PID 2264 wrote to memory of 2708	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	73
PID 2264 wrote to memory of 2708	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	73
PID 2264 wrote to memory of 2708	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	73
PID 2264 wrote to memory of 2636	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	74
PID 2264 wrote to memory of 2636	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	74
PID 2264 wrote to memory of 2636	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	74
PID 2264 wrote to memory of 2052	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	76
PID 2264 wrote to memory of 2052	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	76
PID 2264 wrote to memory of 2052	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	76
PID 2264 wrote to memory of 2628	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	78
PID 2264 wrote to memory of 2628	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	78
PID 2264 wrote to memory of 2628	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	78
PID 2264 wrote to memory of 568	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	89
PID 2264 wrote to memory of 568	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	89
PID 2264 wrote to memory of 568	2264	ea78193c0a312343dc3d6ecf4c9709a1.exe	89
PID 568 wrote to memory of 2068	568	lsm.exe	90
PID 568 wrote to memory of 2068	568	lsm.exe	90
PID 568 wrote to memory of 2068	568	lsm.exe	90
PID 568 wrote to memory of 2444	568	lsm.exe	91
PID 568 wrote to memory of 2444	568	lsm.exe	91
PID 568 wrote to memory of 2444	568	lsm.exe	91
PID 2068 wrote to memory of 2080	2068	WScript.exe	92
PID 2068 wrote to memory of 2080	2068	WScript.exe	92
PID 2068 wrote to memory of 2080	2068	WScript.exe	92
PID 2080 wrote to memory of 284	2080	lsm.exe	93
PID 2080 wrote to memory of 284	2080	lsm.exe	93
PID 2080 wrote to memory of 284	2080	lsm.exe	93
PID 2080 wrote to memory of 2424	2080	lsm.exe	94
PID 2080 wrote to memory of 2424	2080	lsm.exe	94
PID 2080 wrote to memory of 2424	2080	lsm.exe	94
PID 284 wrote to memory of 2764	284	WScript.exe	95
PID 284 wrote to memory of 2764	284	WScript.exe	95
PID 284 wrote to memory of 2764	284	WScript.exe	95
PID 2764 wrote to memory of 2844	2764	lsm.exe	96
PID 2764 wrote to memory of 2844	2764	lsm.exe	96
PID 2764 wrote to memory of 2844	2764	lsm.exe	96
PID 2764 wrote to memory of 2232	2764	lsm.exe	97
PID 2764 wrote to memory of 2232	2764	lsm.exe	97
PID 2764 wrote to memory of 2232	2764	lsm.exe	97
PID 2844 wrote to memory of 2720	2844	WScript.exe	98

System policy modification 1 TTPs 24 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ea78193c0a312343dc3d6ecf4c9709a1.exe
"C:\Users\Admin\AppData\Local\Temp\ea78193c0a312343dc3d6ecf4c9709a1.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ea78193c0a312343dc3d6ecf4c9709a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\ea78193c0a312343dc3d6ecf4c9709a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:568
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35690f11-37e2-4a00-9e08-3875ba6070d4.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
      "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2080
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c53a695e-dab0-417c-ba18-b7c9655002d5.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:284
      - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af9f1bc1-4309-47cb-8d4f-581de7b10632.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cb44221-bb27-41df-b76b-026a97640bb4.vbs"
        9⤵
        
        PID:344
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f207be-9bb2-462e-a610-dccb56fe521f.vbs"
        11⤵
        
        PID:1772
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\092d7b2f-0b13-4484-b601-8b51ea417354.vbs"
        13⤵
        
        PID:2296
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ff7c4c8-e24f-400b-ad1d-ba3c87ce420b.vbs"
        15⤵
        
        PID:352
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        16⤵
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb38747c-d6a2-42c0-8788-436dc6bdb2d6.vbs"
        17⤵
        
        PID:1948
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        18⤵
        
        PID:788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7394667-dc65-4a45-9f6f-687b14e9588c.vbs"
        19⤵
        
        PID:1728
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        20⤵
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5679b6da-bf71-4fb7-83f5-f7470715a1cd.vbs"
        21⤵
        
        PID:2144
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        22⤵
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcd7ba0b-1548-4366-9e4c-dbdd74cc6d43.vbs"
        23⤵
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b94a473-0297-493f-a845-b5c5e3b76416.vbs"
        23⤵
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\accc70bd-40b7-4d86-8704-e0c3db0c0db8.vbs"
        21⤵
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\642660b9-c721-4b89-a32e-3c6ef3820352.vbs"
        19⤵
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d90f9efd-f636-407c-9d1c-54584d11c5d4.vbs"
        17⤵
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30eb560f-56e4-4f5f-a544-6448ea85f389.vbs"
        15⤵
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1381da73-6de5-4c04-967c-111252bf6af5.vbs"
        13⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bc6b71e-a019-4ff2-a640-8e9235d49fd2.vbs"
        11⤵
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf8d4207-330c-4a47-983a-e173397cd277.vbs"
        9⤵
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38bf6d9d-0635-4235-b237-2b900418844f.vbs"
        7⤵
        
        PID:2232
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cdf6ff8-f84b-4567-ad2b-4f6e8587a84e.vbs"
        5⤵
        
        PID:2424
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76d5bc96-65da-4585-b3b0-e7a912ab525e.vbs"
    3⤵
    PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ea78193c0a312343dc3d6ecf4c9709a1e" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\ea78193c0a312343dc3d6ecf4c9709a1.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ea78193c0a312343dc3d6ecf4c9709a1" /sc ONLOGON /tr "'C:\Users\Default User\ea78193c0a312343dc3d6ecf4c9709a1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ea78193c0a312343dc3d6ecf4c9709a1e" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\ea78193c0a312343dc3d6ecf4c9709a1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe

Filesize
1.1MB

MD5
3adfd93b73329140696aac81c3feb299

SHA1
746317eb4af1964700c66cb4335c81875445c56c

SHA256
f15ae1d009590f9a8cf98e2bf765561102ef4189ec6b11fcd8525571987602fd

SHA512
cd425538c51738b376fa80fdbfc50c40d48e7bf6621d1bdb99f996e18a382cdf17b0a227829f463a362b8040c83e65a8565952d6984778a88b1ba5dc46535b74

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\WmiPrvSE.exe

Filesize
1.9MB

MD5
ea78193c0a312343dc3d6ecf4c9709a1

SHA1
a0ef53ffbda9e058034c460dcf924971da8dedcb

SHA256
af910cca03f917e9f66f2928480d463c358ae42246e32b0900e5572a09920cb2

SHA512
835efc748beddcdf0ca2a8203d9f461e5a6f831dec65a6f0fa56f158b947ce53228ed0c89a688bd0fcd2883cae89bb86a88ab3f9b8a9d98d5f96a46759fc913a

Download Submit
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe

Filesize
1.9MB

MD5
1a1868dcf2b9e2b6e6620e5833b30765

SHA1
c260296e4f3cee326105a5ffd1b4679e15c5d3b5

SHA256
f782404de7d1e0145526116d7c7268e49e26dd5ecbe9c3b88375e65fee89a434

SHA512
f63da892bf5c393504f399d55a3a92951df184a7ede0de6552cc62afa3d5585440d5d1c27670655be1f733399d52f0b51c2773f541bd8600706588f60f6a3509

Download Submit
C:\Program Files\Common Files\Services\lsm.exe

Filesize
1.9MB

MD5
c292424fa3a48a8871595ad0dccea494

SHA1
a4ba43a4738e5dc7c40eeb65bef3508a202b829e

SHA256
d650ccc5b80e3171f86b39948d1f336ef973c657bff2c1c3705bef174fcd9c01

SHA512
d2e3e40c160255bf3a28b205f9a99d7981ea6bf39d78bb47a650422f120cd25598d60d40ad6ef325c911423e932d3f6ccdc97638c58b8df4182c2f6c4eff01b2

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe

Filesize
1.9MB

MD5
1aae0f8c0098c17b2133a35ec9b58514

SHA1
a840e064b6fe1f1c66a005f02b070503acf70602

SHA256
21d98909525b92a4ef605ebf75a9830687a50ced2ebd1fbec38f819d295407f5

SHA512
7dfa3537ec83d5a364b11f20b85b99229613acbbdd798bb94a7d8f75f61c04a3fbefbef457b22eb52e249edbd74f6365fcd608629e01586c7f3ff124675c1094

Download Submit
C:\Users\Admin\AppData\Local\Temp\092d7b2f-0b13-4484-b601-8b51ea417354.vbs

Filesize
751B

MD5
1af24f0e7753183d7aa02cc7b46f3d61

SHA1
70db2f235a2e83d35df787dbf2d5555faddba494

SHA256
b05c6eefb3e5b006944a7e8c369206b34ca86c151a19b53d1871bdec42bac1dd

SHA512
97ec8ec54d7a8dbb7e9d89f7c40e154080bae8deb97877e8d9cbba28fdd5e1527264e8168c56ec64b15dfc29f42676fd42d540debfe84561aa702046987103a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\09f207be-9bb2-462e-a610-dccb56fe521f.vbs

Filesize
751B

MD5
78854741ea1f0ef1ba20188831117fab

SHA1
cbd6a8d7d387e4c08eeb00555b2e121b6a8058e8

SHA256
052931b3cd5c113634b9813575c74359df56a18af98a049ec7c6cce8ed93852a

SHA512
58e5aa6dfdeb3815d11ab8e772aec5b3c15de830eb2736e8cc91523228325cd405f5ad39faa5e966a2f95e09014f97ec8da59b6f0779d194e285bdc915adc3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cb44221-bb27-41df-b76b-026a97640bb4.vbs

Filesize
751B

MD5
f5a191e6e7c2a418ecf2e8579452559e

SHA1
a46e1ccd238a59e3239bb8855dbad288dc132749

SHA256
0420b736e2fbd663e0c1b29f28b6a2d09d387496a8185097fafbcb51a6c492b7

SHA512
dcabbd4ef23e25ca55672e8a5096356f0732678b825f12c4a0ef2d5a4fe89d5a5731738c2c2b331b3f2284591f58108ca534540eb6f82911d2d874401f8d725f

Download Submit
C:\Users\Admin\AppData\Local\Temp\35690f11-37e2-4a00-9e08-3875ba6070d4.vbs

Filesize
750B

MD5
7c82447a0e764f68b8f30367c0353444

SHA1
d655c4879c99f8611e80c5f3ee63ce8d47959fd9

SHA256
47bbedb3306b9dc1dc7e441a501cd45e21eb305301921b715ead15048a5c64b4

SHA512
885be08e25f7982aa66d5328d28468126671337d81bdae2ff98005e51f86a23c221251f736d80603bb5e11a95dc9efbacca6e1adc88ab86d29f4d42a433d9832

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ff7c4c8-e24f-400b-ad1d-ba3c87ce420b.vbs

Filesize
751B

MD5
f7a33c1dccf539f938fd597430687786

SHA1
cc5c7892a45ddc9a5aef873bb6e1ecf6d85615b3

SHA256
7fecf0313c885d8fc4c29b658ffdb569dbf8d9045e0c239766e22f2eab536f90

SHA512
a5fff63d778cb7eabe21b80d44a3da18e8e7df3479d860cc4dcf8d3b62128a40cd8bb4a968b5d692032f9d4a7f10e95bf79cc485b97e617f3d8b24c43b753fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\5679b6da-bf71-4fb7-83f5-f7470715a1cd.vbs

Filesize
751B

MD5
6694a9b9b002882a4ea22ec737e595fc

SHA1
4da8a3c6c17b94de002dd3f1c16138c3d6bc0d46

SHA256
60a2cec8edae249f2069ab53250d88e301e251e5fd5cc70e05356f0439cb4d11

SHA512
8122a8e193fd4d00a1a30d094c1b7c6f4e1f520a29c8a1dbbf2f4e8f0bb0266d580779b526d601f69494b96067bc850f3c724bc266229fbc6d3f5d734db7222a

Download Submit
C:\Users\Admin\AppData\Local\Temp\67d364d828a3a1e72dc99b586dadae47b5918f45.exe

Filesize
411KB

MD5
952b12db2e5dd68c5f92146933dac909

SHA1
892371feeac04570abb0552dba2da4caf788be9e

SHA256
d08c989ae65e4b128e1482d4a33d111e1e7f5b7c5f60915f04bd5e28a172a8d4

SHA512
014e6159851b681943ec24f16e011fb51781d182eda57433bbca1939cf0cfceea402bef587b9d92467d2c48ea40ee816a03064a6a7b40fc5d45731edc807e185

Download Submit
C:\Users\Admin\AppData\Local\Temp\76d5bc96-65da-4585-b3b0-e7a912ab525e.vbs

Filesize
527B

MD5
593d1d1096c50655e59471a6b836c5e1

SHA1
6c4f97bdbfcefaf2a95a12602916ffff5ba4fb03

SHA256
df18d2de58dbb82aa090eb961486ff17302a8b2afbcf71307233b9789b25e0b2

SHA512
bb61a7f39a160ff219f97f51ee8a21dabd48c55c650fe49e781963ca1539c2e5355b7a1e56c831746b5c5d76d0971b4203e8a365f88dd64079953ac2a8493912

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7394667-dc65-4a45-9f6f-687b14e9588c.vbs

Filesize
750B

MD5
100999cc42a488d1f9325c332c511f51

SHA1
3fabbf22099932bea3d8a70889ab2e7597711612

SHA256
74d230f948b11670a3cf65da21af01ff9665cac9c030949fba95b8868aaf4c6a

SHA512
e46d2a5a365fb973d734aa4215e8d6a9aec450e020693a6e951f7b5ccc6dda4c2ed8f67323a2c7c2d8edd55f42f9817e12d103fe9f5829e5efa65a99ad783516

Download Submit
C:\Users\Admin\AppData\Local\Temp\af9f1bc1-4309-47cb-8d4f-581de7b10632.vbs

Filesize
751B

MD5
8694b2c37948c160559e70f0a7131edd

SHA1
c1f0ecb8a79326ef3177aabc767e94cc4cc2cb6a

SHA256
9b4cca782c925e8b1c9b811d2fe9ce9d58f4518b884af160511f9c10afc048af

SHA512
6595c2e003f0df2f638382b4e57c6ba29e2114455f0f7c1309f0e3545b0cec9b94e79000853bd55c38e73a403c247a372ad27579c9d161486e61cc5550c6563e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53a695e-dab0-417c-ba18-b7c9655002d5.vbs

Filesize
751B

MD5
2fc2b1bdf2efb997f31a3d9f2d34aa0c

SHA1
9950200885fc9c29c2900672a48395411a422e00

SHA256
590572fc9179dcd76fa7614a87f189b6254ff9a2c0d08a9faaec520de6bbe31f

SHA512
8877d289a3e553e740a4c3ac477d260fdd07e53e9d977c0e5ced4b13ae1cfe5d4b61759d93aa1f8bda4e7434ed6b8aeae787951501ed283ff1f4d6217b405d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd7ba0b-1548-4366-9e4c-dbdd74cc6d43.vbs

Filesize
751B

MD5
ec456cd222db3a62d9d09511485a1570

SHA1
e7aaf405da77bc0a2085a98afb3f55e2992bdd69

SHA256
a99150281a2539343eec32b08db6c0a47701d8d642913bdbd7649824b4ce693d

SHA512
4c0f04a5c3a472dfce4434bcdcb8cfefee10ed7f9bdc860d26cebd52c3154c94e60b82be2e6c9cc230f2f2c55134394035c2adccd91028353fcc153dbb28c9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb38747c-d6a2-42c0-8788-436dc6bdb2d6.vbs

Filesize
751B

MD5
8ef022d9afbcf7f55b2897b0c3c9b8ab

SHA1
b202046fb8b634efb4238073f9c769c9156ee87e

SHA256
b20b13a01cba44c54bc779c75881740b8412a25e39e11c436746777e5b5a7e80

SHA512
cb68203dde801c23a72a645bda42c3d1aa7cb1c68fc3c8c5f93c043cfeba6304cfc7d3c3a32f27db5cb61933c5327e27e60e4606b88d44f386a5b8bbcc2f62fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
58623ba82b37782b9eba50a4a0d4de9e

SHA1
504d97e2b0135e3e74d047e255ca359fd550c1da

SHA256
de6e195259ef051c13f8625592fc560eda6dafd5fbbf323c06965a48596d007a

SHA512
1a0bb0bb2f38fc9abe1580ce14e161cb3f152f9b5e1f3a9350b582d5f0bc6d3f86c79e2f2281e971c31199b25365ace56095e7a2dd06b02f662751ae4d24f393

Download Submit
memory/568-245-0x000000001A8B0000-0x000000001A8C2000-memory.dmp

Filesize
72KB

Download
memory/568-204-0x0000000000110000-0x00000000002FA000-memory.dmp

Filesize
1.9MB

Download
memory/788-343-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/788-342-0x0000000000050000-0x000000000023A000-memory.dmp

Filesize
1.9MB

Download
memory/1644-330-0x0000000000C30000-0x0000000000E1A000-memory.dmp

Filesize
1.9MB

Download
memory/1872-355-0x0000000000E20000-0x000000000100A000-memory.dmp

Filesize
1.9MB

Download
memory/1872-356-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/2080-256-0x0000000001020000-0x000000000120A000-memory.dmp

Filesize
1.9MB

Download
memory/2264-17-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/2264-6-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/2264-7-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download
memory/2264-219-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2264-13-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/2264-14-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/2264-10-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/2264-8-0x0000000000840000-0x0000000000896000-memory.dmp

Filesize
344KB

Download
memory/2264-16-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/2264-12-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/2264-9-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/2264-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/2264-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2264-3-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/2264-4-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/2264-18-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2264-5-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2264-1-0x00000000008F0000-0x0000000000ADA000-memory.dmp

Filesize
1.9MB

Download
memory/2264-15-0x00000000008D0000-0x00000000008DE000-memory.dmp

Filesize
56KB

Download
memory/2368-293-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/2368-292-0x00000000006C0000-0x0000000000716000-memory.dmp

Filesize
344KB

Download
memory/2368-291-0x0000000000360000-0x000000000054A000-memory.dmp

Filesize
1.9MB

Download
memory/2720-279-0x0000000001320000-0x000000000150A000-memory.dmp

Filesize
1.9MB

Download
memory/2804-368-0x0000000001220000-0x000000000140A000-memory.dmp

Filesize
1.9MB

Download
memory/2828-201-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2828-190-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2908-318-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/2992-306-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/2992-305-0x0000000000300000-0x00000000004EA000-memory.dmp

Filesize
1.9MB

Download