dcrat | 6ff9d724f6dfa99f6a30343e9dc543fc864da291eff05a391850329f94be6f9e

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84450ece99d5ebe3557daa586d2d1650N.exe
Size

4.9MB
MD5

84450ece99d5ebe3557daa586d2d1650
SHA1

9241cf6c4f37fcc63732c728cedb408afd3d8369
SHA256

6ff9d724f6dfa99f6a30343e9dc543fc864da291eff05a391850329f94be6f9e
SHA512

eb9cd446fc1735a9a0ebafcd04e64903708e84baab0ee465290752bb2d5ee32fb7fe209e8621dce8ed8ebd12b90351a01fe07e7a81789780edef0892a49ec6c4
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2840	schtasks.exe

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

smss.exesmss.exe84450ece99d5ebe3557daa586d2d1650N.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84450ece99d5ebe3557daa586d2d1650N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	84450ece99d5ebe3557daa586d2d1650N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	84450ece99d5ebe3557daa586d2d1650N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2136-3-0x000000001B920000-0x000000001BA4E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2956	powershell.exe
1616	powershell.exe
1704	powershell.exe
520	powershell.exe
2144	powershell.exe
2940	powershell.exe
2920	powershell.exe
3056	powershell.exe
336	powershell.exe
1620	powershell.exe
2916	powershell.exe
2908	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid process

936 smss.exe
2096 smss.exe
2876 smss.exe
1144 smss.exe
1800 smss.exe
2248 smss.exe
2100 smss.exe
1968 smss.exe

pid	process
936	smss.exe
2096	smss.exe
2876	smss.exe
1144	smss.exe
1800	smss.exe
2248	smss.exe
2100	smss.exe
1968	smss.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

smss.exesmss.exe84450ece99d5ebe3557daa586d2d1650N.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84450ece99d5ebe3557daa586d2d1650N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84450ece99d5ebe3557daa586d2d1650N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Drops file in Program Files directory 20 IoCs

Processes:

84450ece99d5ebe3557daa586d2d1650N.exe

description	ioc	process
File created	C:\Program Files\Google\audiodg.exe	84450ece99d5ebe3557daa586d2d1650N.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\1610b97d3ab4a7	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\RCXB35D.tmp	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXB83F.tmp	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXC0CB.tmp	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\RCXC520.tmp	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\OSPPSVC.exe	84450ece99d5ebe3557daa586d2d1650N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\84450ece99d5ebe3557daa586d2d1650N.exe	84450ece99d5ebe3557daa586d2d1650N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\685e28b76c9d56	84450ece99d5ebe3557daa586d2d1650N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe	84450ece99d5ebe3557daa586d2d1650N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\24dbde2999530e	84450ece99d5ebe3557daa586d2d1650N.exe
File created	C:\Program Files\Google\42af1c969fbb7b	84450ece99d5ebe3557daa586d2d1650N.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\OSPPSVC.exe	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\84450ece99d5ebe3557daa586d2d1650N.exe	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe	84450ece99d5ebe3557daa586d2d1650N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe	84450ece99d5ebe3557daa586d2d1650N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\1610b97d3ab4a7	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Program Files\Google\RCXBC85.tmp	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Program Files\Google\audiodg.exe	84450ece99d5ebe3557daa586d2d1650N.exe

Drops file in Windows directory 4 IoCs

Processes:

84450ece99d5ebe3557daa586d2d1650N.exe

description	ioc	process
File created	C:\Windows\PLA\Rules\explorer.exe	84450ece99d5ebe3557daa586d2d1650N.exe
File created	C:\Windows\PLA\Rules\7a0fd90576e088	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Windows\PLA\Rules\RCXBEA8.tmp	84450ece99d5ebe3557daa586d2d1650N.exe
File opened for modification	C:\Windows\PLA\Rules\explorer.exe	84450ece99d5ebe3557daa586d2d1650N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2468	schtasks.exe
2200	schtasks.exe
1624	schtasks.exe
2408	schtasks.exe
972	schtasks.exe
2412	schtasks.exe
1052	schtasks.exe
1220	schtasks.exe
2820	schtasks.exe
2228	schtasks.exe
3044	schtasks.exe
2004	schtasks.exe
2732	schtasks.exe
2780	schtasks.exe
2032	schtasks.exe
1084	schtasks.exe
2060	schtasks.exe
868	schtasks.exe
2788	schtasks.exe
1800	schtasks.exe
1956	schtasks.exe
2764	schtasks.exe
2972	schtasks.exe
2320	schtasks.exe
1228	schtasks.exe
2180	schtasks.exe
2284	schtasks.exe
952	schtasks.exe
2356	schtasks.exe
2932	schtasks.exe
2976	schtasks.exe
2796	schtasks.exe
1968	schtasks.exe
2720	schtasks.exe
1056	schtasks.exe
3060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

84450ece99d5ebe3557daa586d2d1650N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
2136	84450ece99d5ebe3557daa586d2d1650N.exe
2136	84450ece99d5ebe3557daa586d2d1650N.exe
2136	84450ece99d5ebe3557daa586d2d1650N.exe
2136	84450ece99d5ebe3557daa586d2d1650N.exe
2136	84450ece99d5ebe3557daa586d2d1650N.exe
520	powershell.exe
2144	powershell.exe
1704	powershell.exe
1616	powershell.exe
2940	powershell.exe
2956	powershell.exe
2920	powershell.exe
336	powershell.exe
1620	powershell.exe
2916	powershell.exe
2908	powershell.exe
3056	powershell.exe
936	smss.exe
2096	smss.exe
2876	smss.exe
1144	smss.exe
1800	smss.exe
2248	smss.exe
2100	smss.exe
1968	smss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2136	84450ece99d5ebe3557daa586d2d1650N.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	936	smss.exe
Token: SeDebugPrivilege	2096	smss.exe
Token: SeDebugPrivilege	2876	smss.exe
Token: SeDebugPrivilege	1144	smss.exe
Token: SeDebugPrivilege	1800	smss.exe
Token: SeDebugPrivilege	2248	smss.exe
Token: SeDebugPrivilege	2100	smss.exe
Token: SeDebugPrivilege	1968	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

84450ece99d5ebe3557daa586d2d1650N.execmd.exesmss.exeWScript.exesmss.exeWScript.exesmss.exe

description	pid	process	target process
PID 2136 wrote to memory of 1616	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 1616	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 1616	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 1620	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 1620	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 1620	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 1704	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 1704	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 1704	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 520	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 520	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 520	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2144	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2144	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2144	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2916	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2916	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2916	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2940	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2940	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2940	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2920	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2920	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2920	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2956	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2956	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2956	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2908	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2908	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 2908	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 3056	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 3056	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 3056	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 336	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 336	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 336	2136	84450ece99d5ebe3557daa586d2d1650N.exe	powershell.exe
PID 2136 wrote to memory of 3036	2136	84450ece99d5ebe3557daa586d2d1650N.exe	cmd.exe
PID 2136 wrote to memory of 3036	2136	84450ece99d5ebe3557daa586d2d1650N.exe	cmd.exe
PID 2136 wrote to memory of 3036	2136	84450ece99d5ebe3557daa586d2d1650N.exe	cmd.exe
PID 3036 wrote to memory of 2412	3036	cmd.exe	w32tm.exe
PID 3036 wrote to memory of 2412	3036	cmd.exe	w32tm.exe
PID 3036 wrote to memory of 2412	3036	cmd.exe	w32tm.exe
PID 3036 wrote to memory of 936	3036	cmd.exe	smss.exe
PID 3036 wrote to memory of 936	3036	cmd.exe	smss.exe
PID 3036 wrote to memory of 936	3036	cmd.exe	smss.exe
PID 936 wrote to memory of 1668	936	smss.exe	WScript.exe
PID 936 wrote to memory of 1668	936	smss.exe	WScript.exe
PID 936 wrote to memory of 1668	936	smss.exe	WScript.exe
PID 936 wrote to memory of 2832	936	smss.exe	WScript.exe
PID 936 wrote to memory of 2832	936	smss.exe	WScript.exe
PID 936 wrote to memory of 2832	936	smss.exe	WScript.exe
PID 1668 wrote to memory of 2096	1668	WScript.exe	smss.exe
PID 1668 wrote to memory of 2096	1668	WScript.exe	smss.exe
PID 1668 wrote to memory of 2096	1668	WScript.exe	smss.exe
PID 2096 wrote to memory of 2120	2096	smss.exe	WScript.exe
PID 2096 wrote to memory of 2120	2096	smss.exe	WScript.exe
PID 2096 wrote to memory of 2120	2096	smss.exe	WScript.exe
PID 2096 wrote to memory of 1700	2096	smss.exe	WScript.exe
PID 2096 wrote to memory of 1700	2096	smss.exe	WScript.exe
PID 2096 wrote to memory of 1700	2096	smss.exe	WScript.exe
PID 2120 wrote to memory of 2876	2120	WScript.exe	smss.exe
PID 2120 wrote to memory of 2876	2120	WScript.exe	smss.exe
PID 2120 wrote to memory of 2876	2120	WScript.exe	smss.exe
PID 2876 wrote to memory of 1704	2876	smss.exe	WScript.exe

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe84450ece99d5ebe3557daa586d2d1650N.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84450ece99d5ebe3557daa586d2d1650N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	84450ece99d5ebe3557daa586d2d1650N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	84450ece99d5ebe3557daa586d2d1650N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\84450ece99d5ebe3557daa586d2d1650N.exe
"C:\Users\Admin\AppData\Local\Temp\84450ece99d5ebe3557daa586d2d1650N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZnhMCmO6P2.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2412

C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
"C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:936

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69f8252e-d35f-48be-92b3-d53b14fc0bec.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2096

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8945a34d-9dfb-4422-bfcd-4a6d64bf826f.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2876

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d3aa829-1298-45ff-b44e-583022249b28.vbs"
8⤵
PID:1704

C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1144

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86764c2b-b085-497b-81c2-2c1152abcec8.vbs"
10⤵
PID:336

C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1800

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fae83e3-c60e-43dc-8946-af0ef1a38336.vbs"
12⤵
PID:952

C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2248

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98fba045-3337-44c1-aa85-05511d5f1415.vbs"
14⤵
PID:2236

C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cb67e6d-ca64-4e0f-8079-eae367a83680.vbs"
16⤵
PID:1868

C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1968

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfd6e341-7b43-4259-bb0a-f8ae3604593d.vbs"
18⤵
PID:2364

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb0a73ef-5cc4-405d-8c16-f44105744ee7.vbs"
18⤵
PID:1144

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7db504d9-2345-4678-bfdd-c2ed902faab9.vbs"
16⤵
PID:2952

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78931fe5-1d1d-497b-94cd-633ce2444265.vbs"
14⤵
PID:1628

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b74403b-835c-482d-b761-53550c97bfa1.vbs"
12⤵
PID:560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e922e07d-c82f-4c05-a78d-29543b2312f9.vbs"
10⤵
PID:2756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\046c2608-aa28-4c17-8496-d94c47898616.vbs"
8⤵
PID:1544

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e71135eb-4f4e-49dc-a54d-041a85373778.vbs"
6⤵
PID:1700

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83c9f1dd-596d-4e6e-aac3-3f3e6fff37e5.vbs"
4⤵
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "84450ece99d5ebe3557daa586d2d1650N8" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\84450ece99d5ebe3557daa586d2d1650N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "84450ece99d5ebe3557daa586d2d1650N" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\84450ece99d5ebe3557daa586d2d1650N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "84450ece99d5ebe3557daa586d2d1650N8" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\84450ece99d5ebe3557daa586d2d1650N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Google\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Rules\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Rules\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\OSPPSVC.exe
Filesize
4.9MB

MD5
9a40c2a8c5413b6f5d2c098d8bb93f52

SHA1
e4f4f4f01de1860ba17483fa893983cf4f39b26c

SHA256
c1e1cb3dc1bf16bbb5dbd4f88f1774790d94709d66e9482e384238cf2b9cc88d

SHA512
72fba8df782570bcc5f3f0752e0bc6ebd306e5473badac5e6ff29a7ae3ecc52bc7c8e05053954154115dec0c1fa3a8f31388309f10aaf9603900f3d28a814bef

Download Submit
C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
Filesize
4.9MB

MD5
84450ece99d5ebe3557daa586d2d1650

SHA1
9241cf6c4f37fcc63732c728cedb408afd3d8369

SHA256
6ff9d724f6dfa99f6a30343e9dc543fc864da291eff05a391850329f94be6f9e

SHA512
eb9cd446fc1735a9a0ebafcd04e64903708e84baab0ee465290752bb2d5ee32fb7fe209e8621dce8ed8ebd12b90351a01fe07e7a81789780edef0892a49ec6c4

Download Submit
C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\smss.exe
Filesize
4.9MB

MD5
f585d37abe10bf38a33c4d1f8ff7feb3

SHA1
54856f68cb8ee2d9c26f1254d8e224d8dfec8cd3

SHA256
6d79067efc11b5d40a3936e25a8a597f26dcb4968921e0cd328a6170e545347e

SHA512
676e6d72e873b20e4e17b664240dd7326b3902d6b3a1935774d1f9f17bc4abc1ed4861da3219d682a7a6afebe5d11f99f24c3037132caf45e66a74dc39de16b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cb67e6d-ca64-4e0f-8079-eae367a83680.vbs
Filesize
733B

MD5
8ead90ce4a7679200b4b1038c1d0a25b

SHA1
eef4560d1ff07bc4d1a24ccd08b1b1fdc4fc71ad

SHA256
e1ce13771d6747b247c111c89f987e989f98fd82692b99748bb7756c32f1bd50

SHA512
0edeea5bc74f0cfdc725d9bfe17d66762f3bb6b726855f9f064749d1aceb02f9902b0e24e5dab16e87a684a463a9d43ad2d1e6aea548c0725ef036191ff97c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d3aa829-1298-45ff-b44e-583022249b28.vbs
Filesize
733B

MD5
2737db26bdfcebd80c7332d6c47239f9

SHA1
1ffd01b17893db85770d82df9a01719ba7c4c217

SHA256
ffe437a07ec0f86da35356766e71943f51d09556cca3b27356589cfb4758328d

SHA512
5dc142f66313e6d1aeda737ae742621d5365f20864a8f5cea8519fc4f6901933d53dd317261b83108e4986907005116c6560dab0f5e356b5022fcee7d44172d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\69f8252e-d35f-48be-92b3-d53b14fc0bec.vbs
Filesize
732B

MD5
865e88adc07d7fa4f27063d129fc3c40

SHA1
6e4c2b1a35700b5fe43b0b99dc6d6cee9f0a8b34

SHA256
bb3356f8416ff2f69574f0ec3e05d9a3b2142b35a79ec2cf5dfe62944582cf4e

SHA512
ec645baadce32196199040439433b880d3b8111e1b29bd2a5731fd43a06e630faf49176486f65ca889a4df5d627bef7cc6112204e867dd5653468cef57ce5ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fae83e3-c60e-43dc-8946-af0ef1a38336.vbs
Filesize
733B

MD5
18b6a6423ef1d3b80a0e2f0192b5a3d5

SHA1
6f91bd0e91c98fb6196fd07e26c4a457fae42e25

SHA256
67f8a4622e2ca15a3d6b78f5fff62829135e34c0c28037247f1a3a3fafe6def9

SHA512
fc60029454f128d2230a965804b25e1ce8b1c0d0e1d9088884b96fcbb5c8a4be6ed5434f13a630bd4b50cbb6ed13a935ff6a3c9efdfd703b1262034043322f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\83c9f1dd-596d-4e6e-aac3-3f3e6fff37e5.vbs
Filesize
509B

MD5
7d18b6b96e699fd9e6cfb6a0db3eabc5

SHA1
9ab16a1f3c22f18c5b2629e238290a258e3e8d7b

SHA256
f28cecafdf618217c7e7962738da39447828322f0938c12f33bbca91133ab30f

SHA512
bbd03569acec8927beb49a8afce13a4c8408ef9e918e00a17a1c3d75dd4301373c4589ddc999ac24521f30344c8356a761b7b9bea20174ca72d1e88738829993

Download Submit
C:\Users\Admin\AppData\Local\Temp\86764c2b-b085-497b-81c2-2c1152abcec8.vbs
Filesize
733B

MD5
b3c29497ab656d8c12d68dd9273fcfde

SHA1
09435803859221edde3430a9fea0a2f2da8cfd98

SHA256
0b1069cba9ab32e73f91c83ec2df28a6a1a1365e48e82cb74c47c707f3510496

SHA512
9f9d598d324c080747d844d960f14dd0123166ba1d6ffecd2d1effff1f43c7f28a46b4e33191ff6eaec1f62d86d70f6152cea36c0fbd29409d1c6038d16f43a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8945a34d-9dfb-4422-bfcd-4a6d64bf826f.vbs
Filesize
733B

MD5
5e0f6bb7724073a6662c583951f204fb

SHA1
8474c03fd491c554cdc45d7a02759cd405c9774f

SHA256
510124cf86e2392432223c3e6f0fb13bb0e4d416a9f9f75b6af8c66ba53984c9

SHA512
94f730ae5e70705cf2fbff0ea87ff4d09cb489cd16689f36a9371c283cd2d0a87e9eea76a5326d4b0631730f94f919bf5eab928c1bb1252d3859d2742858cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\98fba045-3337-44c1-aa85-05511d5f1415.vbs
Filesize
733B

MD5
ae9dc7640883aad845f1e42c564cafd9

SHA1
043484d5916fd99c1ece1cc992fe0d037272efda

SHA256
dfc6037dd6b3a73745522af07ce9fc29b06e82911f974ded7238bdfe9b2a97c1

SHA512
51208e43d355feafb37c22eebf451484226d36d697f0aa8138be6f71ec0bd459d2a143ccd3f2a11fbed485a99b4ff6e634de92cbb80eb3690226f1cd48fbd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZnhMCmO6P2.bat
Filesize
222B

MD5
8b98c0db1b3d1b4c72a70e133d1bfdd0

SHA1
260c7535f05fbe3398b302d68f4c7acf8b69d08c

SHA256
4e94101178b79b861fc21871b8397f07c2671175b89f392d7a89672b0e87110e

SHA512
d678791381f60724d4513d830b6c0b0e381e09e60d25ef5be8dcf3061f58b8b2125bdb9e5c01a205c228d9c35387b6daa3fed461ef497cfafa7647e68fa04d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfd6e341-7b43-4259-bb0a-f8ae3604593d.vbs
Filesize
733B

MD5
27a7e6b916a0c80d0c953828c6cc727b

SHA1
6173ceea92f3a1d19c37b9dbef3e5e7cc684b3e9

SHA256
25a20f737c043ea558c5ff381471e2e5a64cfb90c0fe3af19ed8c1c72983c13d

SHA512
1abf5c927dac5ba88c443dc9bd53a6952121a4332526f745ced9af02c3d0a3cc3bcdf26a1415e56c11dc9c9278c3e941dda82be0ce9c851022e392976443ca67

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF21C.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
2d4e3b5e7c796ad8da967f1c347da48d

SHA1
10bbaa0d3cf3c0b9f31d3b9d4713c1876822f1fb

SHA256
21bce57c1b53e69e839a5d4dfc35d3a1d743b801db8bc631ee87d971ec51e1d5

SHA512
dea9f46f313a873a0cb9ec15c837b36b44fbde1fb254d12da03b5091970d90786facd3e9e7acfd19e5af118f588d362dde5d09aaa2e16b10a73ba31adb206ccf

Download Submit
C:\Windows\PLA\Rules\RCXBEA8.tmp
Filesize
4.9MB

MD5
1f19d5a1908e9763fe9b1202e2ca8d00

SHA1
e6e10ff40016e327408c94df34283878349a3d15

SHA256
e1e54b096186c40b3e887f0793074b919ac9a8e566fe99ff17bfaaa7c5e53a76

SHA512
4f13f59d31de94fda5ab2829ec5f9c4284e040d2be06b0e05460d08bc16873ff67b64199957beb22847ae7c690fb72657266926a8fce8f9a039540635a7cca9d

Download Submit
memory/520-154-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/520-153-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/936-194-0x00000000012E0000-0x00000000017D4000-memory.dmp

Filesize
5.0MB

Download
memory/2100-279-0x0000000001230000-0x0000000001724000-memory.dmp

Filesize
5.0MB

Download
memory/2136-6-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2136-7-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/2136-86-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/2136-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x0000000000CC0000-0x00000000011B4000-memory.dmp

Filesize
5.0MB

Download
memory/2136-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2136-3-0x000000001B920000-0x000000001BA4E000-memory.dmp

Filesize
1.2MB

Download
memory/2136-170-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2136-4-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/2136-5-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/2136-16-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/2136-101-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2136-8-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2136-9-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/2136-10-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/2136-11-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2136-14-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2136-12-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2136-13-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/2136-15-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/2248-264-0x0000000000150000-0x0000000000644000-memory.dmp

Filesize
5.0MB

Download