dcrat | ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Size

1.2MB
MD5

6783cedfbb7ee848a0bb6e5f9e849945
SHA1

cdf977f9deb3c1db344a0cbaf09f3b64bfa812c5
SHA256

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd
SHA512

be8440ffca1061d78c6657b0e4eaeedb2697d5cb612a66009ec2f38783c76876833348eb86b60ee06c0e076dd5ef16bf60ad59fe51ee8ee1c9ccf347e2e2f38d
SSDEEP

24576:CgUVDQapmJamx98IhSf5QdINv5dHnG3xu:C7DyfONvfu

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 28 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
700	schtasks.exe
1988	schtasks.exe
2728	schtasks.exe
2456	schtasks.exe
1016	schtasks.exe
824	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
1672	schtasks.exe
2176	schtasks.exe
2348	schtasks.exe
2584	schtasks.exe
2980	schtasks.exe
2744	schtasks.exe
2268	schtasks.exe
1260	schtasks.exe
2004	schtasks.exe
2020	schtasks.exe
2632	schtasks.exe
2780	schtasks.exe
2524	schtasks.exe
2648	schtasks.exe
1240	schtasks.exe
1128	schtasks.exe
2464	schtasks.exe
992	schtasks.exe
2740	schtasks.exe
2516	schtasks.exe
1252	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\Default\\Desktop\\lsm.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\Default\\Desktop\\lsm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\", \"C:\\Users\\All Users\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\Default\\Desktop\\lsm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\", \"C:\\Users\\All Users\\csrss.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\winlogon.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Idle.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\Default\\Desktop\\lsm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\Default\\Desktop\\lsm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\", \"C:\\Users\\All Users\\csrss.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Windows\\ShellNew\\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\Default\\Desktop\\lsm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\", \"C:\\Users\\All Users\\csrss.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Windows\\ShellNew\\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\Default\\Desktop\\lsm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\", \"C:\\Users\\All Users\\csrss.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Windows\\ShellNew\\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Recovery\\1fdecb22-2889-11ef-9d63-46d84c032646\\lsm.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\Default\\Desktop\\lsm.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\", \"C:\\Users\\All Users\\csrss.exe\", \"C:\\Program Files\\Windows Mail\\fr-FR\\winlogon.exe\", \"C:\\Windows\\ShellNew\\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe\", \"C:\\Program Files\\Uninstall Information\\lsass.exe\", \"C:\\Recovery\\1fdecb22-2889-11ef-9d63-46d84c032646\\lsm.exe\", \"C:\\Users\\Public\\Downloads\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2600	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2600	schtasks.exe

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsm.exeea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1900-1-0x0000000000B90000-0x0000000000CCE000-memory.dmp	dcrat
C:\Program Files\Windows Mail\fr-FR\winlogon.exe	dcrat
behavioral1/memory/2916-39-0x0000000000280000-0x00000000003BE000-memory.dmp	dcrat
behavioral1/memory/1696-52-0x0000000001240000-0x000000000137E000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\508b3db0c8e9cbaef68ff4b6ba43af7de4edebaf.exe	dcrat
behavioral1/memory/1056-97-0x0000000000180000-0x00000000002BE000-memory.dmp	dcrat
behavioral1/memory/1320-109-0x0000000000F50000-0x000000000108E000-memory.dmp	dcrat
behavioral1/memory/2496-122-0x00000000002D0000-0x000000000040E000-memory.dmp	dcrat
behavioral1/memory/1604-135-0x0000000000C00000-0x0000000000D3E000-memory.dmp	dcrat
behavioral1/memory/648-159-0x0000000000F80000-0x00000000010BE000-memory.dmp	dcrat
behavioral1/memory/876-183-0x0000000000FF0000-0x000000000112E000-memory.dmp	dcrat
behavioral1/memory/1076-206-0x0000000001100000-0x000000000123E000-memory.dmp	dcrat

Detects executables packed with SmartAssembly 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1900-4-0x00000000001D0000-0x00000000001DA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1900-10-0x0000000000B80000-0x0000000000B8A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/1900-13-0x00000000022B0000-0x00000000022BA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Executes dropped EXE 15 IoCs

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid process

2916 lsm.exe
1696 lsm.exe
2280 lsm.exe
2320 lsm.exe
2008 lsm.exe
1056 lsm.exe
1320 lsm.exe
2496 lsm.exe
1604 lsm.exe
2128 lsm.exe
648 lsm.exe
2708 lsm.exe
876 lsm.exe
1288 lsm.exe
1076 lsm.exe

pid	process
2916	lsm.exe
1696	lsm.exe
2280	lsm.exe
2320	lsm.exe
2008	lsm.exe
1056	lsm.exe
1320	lsm.exe
2496	lsm.exe
1604	lsm.exe
2128	lsm.exe
648	lsm.exe
2708	lsm.exe
876	lsm.exe
1288	lsm.exe
1076	lsm.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Uninstall Information\\lsass.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\1fdecb22-2889-11ef-9d63-46d84c032646\\lsm.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Desktop\\lsm.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Mail\\fr-FR\\winlogon.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd = "\"C:\\Windows\\ShellNew\\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Mail\\fr-FR\\winlogon.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\1fdecb22-2889-11ef-9d63-46d84c032646\\lsm.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Downloads\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Desktop\\lsm.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\taskhost.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd = "\"C:\\Windows\\ShellNew\\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Uninstall Information\\lsass.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Downloads\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in Program Files directory 6 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\b75386f1303e64	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Program Files\Windows Mail\fr-FR\winlogon.exe	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Program Files\Windows Mail\fr-FR\cc11b995f2a76d	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Drops file in Windows directory 2 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
File created	C:\Windows\ShellNew\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Windows\ShellNew\8a22c56d7b82eb	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
824	schtasks.exe
2728	schtasks.exe
2464	schtasks.exe
2516	schtasks.exe
2740	schtasks.exe
2268	schtasks.exe
1016	schtasks.exe
1240	schtasks.exe
2456	schtasks.exe
2348	schtasks.exe
2004	schtasks.exe
2020	schtasks.exe
2632	schtasks.exe
2980	schtasks.exe
992	schtasks.exe
2780	schtasks.exe
2524	schtasks.exe
1672	schtasks.exe
2584	schtasks.exe
1260	schtasks.exe
1128	schtasks.exe
2744	schtasks.exe
1988	schtasks.exe
700	schtasks.exe
2648	schtasks.exe
2176	schtasks.exe
1252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	process
1900	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
1900	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
1900	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
2916	lsm.exe
1696	lsm.exe
2280	lsm.exe
2320	lsm.exe
2008	lsm.exe
1056	lsm.exe
1320	lsm.exe
2496	lsm.exe
1604	lsm.exe
2128	lsm.exe
648	lsm.exe
2708	lsm.exe
876	lsm.exe
1288	lsm.exe
1076	lsm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	pid	process
Token: SeDebugPrivilege	1900	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Token: SeDebugPrivilege	2916	lsm.exe
Token: SeDebugPrivilege	1696	lsm.exe
Token: SeDebugPrivilege	2280	lsm.exe
Token: SeDebugPrivilege	2320	lsm.exe
Token: SeDebugPrivilege	2008	lsm.exe
Token: SeDebugPrivilege	1056	lsm.exe
Token: SeDebugPrivilege	1320	lsm.exe
Token: SeDebugPrivilege	2496	lsm.exe
Token: SeDebugPrivilege	1604	lsm.exe
Token: SeDebugPrivilege	2128	lsm.exe
Token: SeDebugPrivilege	648	lsm.exe
Token: SeDebugPrivilege	2708	lsm.exe
Token: SeDebugPrivilege	876	lsm.exe
Token: SeDebugPrivilege	1288	lsm.exe
Token: SeDebugPrivilege	1076	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exelsm.exeWScript.exelsm.exeWScript.exelsm.exeWScript.exelsm.exeWScript.exelsm.exeWScript.exelsm.exeWScript.exelsm.exeWScript.exe

description	pid	process	target process
PID 1900 wrote to memory of 2916	1900	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe	lsm.exe
PID 1900 wrote to memory of 2916	1900	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe	lsm.exe
PID 1900 wrote to memory of 2916	1900	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe	lsm.exe
PID 2916 wrote to memory of 2420	2916	lsm.exe	WScript.exe
PID 2916 wrote to memory of 2420	2916	lsm.exe	WScript.exe
PID 2916 wrote to memory of 2420	2916	lsm.exe	WScript.exe
PID 2916 wrote to memory of 2880	2916	lsm.exe	WScript.exe
PID 2916 wrote to memory of 2880	2916	lsm.exe	WScript.exe
PID 2916 wrote to memory of 2880	2916	lsm.exe	WScript.exe
PID 2420 wrote to memory of 1696	2420	WScript.exe	lsm.exe
PID 2420 wrote to memory of 1696	2420	WScript.exe	lsm.exe
PID 2420 wrote to memory of 1696	2420	WScript.exe	lsm.exe
PID 1696 wrote to memory of 956	1696	lsm.exe	WScript.exe
PID 1696 wrote to memory of 956	1696	lsm.exe	WScript.exe
PID 1696 wrote to memory of 956	1696	lsm.exe	WScript.exe
PID 1696 wrote to memory of 1276	1696	lsm.exe	WScript.exe
PID 1696 wrote to memory of 1276	1696	lsm.exe	WScript.exe
PID 1696 wrote to memory of 1276	1696	lsm.exe	WScript.exe
PID 956 wrote to memory of 2280	956	WScript.exe	lsm.exe
PID 956 wrote to memory of 2280	956	WScript.exe	lsm.exe
PID 956 wrote to memory of 2280	956	WScript.exe	lsm.exe
PID 2280 wrote to memory of 1216	2280	lsm.exe	WScript.exe
PID 2280 wrote to memory of 1216	2280	lsm.exe	WScript.exe
PID 2280 wrote to memory of 1216	2280	lsm.exe	WScript.exe
PID 2280 wrote to memory of 2712	2280	lsm.exe	WScript.exe
PID 2280 wrote to memory of 2712	2280	lsm.exe	WScript.exe
PID 2280 wrote to memory of 2712	2280	lsm.exe	WScript.exe
PID 1216 wrote to memory of 2320	1216	WScript.exe	lsm.exe
PID 1216 wrote to memory of 2320	1216	WScript.exe	lsm.exe
PID 1216 wrote to memory of 2320	1216	WScript.exe	lsm.exe
PID 2320 wrote to memory of 376	2320	lsm.exe	WScript.exe
PID 2320 wrote to memory of 376	2320	lsm.exe	WScript.exe
PID 2320 wrote to memory of 376	2320	lsm.exe	WScript.exe
PID 2320 wrote to memory of 1224	2320	lsm.exe	WScript.exe
PID 2320 wrote to memory of 1224	2320	lsm.exe	WScript.exe
PID 2320 wrote to memory of 1224	2320	lsm.exe	WScript.exe
PID 376 wrote to memory of 2008	376	WScript.exe	lsm.exe
PID 376 wrote to memory of 2008	376	WScript.exe	lsm.exe
PID 376 wrote to memory of 2008	376	WScript.exe	lsm.exe
PID 2008 wrote to memory of 2744	2008	lsm.exe	WScript.exe
PID 2008 wrote to memory of 2744	2008	lsm.exe	WScript.exe
PID 2008 wrote to memory of 2744	2008	lsm.exe	WScript.exe
PID 2008 wrote to memory of 2144	2008	lsm.exe	WScript.exe
PID 2008 wrote to memory of 2144	2008	lsm.exe	WScript.exe
PID 2008 wrote to memory of 2144	2008	lsm.exe	WScript.exe
PID 2744 wrote to memory of 1056	2744	WScript.exe	lsm.exe
PID 2744 wrote to memory of 1056	2744	WScript.exe	lsm.exe
PID 2744 wrote to memory of 1056	2744	WScript.exe	lsm.exe
PID 1056 wrote to memory of 2256	1056	lsm.exe	WScript.exe
PID 1056 wrote to memory of 2256	1056	lsm.exe	WScript.exe
PID 1056 wrote to memory of 2256	1056	lsm.exe	WScript.exe
PID 1056 wrote to memory of 2892	1056	lsm.exe	WScript.exe
PID 1056 wrote to memory of 2892	1056	lsm.exe	WScript.exe
PID 1056 wrote to memory of 2892	1056	lsm.exe	WScript.exe
PID 2256 wrote to memory of 1320	2256	WScript.exe	lsm.exe
PID 2256 wrote to memory of 1320	2256	WScript.exe	lsm.exe
PID 2256 wrote to memory of 1320	2256	WScript.exe	lsm.exe
PID 1320 wrote to memory of 340	1320	lsm.exe	WScript.exe
PID 1320 wrote to memory of 340	1320	lsm.exe	WScript.exe
PID 1320 wrote to memory of 340	1320	lsm.exe	WScript.exe
PID 1320 wrote to memory of 1696	1320	lsm.exe	WScript.exe
PID 1320 wrote to memory of 1696	1320	lsm.exe	WScript.exe
PID 1320 wrote to memory of 1696	1320	lsm.exe	WScript.exe
PID 340 wrote to memory of 2496	340	WScript.exe	lsm.exe

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exeea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
"C:\Users\Admin\AppData\Local\Temp\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1900

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
"C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2916

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0eaad67-4c4e-4cb8-9771-edf8215ceee6.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1696

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44f23ea3-be00-474b-95ca-a9258b02110c.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e3ea932-4d90-471a-9653-9a1e0523c1e0.vbs"
7⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2320

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2a44235-b976-4458-a28c-bc551d81c504.vbs"
9⤵
- Suspicious use of WriteProcessMemory
PID:376

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2008

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f712e3d4-e0fe-4304-8c22-72245607bc02.vbs"
11⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1056

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fd728e0-a1c4-4156-8d32-1d9b01336891.vbs"
13⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1320

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe2a2767-bc5a-4bb6-adcb-a86492ec32a3.vbs"
15⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2496

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c8b422e-fe65-4ed0-a7de-cbfa5efd0f7f.vbs"
17⤵
PID:2624

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1604

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9e2de92-13b5-434c-8ca9-255f1c2e371f.vbs"
19⤵
PID:1852

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2128

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba686c88-bbe5-4ad7-bbba-9e248f60f3e1.vbs"
21⤵
PID:2356

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:648

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f58e0a71-f50d-4d62-8e0e-a56c3404cadc.vbs"
23⤵
PID:1920

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f589bff-1dde-41a9-8957-84cf901f95cb.vbs"
25⤵
PID:2484

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
26⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:876

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5eacfdb-af9c-4878-a46c-de8943a90a38.vbs"
27⤵
PID:2912

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
28⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1288

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d4c268e-22d5-4f9b-ad6f-563ebd448aac.vbs"
29⤵
PID:2424

C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe
30⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ce85d0d-7425-432d-9430-416d7b27fd74.vbs"
31⤵
PID:3008

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5c18a53-b1ec-4ef3-b871-4650699e548e.vbs"
31⤵
PID:1716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfa73a97-bd39-4123-a8a0-20a43bbdd3bf.vbs"
29⤵
PID:3012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fff1622-7814-4aff-bff4-6ffe4dd7b39b.vbs"
27⤵
PID:2324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a40170c1-4e56-4911-ad7e-fe7a442a68ed.vbs"
25⤵
PID:2592

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bf4cc45-2970-4b60-b0cb-9cc230f2ee19.vbs"
23⤵
PID:1524

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b0f8d46-0496-4deb-af6a-a78928ce649a.vbs"
21⤵
PID:2196

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11151181-ba40-4635-b847-a698c4325339.vbs"
19⤵
PID:768

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d203ddb-8fc0-4e98-9d62-21f92b32c1cd.vbs"
17⤵
PID:2804

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8730dc05-a874-4d4c-82d7-632952adc831.vbs"
15⤵
PID:1696

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\790d7cb3-5654-4f38-9d74-bbd04ead92fe.vbs"
13⤵
PID:2892

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\517fdaa9-b258-4cc9-ad7b-bc7f5d16f3b1.vbs"
11⤵
PID:2144

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c18b5b74-45e5-4567-a0af-98c16f1eb0b1.vbs"
9⤵
PID:1224

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a7a0d71-e103-4a3d-a143-dcd9d6677c80.vbs"
7⤵
PID:2712

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cc134a0-fe12-4875-b62b-91b94c38441a.vbs"
5⤵
PID:1276

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1d20242-b182-4df2-a034-2a0e13b42b0d.vbs"
3⤵
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\fr-FR\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadde" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd" /sc ONLOGON /tr "'C:\Windows\ShellNew\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadde" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\fr-FR\winlogon.exe
Filesize
1.2MB

MD5
6783cedfbb7ee848a0bb6e5f9e849945

SHA1
cdf977f9deb3c1db344a0cbaf09f3b64bfa812c5

SHA256
ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd

SHA512
be8440ffca1061d78c6657b0e4eaeedb2697d5cb612a66009ec2f38783c76876833348eb86b60ee06c0e076dd5ef16bf60ad59fe51ee8ee1c9ccf347e2e2f38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d4c268e-22d5-4f9b-ad6f-563ebd448aac.vbs
Filesize
732B

MD5
a178e94a78f9fb484688d9e7578d6826

SHA1
09024f4566a79cc7b1db8a849949b93788c66f65

SHA256
eee10c0d5c52dd11776471abe4602fd2d895c92706613c138e09b8de072c48d0

SHA512
d61111110cb7a9e95c6b530c76cafc14e47435423c0309a0868a6f3c7252a347c6bfcf4bbaaa74158977215424de8ae0bef70ad2dfb2e32e8e244dd5a0a4bee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f589bff-1dde-41a9-8957-84cf901f95cb.vbs
Filesize
732B

MD5
4151d9b4c20d2221615aa8d2fdf86cc9

SHA1
f9ac4b7ee38cd5b5d15bf2f6c21e6bbd1f159799

SHA256
c4866e58bff5cc793c6ae5c511396977585a8171d597cc2a639ddc301339f48f

SHA512
0c00698103990364a40e7af7722d935fe9597d01cb7961f63543c2621460b23ba264e2d48604ba89dea94976c9c3d011244c79b8a213bac6ca78dd99667a908b

Download Submit
C:\Users\Admin\AppData\Local\Temp\44f23ea3-be00-474b-95ca-a9258b02110c.vbs
Filesize
732B

MD5
2fcd16fc7b0d5f3c38b57d366aed2160

SHA1
051a0ddcaa3da1bfd8abff0598c7192fecf17f41

SHA256
e67a80d105e9fec6d080554bcfadb88c0f71596698166778711becf64aaa49e6

SHA512
0ea4e2057ce29b0a4f9001c18d25dced0d86c098639a8bc4fcda327941c97e85e646f82478f43f9482aeda359773b1f8a0f87623693ae0877c1a9817c37180eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c8b422e-fe65-4ed0-a7de-cbfa5efd0f7f.vbs
Filesize
732B

MD5
2de6e195c6b551b87e3f6543d373b7ef

SHA1
e0da1d2aa32208ee36eeba225526eab0c8dda24d

SHA256
6d9807758cc216812e303e314db635c974e47355654580efe5d7c367eadd0de3

SHA512
fcd12e0933aac6a3914987a0eba3186dd75ab352255e36d17631fb8bb19bd888f8ae484830586ad9b03c0c5abab0365e2287251e8d0f7d20d694bb130fc02f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\508b3db0c8e9cbaef68ff4b6ba43af7de4edebaf.exe
Filesize
1.2MB

MD5
e0fbbed0c65afe2382e661b310391d2e

SHA1
f70dd24bd7fa902f540086115c91f013e2f137f4

SHA256
3a0b90a90638e625bb4cbcb027e22ab8890a0357175f0f412c3326d79c08aa09

SHA512
e78b6bf46d392dfa47439919fa90100eabdeea6ad77be8112adb6794e1af7c17e0f9ff83c301f46e3c8caf99c7a7877cf39098c1a5781ddcc3569a74fc9a68f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ce85d0d-7425-432d-9430-416d7b27fd74.vbs
Filesize
732B

MD5
b77ddaef20e65e8d597a7af68209b869

SHA1
3b74e15f59e23c4ad789d397108a807cc5ff2ad5

SHA256
54e0f46416959a22bdb6a9d08262b37c9fdf83b288d92f4d2f15029fd2578c9f

SHA512
d25e9335f25edfb00594da83ac5c4fb655de6b6bf8bf0ab3ec2d1d26b2ddad44f194914c505cfc0a2d728fffddbb6bf6bd8c82f0b5c491ee587d8c53709bb0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e3ea932-4d90-471a-9653-9a1e0523c1e0.vbs
Filesize
732B

MD5
170ba1264ad3c61b9c0ed1804c028b54

SHA1
bd54fc1e296d41ff96e4f7db0ba183e98e09a427

SHA256
0357fac5a2e79d8b2a9e3f645ff462755ead59434cbdbade3ed9975f1ab0e87f

SHA512
0b6035a060c45515e0182201a522757e4a46a522bc8ee199fbe58dd77780c219b9a894ac3cb1ffb35b8ef9bd48486c55c94005d3b4ae116270320fcb87e67486

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fd728e0-a1c4-4156-8d32-1d9b01336891.vbs
Filesize
732B

MD5
d5c019366bfad0d6704d936ff2c971df

SHA1
c9fbcf594c5280b38b645a4bc61b265b93a26bb0

SHA256
dac7eba38fb6c4bc60efcd12afb85e5f77237576800e4dd52dacf18545ca205d

SHA512
0fa667dfb713ffeabc8c5f572943af90877cc233ef7dce02d005787be4a5fef16d38a2400e40115ee75f0809544246812a661820c457ea1a1cf9ee0d9b87c8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba686c88-bbe5-4ad7-bbba-9e248f60f3e1.vbs
Filesize
732B

MD5
b4315ce4c3bf0f3ac57c2e5c2b34145e

SHA1
61e218409d81b259da856d92d13086bd3ceeeb1a

SHA256
09cfa96769e50c30c1789616874f17ba12f9c87523d25e07c42c9afd6bb6a15f

SHA512
cd20d6ad8d41b6e98d05ec578c8d18d693f8635b94a9edbac22bb9c5bbab5cbaf804880726cb38c3d4429c508a8b4e5aefadaa3c855921e90c859c6af0ea6657

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2a44235-b976-4458-a28c-bc551d81c504.vbs
Filesize
732B

MD5
69838298193dbd93542a81a1e190ad8e

SHA1
52f853ad072e1bcd6cdc11d2a227569dc334e501

SHA256
f1c0923e7ba3a4e66519d63da4562c75dac4addd5ff0f57a1e5dce691c0eb52a

SHA512
dbb058f896cf15549c4511950a431e2faec23510e63bfdf6d53016039d510d388376c45def503330ecdc9b4d4778accfecb7f0ca229f0c5919127608c61dbb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9e2de92-13b5-434c-8ca9-255f1c2e371f.vbs
Filesize
732B

MD5
5d762b4c97bbb4844096a9347cac6ede

SHA1
541cf58bc38962ba6b44406934a98af737568848

SHA256
c6fcc384b4ee9c3f94a34d7678d6ee21e53044edd3dc17f5199aeb5b63beafcb

SHA512
4c8d28b6c04ac2cd9498ac8d3def45fbee5e2f8215b2fbf4a9fd6f3bbda75dfa0d477cfd56ed2c0afbc110644d03064b3c4dc2e59b0d97310c19eb5b8031ac0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1d20242-b182-4df2-a034-2a0e13b42b0d.vbs
Filesize
508B

MD5
6dbb7d2221740d526e02d4fd7c1b271e

SHA1
bc6fec7d654e559a8558a2a6ab94e8a14f41adbf

SHA256
df7e4374f66430762e00757bbaf71cf0b1aa6cfe530df750384f219e474f0f1f

SHA512
a59993a4f681f87b8d67fd2ccc265bea458622247e2c63fb23e554d51f7fce35f084ffc88d47bbb0220080a7eb86f42fe470a1ac119da0dd1c0024c7dc8aa1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0eaad67-4c4e-4cb8-9771-edf8215ceee6.vbs
Filesize
732B

MD5
973a33c11af53efb1d44c3b9fb89e225

SHA1
31b8e825108d4a5b0021c0326764dc4e0b768e61

SHA256
2acbd80ca7a54b88302034db6963e17cdc8024396bae66be31cc0641e98c7323

SHA512
92c021af6bd68eeb6056d2af50801a5256d0af61d6c96f520ddac4beb25bc37fb05756c4ffc232fd568cb692c5905efd3036df616ddc5e3b07850ea09951c244

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5eacfdb-af9c-4878-a46c-de8943a90a38.vbs
Filesize
731B

MD5
c1a5431d96c64770985fb50e75d5ae40

SHA1
c2f46065992b4fb7005f06078438810ac7035370

SHA256
a10e5b8e66973be50a0511e88074aad2d12d1b8a8fa41bcda6687b7d6f930586

SHA512
84aeb4be19d1a2c29a9a7c2c25005276131600d4499d9eaaa574b9745635e9850d4396f79c27ede17fd911b6a0e710e2f8b7ab264a6d12d2bdc773c9936512e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f58e0a71-f50d-4d62-8e0e-a56c3404cadc.vbs
Filesize
731B

MD5
d26ee5d0452e0234939e290e8d240a25

SHA1
a347d6ccf1544fd59d3ef7f4ca14b8ac47a81ac6

SHA256
e3fd1b355f62da6949b65215250f379942beddd030809da2b5c3a834d00a36e2

SHA512
0832027555a4ac80488f6ac6d2c1ffbd1af5c9ec9afc52337eed623ac73852eb566120dbf4b93cadb4e197b2408a6e6ff251b3d6cf3d556e90ab70ab059f9d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\f712e3d4-e0fe-4304-8c22-72245607bc02.vbs
Filesize
732B

MD5
41031c211998c5260e26c2b5b409ebee

SHA1
b9026c5e99c7bcc8cac9162b9c5f519e1b47a22a

SHA256
4386378df3ebb9af2bfbe0540945bc6ee59ba147ef4fe775e09c86bf82c2e255

SHA512
7c5039a1b4f9f6dfc4a8e2b22ce55e1029ce0125fc78b7fb3c09930ebce162229a7ff0a3b4cc71cf2884c52b67a933ec68741a74ca3f5da8bdfc48081e377604

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe2a2767-bc5a-4bb6-adcb-a86492ec32a3.vbs
Filesize
732B

MD5
2e005591ed9814fad3382b602ca469a6

SHA1
024b861c887d858dd58c00404b0a35deaa04d002

SHA256
fbfd186c1329a4b058bb61d6fc5419c1332f35fe266266eeef2d10a5c0e45b18

SHA512
b65d85386d79ab04156caa632118fbf002d4c390f4cbba45ebb0cfdb400d4ad40d26232f011b2ee80036aaaf9078dcdcec2033c32adc1be7058eb0c1df11af40

Download Submit
memory/648-160-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/648-159-0x0000000000F80000-0x00000000010BE000-memory.dmp

Filesize
1.2MB

Download
memory/876-183-0x0000000000FF0000-0x000000000112E000-memory.dmp

Filesize
1.2MB

Download
memory/1056-97-0x0000000000180000-0x00000000002BE000-memory.dmp

Filesize
1.2MB

Download
memory/1076-206-0x0000000001100000-0x000000000123E000-memory.dmp

Filesize
1.2MB

Download
memory/1320-110-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/1320-109-0x0000000000F50000-0x000000000108E000-memory.dmp

Filesize
1.2MB

Download
memory/1604-135-0x0000000000C00000-0x0000000000D3E000-memory.dmp

Filesize
1.2MB

Download
memory/1696-52-0x0000000001240000-0x000000000137E000-memory.dmp

Filesize
1.2MB

Download
memory/1900-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/1900-11-0x00000000021E0000-0x00000000021EE000-memory.dmp

Filesize
56KB

Download
memory/1900-10-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/1900-12-0x00000000021F0000-0x00000000021F8000-memory.dmp

Filesize
32KB

Download
memory/1900-9-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/1900-1-0x0000000000B90000-0x0000000000CCE000-memory.dmp

Filesize
1.2MB

Download
memory/1900-13-0x00000000022B0000-0x00000000022BA000-memory.dmp

Filesize
40KB

Download
memory/1900-5-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/1900-7-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/1900-8-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/1900-2-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/1900-4-0x00000000001D0000-0x00000000001DA000-memory.dmp

Filesize
40KB

Download
memory/1900-14-0x00000000022C0000-0x00000000022CC000-memory.dmp

Filesize
48KB

Download
memory/1900-40-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/1900-6-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/1900-3-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/2128-147-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/2496-123-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2496-122-0x00000000002D0000-0x000000000040E000-memory.dmp

Filesize
1.2MB

Download
memory/2916-39-0x0000000000280000-0x00000000003BE000-memory.dmp

Filesize
1.2MB

Download
memory/2916-41-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download