dcrat | b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Size

4.9MB
MD5

dc0f33684dad2fbdd9801489c2a24150
SHA1

6c2f859577d7f959f4f0056c9f5a6b2c22ef3333
SHA256

b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55
SHA512

e333c6592b0bb816c1a5c1baa5ea22249eed4fcad54dc5c3e898df00e36390ab025d163136f41ad4a0bb8cc933159b93ad0d15e100ba7dcd3248cfd709152650
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2916	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2916	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2400-2-0x000000001B5A0000-0x000000001B6CE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2528	powershell.exe
1532	powershell.exe
1240	powershell.exe
756	powershell.exe
1628	powershell.exe
1924	powershell.exe
2552	powershell.exe
2640	powershell.exe
1816	powershell.exe
316	powershell.exe
2012	powershell.exe
752	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2280	winlogon.exe
1152	winlogon.exe
2268	winlogon.exe
1532	winlogon.exe
2736	winlogon.exe
2556	winlogon.exe
1304	winlogon.exe
1788	winlogon.exe
2472	winlogon.exe
2240	winlogon.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\Dism\ja-JP\smss.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Windows\System32\Dism\ja-JP\69ddcba757bf72	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Windows\System32\Dism\ja-JP\RCXD423.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Windows\System32\Dism\ja-JP\smss.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\en-US\c5b4cb5e9653cc	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Google\Temp\winlogon.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXD21F.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXE182.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCXD82B.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files\Internet Explorer\en-US\services.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Google\Temp\cc11b995f2a76d	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXDA9C.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\RCXDD0D.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\services.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files\Windows Journal\ja-JP\cc11b995f2a76d	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\be448d5f0000fe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\winlogon.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\winlogon.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c5b4cb5e9653cc	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files\Windows Journal\ja-JP\winlogon.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Boot\Fonts\csrss.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Windows\AppCompat\Programs\lsm.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Windows\AppCompat\Programs\101b941d020240	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXDF7E.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Windows\AppCompat\Programs\lsm.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe
1772	schtasks.exe
2988	schtasks.exe
2924	schtasks.exe
1036	schtasks.exe
1060	schtasks.exe
1744	schtasks.exe
780	schtasks.exe
2820	schtasks.exe
2972	schtasks.exe
2076	schtasks.exe
1708	schtasks.exe
2840	schtasks.exe
2692	schtasks.exe
2732	schtasks.exe
2728	schtasks.exe
2508	schtasks.exe
2968	schtasks.exe
1028	schtasks.exe
2220	schtasks.exe
2884	schtasks.exe
2956	schtasks.exe
300	schtasks.exe
1560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
1240	powershell.exe
752	powershell.exe
1628	powershell.exe
2012	powershell.exe
1532	powershell.exe
2552	powershell.exe
2640	powershell.exe
2528	powershell.exe
756	powershell.exe
1816	powershell.exe
1924	powershell.exe
316	powershell.exe
2280	winlogon.exe
1152	winlogon.exe
2268	winlogon.exe
1532	winlogon.exe
2736	winlogon.exe
2556	winlogon.exe
1304	winlogon.exe
1788	winlogon.exe
2472	winlogon.exe
2240	winlogon.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2280	winlogon.exe
Token: SeDebugPrivilege	1152	winlogon.exe
Token: SeDebugPrivilege	2268	winlogon.exe
Token: SeDebugPrivilege	1532	winlogon.exe
Token: SeDebugPrivilege	2736	winlogon.exe
Token: SeDebugPrivilege	2556	winlogon.exe
Token: SeDebugPrivilege	1304	winlogon.exe
Token: SeDebugPrivilege	1788	winlogon.exe
Token: SeDebugPrivilege	2472	winlogon.exe
Token: SeDebugPrivilege	2240	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1628	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	56
PID 2400 wrote to memory of 1628	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	56
PID 2400 wrote to memory of 1628	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	56
PID 2400 wrote to memory of 1924	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	57
PID 2400 wrote to memory of 1924	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	57
PID 2400 wrote to memory of 1924	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	57
PID 2400 wrote to memory of 2552	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	58
PID 2400 wrote to memory of 2552	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	58
PID 2400 wrote to memory of 2552	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	58
PID 2400 wrote to memory of 2528	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	59
PID 2400 wrote to memory of 2528	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	59
PID 2400 wrote to memory of 2528	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	59
PID 2400 wrote to memory of 316	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	60
PID 2400 wrote to memory of 316	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	60
PID 2400 wrote to memory of 316	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	60
PID 2400 wrote to memory of 1816	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	61
PID 2400 wrote to memory of 1816	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	61
PID 2400 wrote to memory of 1816	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	61
PID 2400 wrote to memory of 2640	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	62
PID 2400 wrote to memory of 2640	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	62
PID 2400 wrote to memory of 2640	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	62
PID 2400 wrote to memory of 756	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	63
PID 2400 wrote to memory of 756	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	63
PID 2400 wrote to memory of 756	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	63
PID 2400 wrote to memory of 1240	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	65
PID 2400 wrote to memory of 1240	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	65
PID 2400 wrote to memory of 1240	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	65
PID 2400 wrote to memory of 1532	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	66
PID 2400 wrote to memory of 1532	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	66
PID 2400 wrote to memory of 1532	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	66
PID 2400 wrote to memory of 2012	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	68
PID 2400 wrote to memory of 2012	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	68
PID 2400 wrote to memory of 2012	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	68
PID 2400 wrote to memory of 752	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	70
PID 2400 wrote to memory of 752	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	70
PID 2400 wrote to memory of 752	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	70
PID 2400 wrote to memory of 2280	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	80
PID 2400 wrote to memory of 2280	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	80
PID 2400 wrote to memory of 2280	2400	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	80
PID 2280 wrote to memory of 1688	2280	winlogon.exe	81
PID 2280 wrote to memory of 1688	2280	winlogon.exe	81
PID 2280 wrote to memory of 1688	2280	winlogon.exe	81
PID 2280 wrote to memory of 2776	2280	winlogon.exe	82
PID 2280 wrote to memory of 2776	2280	winlogon.exe	82
PID 2280 wrote to memory of 2776	2280	winlogon.exe	82
PID 1688 wrote to memory of 1152	1688	WScript.exe	83
PID 1688 wrote to memory of 1152	1688	WScript.exe	83
PID 1688 wrote to memory of 1152	1688	WScript.exe	83
PID 1152 wrote to memory of 1508	1152	winlogon.exe	84
PID 1152 wrote to memory of 1508	1152	winlogon.exe	84
PID 1152 wrote to memory of 1508	1152	winlogon.exe	84
PID 1152 wrote to memory of 1960	1152	winlogon.exe	85
PID 1152 wrote to memory of 1960	1152	winlogon.exe	85
PID 1152 wrote to memory of 1960	1152	winlogon.exe	85
PID 1508 wrote to memory of 2268	1508	WScript.exe	86
PID 1508 wrote to memory of 2268	1508	WScript.exe	86
PID 1508 wrote to memory of 2268	1508	WScript.exe	86
PID 2268 wrote to memory of 2388	2268	winlogon.exe	87
PID 2268 wrote to memory of 2388	2268	winlogon.exe	87
PID 2268 wrote to memory of 2388	2268	winlogon.exe	87
PID 2268 wrote to memory of 924	2268	winlogon.exe	88
PID 2268 wrote to memory of 924	2268	winlogon.exe	88
PID 2268 wrote to memory of 924	2268	winlogon.exe	88
PID 2388 wrote to memory of 1532	2388	WScript.exe	89

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
"C:\Users\Admin\AppData\Local\Temp\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Program Files (x86)\Google\Temp\winlogon.exe
  "C:\Program Files (x86)\Google\Temp\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2280
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\756990eb-c7a2-4e73-a4d7-62e25a8d98d8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Program Files (x86)\Google\Temp\winlogon.exe
      "C:\Program Files (x86)\Google\Temp\winlogon.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1152
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdc022fe-e241-4435-b5a1-fcdcf6f5b158.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Program Files (x86)\Google\Temp\winlogon.exe
        
        "C:\Program Files (x86)\Google\Temp\winlogon.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69afd02f-04dd-4635-b237-bdd99625857f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Program Files (x86)\Google\Temp\winlogon.exe
        
        "C:\Program Files (x86)\Google\Temp\winlogon.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bd82a02-ee31-48a7-8aa2-550514d461a5.vbs"
        9⤵
        
        PID:2508
        
        C:\Program Files (x86)\Google\Temp\winlogon.exe
        
        "C:\Program Files (x86)\Google\Temp\winlogon.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eff8f51a-6ad3-49e0-91db-79f02200fc60.vbs"
        11⤵
        
        PID:1696
        
        C:\Program Files (x86)\Google\Temp\winlogon.exe
        
        "C:\Program Files (x86)\Google\Temp\winlogon.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee1972c5-9987-4285-b0d5-1898a9b0e9aa.vbs"
        13⤵
        
        PID:2384
        
        C:\Program Files (x86)\Google\Temp\winlogon.exe
        
        "C:\Program Files (x86)\Google\Temp\winlogon.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bfe24db-2322-47b3-82d3-c9d0c07b6fdf.vbs"
        15⤵
        
        PID:3024
        
        C:\Program Files (x86)\Google\Temp\winlogon.exe
        
        "C:\Program Files (x86)\Google\Temp\winlogon.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\759191d7-d3d3-4244-9dd9-e8ccb128c045.vbs"
        17⤵
        
        PID:2536
        
        C:\Program Files (x86)\Google\Temp\winlogon.exe
        
        "C:\Program Files (x86)\Google\Temp\winlogon.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bf666c2-f41e-4825-b5d9-242a25b112cf.vbs"
        19⤵
        
        PID:1996
        
        C:\Program Files (x86)\Google\Temp\winlogon.exe
        
        "C:\Program Files (x86)\Google\Temp\winlogon.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3a32ac3-4b99-40d5-b4c5-e8dc768dbd9e.vbs"
        19⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dce785b-d300-4be6-99e9-9c0ad9061a67.vbs"
        17⤵
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b0b0e69-8394-43f1-9b64-64fe4082b9f9.vbs"
        15⤵
        
        PID:320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c304cda-4b9e-4387-9ef9-2c280c1358cc.vbs"
        13⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d04934d-25be-4ffb-a79c-69f117c4bc3a.vbs"
        11⤵
        
        PID:2204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc4e7a87-d090-4661-b379-c944e665173d.vbs"
        9⤵
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6109e4e9-1508-49fd-a56a-f5842f1d65f6.vbs"
        7⤵
        
        PID:924
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67aa363a-3848-4819-b164-c5ddbe1b7ca0.vbs"
        5⤵
        
        PID:1960
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7d30566-d2b7-4309-8ceb-8f39f7148afa.vbs"
    3⤵
    PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\Dism\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\Dism\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\Dism\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55Nb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55Nb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\winlogon.exe

Filesize
4.9MB

MD5
dc0f33684dad2fbdd9801489c2a24150

SHA1
6c2f859577d7f959f4f0056c9f5a6b2c22ef3333

SHA256
b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55

SHA512
e333c6592b0bb816c1a5c1baa5ea22249eed4fcad54dc5c3e898df00e36390ab025d163136f41ad4a0bb8cc933159b93ad0d15e100ba7dcd3248cfd709152650

Download Submit
C:\Program Files (x86)\Google\Temp\winlogon.exe

Filesize
4.9MB

MD5
8eb1e925fade01b71f6b3f0a10c36c9c

SHA1
4ade4756f3e00d2bf439fd8b1a62336e1a355cdf

SHA256
a38fb26825ede8831504ea9e789b3fb10de05ee4ef264f6070e9259b7e435d0a

SHA512
bf0224c4b6d0476c3359338c9cee124c0ac15f5faa963c51291aff377c6dd3486b8662e9adb7f72a712f4c9ac9f24abe2bb319e00df57aa196ef60e6e8ec07e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0bd82a02-ee31-48a7-8aa2-550514d461a5.vbs

Filesize
723B

MD5
c06fb95d7bf69f6a311b84769e5bf317

SHA1
aa352e40ede7e635f89c05360db34a96e5685a40

SHA256
3ed884caab201d31a3d4d6f23ea546560fbaa82b9406b3049d694c7737acd23a

SHA512
9b55a8e38725cb6a760e4d1d493bcbe9baa1b0fe4b78852a45cfc64a7f46707b9b54c462522efea5092de11c0c92864d1a1f4d36970631bf51392f004523ff48

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bf666c2-f41e-4825-b5d9-242a25b112cf.vbs

Filesize
723B

MD5
82069a5ec532404882f77de311c4f953

SHA1
af587d0765ecec9f94dd874df5d7f794d3fc0bf1

SHA256
a12eaf31489dade05b65aaf5bcd9f92709cc47b170dd3e20f577f01484a77d83

SHA512
93b4c74063d15f954487a99938bb725d0f3ec28c3582c6abc7e3b8a1e84deb4aaa87d9fd37e285d5719338490b00a5c3ca1b7cbd1dbee9977b6938de90c2c2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bfe24db-2322-47b3-82d3-c9d0c07b6fdf.vbs

Filesize
723B

MD5
3dbaae45107b32fe2d29fba6237e2992

SHA1
bd138902bf01c5fa4084123540c5667c10dbfb26

SHA256
7f365aeee3bce2d2ce2d61e6bbdce9e0a9e550fabeba0fbe4f15e7e684541ab3

SHA512
686244d8089cd46ca138808d24b5dc94adee532555b612f5c14d247bd1db7d6ee38c8fba41c886b9c7072d2c20c303b619577b48680f5c7b5155c3e5de7dc133

Download Submit
C:\Users\Admin\AppData\Local\Temp\69afd02f-04dd-4635-b237-bdd99625857f.vbs

Filesize
723B

MD5
57e37c7ee26f04681e8d47b9ad90360c

SHA1
f427e7467c5dd9a4e858237c2983a492395b00c9

SHA256
eb5fcea12453706a67f28b21cdd162234b3d77448f2c2933a8233487ac94984c

SHA512
8172f4e61079993db17028483b1ae24cc9edef425882f7833636120b02323572a2d7283a04ef7e7d5667d61d43889f4793a47f09c9ce706c2edc3889f2fb17ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\756990eb-c7a2-4e73-a4d7-62e25a8d98d8.vbs

Filesize
723B

MD5
072bfb65dfab7e20793fe8fe388cf77b

SHA1
83894dc8ac05377817f31d8752cd5a7af93d98dc

SHA256
e77fc8c23649567806bf3bf362dde71921c6ecd618c838646e0cd94927bdbf10

SHA512
734a6a530d6896146672c8153f7d7adfa495ff0c886c877b3ba152973c075134c35aa35405cb397c6cd983ba2819e505701abe592d1ef60dba89aa965f036cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\759191d7-d3d3-4244-9dd9-e8ccb128c045.vbs

Filesize
723B

MD5
0e11b90d08631d47cc9ab76189fdb56f

SHA1
bc83fd23fc0f626faabf2e873764e593bad14ace

SHA256
27be1bd9507b8b3b89c9e1a58600574717414daa8b0b1ba5155923e9c518c20a

SHA512
07238fe868701f9dfb729590d49d719ab5b7758361f85c83140293ce6281600ac4018d67b95aa81bec88ffcf5d44d4a0570c75fd8a9faab853d604c3492acf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7d30566-d2b7-4309-8ceb-8f39f7148afa.vbs

Filesize
499B

MD5
578791aaee2300652ef435dffb724ec3

SHA1
68de9a985beea8269af510ca67db48d01cbb5136

SHA256
b67313aef429d214758055a5ffb71f53954f82aa17b8d176dd86609ea9d65f3d

SHA512
fa72e5cf41008ee5e7da420d5541e8339a42d4b429a7b0985aa8fd3be63557dd2a3e65439a98b5204c7662c5002413194cedcd9160702167e3d0aefeddd190c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee1972c5-9987-4285-b0d5-1898a9b0e9aa.vbs

Filesize
723B

MD5
5fb57cb9b95182d83120446924a9d6e2

SHA1
7c6c7f1a8c722cca2df00a5ac332e0744f1e65ab

SHA256
daee908e7104f7314fc60b1db0b30028908734b5090bb6195c31e630d65ebbcf

SHA512
033b4d731dd59cce10963b687ecb462366d94f0cb92fe24f2890b33662095e8f109ab84c328fc1da59ce474eaa091b529422fdf294989f2b8a454af0ba489f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\eff8f51a-6ad3-49e0-91db-79f02200fc60.vbs

Filesize
723B

MD5
58b305c1a98dca84951363e6480d6f42

SHA1
6f4b09f044e614ee32077df9987c062bc7095b15

SHA256
663e083cd3acedcaede5f11bf2a3150754e2d4a142b375c3dce995f2ec6b4bdd

SHA512
f1249ba34db24a092965ed0028ef542cb01e8199e477fc2dd8ae5a20d550e38c01164000b9c8a481335e7c465081574631b259893c6930a1acb4aedc2d6ba415

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdc022fe-e241-4435-b5a1-fcdcf6f5b158.vbs

Filesize
723B

MD5
e42208f5acbabf9c3423f97f62483834

SHA1
9fc1b8e19f052554d35741db6c13d44952dda512

SHA256
abffde9c0451d8e5289c05b89ceb36afd040972c16e0330f991c5ff79dbb7806

SHA512
320e56fd708249c0067980a4d679f3d0963d1ba9cb9da0b9597c74046b30c4729bfe4b271c631f8065b77f4fe6b4b0d7b1d3f5a0db3a48e403344ad5cd8072e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF1DE.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d07878b75ae873ec11a6db026975f50

SHA1
2688d7a2ea175755b9e4a4fc4e1decd007cb79b9

SHA256
983f72201b66c87e9a96a5941c481c44ff2e0a81b7c6747299370deab5d754f7

SHA512
79ea3e14dc63899e2a8e54e57978e8193027c3b62d127a766ffd8e113013b0605075f7b8b5ead70a72c44f31956948d115f56a819ed2b950737955829726ee9b

Download Submit
memory/1152-173-0x0000000000E60000-0x0000000001354000-memory.dmp

Filesize
5.0MB

Download
memory/1240-102-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/1240-103-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/1532-202-0x0000000000ED0000-0x00000000013C4000-memory.dmp

Filesize
5.0MB

Download
memory/2280-96-0x0000000000280000-0x0000000000774000-memory.dmp

Filesize
5.0MB

Download
memory/2280-159-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2400-9-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2400-3-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-15-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/2400-14-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2400-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/2400-13-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/2400-12-0x00000000005D0000-0x00000000005DE000-memory.dmp

Filesize
56KB

Download
memory/2400-8-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2400-1-0x00000000013A0000-0x0000000001894000-memory.dmp

Filesize
5.0MB

Download
memory/2400-113-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-11-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/2400-7-0x0000000000560000-0x0000000000576000-memory.dmp

Filesize
88KB

Download
memory/2400-6-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/2400-10-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2400-5-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2400-2-0x000000001B5A0000-0x000000001B6CE000-memory.dmp

Filesize
1.2MB

Download
memory/2400-4-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/2400-16-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2556-232-0x00000000010F0000-0x00000000015E4000-memory.dmp

Filesize
5.0MB

Download
memory/2736-217-0x0000000000F40000-0x0000000001434000-memory.dmp

Filesize
5.0MB

Download