dcrat | 67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Size

4.9MB
MD5

a87a3e93eb8f7ee1a70c9b6204930910
SHA1

d5540d781ad24f6ebd68773fc6581a519d8c44a9
SHA256

67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227
SHA512

d8c2ea8d31db9e5f96113057fd1a43d042ca7988081c8f31ba69aef10af91098eaaa6837504c91886452dba5f4c94ba9d6054375b6044409b1ccc1b74907e19d
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2788	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

OSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1628-2-0x000000001B040000-0x000000001B16E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
444	powershell.exe
680	powershell.exe
2148	powershell.exe
2272	powershell.exe
2320	powershell.exe
2072	powershell.exe
2112	powershell.exe
1976	powershell.exe
2420	powershell.exe
2300	powershell.exe
2288	powershell.exe
1164	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

OSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

pid	Process
2772	OSPPSVC.exe
1384	OSPPSVC.exe
1060	OSPPSVC.exe
2240	OSPPSVC.exe
2832	OSPPSVC.exe
1636	OSPPSVC.exe
2652	OSPPSVC.exe
1316	OSPPSVC.exe
1948	OSPPSVC.exe
2208	OSPPSVC.exe
1008	OSPPSVC.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

OSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exeOSPPSVC.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe

Drops file in Program Files directory 8 IoCs

Processes:

67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\csrss.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCXE3C1.tmp	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Program Files\Internet Explorer\csrss.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Program Files\Internet Explorer\886983d96e3d3e	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\56085415360792	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXDD49.tmp	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe

Drops file in Windows directory 12 IoCs

Processes:

67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe

description	ioc	Process
File created	C:\Windows\Logs\CBS\42af1c969fbb7b	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Windows\twain_32\wininit.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Windows\twain_32\56085415360792	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Windows\Logs\CBS\RCXDFBA.tmp	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Windows\Logs\CBS\audiodg.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Windows\twain_32\wininit.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Windows\Registration\CRMLog\dllhost.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Windows\Registration\CRMLog\5940a34987c991	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Windows\Registration\CRMLog\dllhost.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Windows\twain_32\RCXE1BE.tmp	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File created	C:\Windows\Logs\CBS\audiodg.exe	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXDB25.tmp	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2832	schtasks.exe
1332	schtasks.exe
1996	schtasks.exe
2964	schtasks.exe
2456	schtasks.exe
2976	schtasks.exe
868	schtasks.exe
2852	schtasks.exe
2900	schtasks.exe
2944	schtasks.exe
2264	schtasks.exe
2768	schtasks.exe
1740	schtasks.exe
2324	schtasks.exe
2924	schtasks.exe
2688	schtasks.exe
2760	schtasks.exe
2764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

pid	Process
1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
2112	powershell.exe
2272	powershell.exe
2288	powershell.exe
680	powershell.exe
2300	powershell.exe
1976	powershell.exe
2320	powershell.exe
2148	powershell.exe
2420	powershell.exe
444	powershell.exe
2072	powershell.exe
1164	powershell.exe
2772	OSPPSVC.exe
1384	OSPPSVC.exe
1060	OSPPSVC.exe
2240	OSPPSVC.exe
2832	OSPPSVC.exe
1636	OSPPSVC.exe
2652	OSPPSVC.exe
1316	OSPPSVC.exe
1948	OSPPSVC.exe
2208	OSPPSVC.exe
1008	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	2772	OSPPSVC.exe
Token: SeDebugPrivilege	1384	OSPPSVC.exe
Token: SeDebugPrivilege	1060	OSPPSVC.exe
Token: SeDebugPrivilege	2240	OSPPSVC.exe
Token: SeDebugPrivilege	2832	OSPPSVC.exe
Token: SeDebugPrivilege	1636	OSPPSVC.exe
Token: SeDebugPrivilege	2652	OSPPSVC.exe
Token: SeDebugPrivilege	1316	OSPPSVC.exe
Token: SeDebugPrivilege	1948	OSPPSVC.exe
Token: SeDebugPrivilege	2208	OSPPSVC.exe
Token: SeDebugPrivilege	1008	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exeOSPPSVC.exeWScript.exeOSPPSVC.exeWScript.exeOSPPSVC.exeWScript.exe

description	pid	Process	procid_target
PID 1628 wrote to memory of 2288	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	50
PID 1628 wrote to memory of 2288	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	50
PID 1628 wrote to memory of 2288	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	50
PID 1628 wrote to memory of 2112	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	51
PID 1628 wrote to memory of 2112	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	51
PID 1628 wrote to memory of 2112	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	51
PID 1628 wrote to memory of 2072	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	52
PID 1628 wrote to memory of 2072	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	52
PID 1628 wrote to memory of 2072	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	52
PID 1628 wrote to memory of 2320	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	55
PID 1628 wrote to memory of 2320	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	55
PID 1628 wrote to memory of 2320	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	55
PID 1628 wrote to memory of 2272	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	56
PID 1628 wrote to memory of 2272	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	56
PID 1628 wrote to memory of 2272	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	56
PID 1628 wrote to memory of 2300	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	57
PID 1628 wrote to memory of 2300	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	57
PID 1628 wrote to memory of 2300	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	57
PID 1628 wrote to memory of 2148	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	59
PID 1628 wrote to memory of 2148	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	59
PID 1628 wrote to memory of 2148	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	59
PID 1628 wrote to memory of 2420	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	60
PID 1628 wrote to memory of 2420	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	60
PID 1628 wrote to memory of 2420	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	60
PID 1628 wrote to memory of 1976	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	61
PID 1628 wrote to memory of 1976	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	61
PID 1628 wrote to memory of 1976	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	61
PID 1628 wrote to memory of 444	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	62
PID 1628 wrote to memory of 444	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	62
PID 1628 wrote to memory of 444	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	62
PID 1628 wrote to memory of 1164	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	63
PID 1628 wrote to memory of 1164	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	63
PID 1628 wrote to memory of 1164	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	63
PID 1628 wrote to memory of 680	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	64
PID 1628 wrote to memory of 680	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	64
PID 1628 wrote to memory of 680	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	64
PID 1628 wrote to memory of 2772	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	74
PID 1628 wrote to memory of 2772	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	74
PID 1628 wrote to memory of 2772	1628	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe	74
PID 2772 wrote to memory of 2368	2772	OSPPSVC.exe	75
PID 2772 wrote to memory of 2368	2772	OSPPSVC.exe	75
PID 2772 wrote to memory of 2368	2772	OSPPSVC.exe	75
PID 2772 wrote to memory of 1436	2772	OSPPSVC.exe	76
PID 2772 wrote to memory of 1436	2772	OSPPSVC.exe	76
PID 2772 wrote to memory of 1436	2772	OSPPSVC.exe	76
PID 2368 wrote to memory of 1384	2368	WScript.exe	77
PID 2368 wrote to memory of 1384	2368	WScript.exe	77
PID 2368 wrote to memory of 1384	2368	WScript.exe	77
PID 1384 wrote to memory of 2536	1384	OSPPSVC.exe	78
PID 1384 wrote to memory of 2536	1384	OSPPSVC.exe	78
PID 1384 wrote to memory of 2536	1384	OSPPSVC.exe	78
PID 1384 wrote to memory of 1028	1384	OSPPSVC.exe	79
PID 1384 wrote to memory of 1028	1384	OSPPSVC.exe	79
PID 1384 wrote to memory of 1028	1384	OSPPSVC.exe	79
PID 2536 wrote to memory of 1060	2536	WScript.exe	80
PID 2536 wrote to memory of 1060	2536	WScript.exe	80
PID 2536 wrote to memory of 1060	2536	WScript.exe	80
PID 1060 wrote to memory of 2384	1060	OSPPSVC.exe	81
PID 1060 wrote to memory of 2384	1060	OSPPSVC.exe	81
PID 1060 wrote to memory of 2384	1060	OSPPSVC.exe	81
PID 1060 wrote to memory of 1796	1060	OSPPSVC.exe	82
PID 1060 wrote to memory of 1796	1060	OSPPSVC.exe	82
PID 1060 wrote to memory of 1796	1060	OSPPSVC.exe	82
PID 2384 wrote to memory of 2240	2384	WScript.exe	83

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

OSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe
"C:\Users\Admin\AppData\Local\Temp\67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Users\Admin\Pictures\OSPPSVC.exe
  "C:\Users\Admin\Pictures\OSPPSVC.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2772
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\564b3e70-2f67-495d-b1dd-561dc0e3a749.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Users\Admin\Pictures\OSPPSVC.exe
      C:\Users\Admin\Pictures\OSPPSVC.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1384
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\403db9f9-4dbb-483c-adf3-b00f3c17b015.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Users\Admin\Pictures\OSPPSVC.exe
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c5d486e-e601-48d8-8bd5-ebbf06041ce1.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b125d86-86f3-4145-ab9a-e986034441c9.vbs"
        9⤵
        
        PID:1724
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b24c7efa-29db-43af-946a-3fdbea554659.vbs"
        11⤵
        
        PID:548
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75322e93-185c-4143-a180-28f828a9e90d.vbs"
        13⤵
        
        PID:2828
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d5e6332-db6d-4529-afe3-39b9e9dfff2d.vbs"
        15⤵
        
        PID:2892
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c424e5e1-98cc-442b-bb95-f38ec8caf16f.vbs"
        17⤵
        
        PID:1500
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b500ff16-99f5-4c62-85ed-71bc079975d9.vbs"
        19⤵
        
        PID:2484
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\622cf4e6-9987-4c74-a173-6c6781e3bb4d.vbs"
        21⤵
        
        PID:2680
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        
        C:\Users\Admin\Pictures\OSPPSVC.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e69721b2-9e51-4177-b4ab-e470e94c9ce0.vbs"
        23⤵
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf626866-1359-4f4c-8582-accd962f098f.vbs"
        23⤵
        
        PID:1388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\892bca0b-f060-4428-9486-4ebb55b7b120.vbs"
        21⤵
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ceeec734-a155-4917-ae80-b07889c4d700.vbs"
        19⤵
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7271e4d7-e2c9-4fa2-81e5-b17faf7f3ba6.vbs"
        17⤵
        
        PID:596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75233046-1b96-4438-8d9e-8026d80436ff.vbs"
        15⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c77e0cd5-f272-41fa-b81c-df399914eb61.vbs"
        13⤵
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfb6e228-5a81-4cc4-9fc0-db6b833e33f3.vbs"
        11⤵
        
        PID:1072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0205fea-e67b-4c6f-8e8d-e3f4e9e2faab.vbs"
        9⤵
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5711e9c-b2d8-49f7-93b5-60f02d1a300a.vbs"
        7⤵
        
        PID:1796
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dc4b05f-bfef-4830-b158-cffb4ea2dedc.vbs"
        5⤵
        
        PID:1028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ed43b49-413a-4d2c-84d7-b3eff6f16a56.vbs"
    3⤵
    PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Pictures\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\CBS\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\CBS\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ed43b49-413a-4d2c-84d7-b3eff6f16a56.vbs

Filesize
487B

MD5
a814077b7db858e92002e47c1d1e8bca

SHA1
0d2410d83c79de5bf5cb9a5c7453ebf87c059113

SHA256
bd4abe52a19e19089c32d1246ab5d0248c6d83c998d174f603da9d17f1d73c77

SHA512
007afd1ae26528f9aea5c052302bca1b074cde02dfa74ee78b39c91e9969e3c65be2bc072e9b35076303442eb1c56e51b840fc4bcf44b084a5b58b9f351fe766

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d5e6332-db6d-4529-afe3-39b9e9dfff2d.vbs

Filesize
711B

MD5
b1fff3e75c913478e6ab30f22f5bb996

SHA1
2b80dec3ea198f67a9ac3f54714a69ed6a530368

SHA256
d4a4779feaa1c7fe6a4e0edea319a7fc4d0f2b3d219a6b1075948ec59f0a3ccc

SHA512
6dbdc08e37e7f13d31af8803e43c63848af7ba7bfda0497f2fd2c87f2af3ac43de9dfc11d7921ab58445a6f7000fcd0998d791ccc06c44b558e6205cefc44c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\403db9f9-4dbb-483c-adf3-b00f3c17b015.vbs

Filesize
711B

MD5
e58ef81073a8770093bbd61471b49081

SHA1
d1fa5045305ab30f781163e58e5094b6c69f0eda

SHA256
477279c0d0edb4a70a9f3b375757c7e153ec061fd003f921ae3794f6318521b6

SHA512
e41b4e0a2ad42626cc2c6d0c9930248a6e80e85a8bfe5f391fedad49314aaeb4041aded2382497fc33b22e55d2b2d95d9f4e18f22260747e80bbe2d9bfc1989c

Download Submit
C:\Users\Admin\AppData\Local\Temp\564b3e70-2f67-495d-b1dd-561dc0e3a749.vbs

Filesize
711B

MD5
69c1b5316ceb482f389256f9f508af8e

SHA1
964bd5c47ff6695a9d631df7bdc7a0810f6cda99

SHA256
c6bd60e0e225fb508debc21fa22ccfa92452f67c32c2a9854fca8aefe87f69d0

SHA512
7f9550be7b791c91ce01bf1224a7caae499a45de7fc9c83733d7941a984b999116f320fb96d6bcc7108325507e70cbaf5794d160dd661512170029c161e43410

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b125d86-86f3-4145-ab9a-e986034441c9.vbs

Filesize
711B

MD5
42cf2ef8b11f86b0c80c976f4a56888b

SHA1
3edd88c9e1d1c80e96ab31e2c5014654d5f79077

SHA256
81c6ff174e903362049c342d297204fe1ffb3820e2c72053e503aa52c17aae51

SHA512
a15e46ae0691c3eaa1cdac95249db386b26132b162ebfe306cdd62a5df04556342455431f441cbad2337e2f2f629fc4a4744e24e7617fd19843d4f3fed113d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\622cf4e6-9987-4c74-a173-6c6781e3bb4d.vbs

Filesize
711B

MD5
f20c1a6648128e62d483a3f7509bf001

SHA1
43f0b69b11d51574e9cf65c67a31d64e35c2767b

SHA256
b9f98ff109c8a1c0366e31720fb3bd6c92a2295aa34a4e9a55ea455d847a157a

SHA512
28cfbe2c5957b678c093f7fcc68125fe233449438e09774030c6227577cd0a51c9c7f6d40a4f62fb8cace244b810566c571b7b1fbd5e081ee4af4d3d35a7d9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c5d486e-e601-48d8-8bd5-ebbf06041ce1.vbs

Filesize
711B

MD5
c9d2333d29c8c8d8b0c59574f1f030cb

SHA1
a18918799a0e4db59c9e21c40df886315fa73be0

SHA256
7b8d4526d457a51fd07002cd9ca3a51b9fbe87716deaf85d58a4a78d304ff6b3

SHA512
0574be9df32dcc71c570161064a49d2dd33764af336cb9a933b88af609fa47eb1d0dc73f658363abf84617df677e8cae1aadf8678082d3e05573ec23517215f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\75322e93-185c-4143-a180-28f828a9e90d.vbs

Filesize
711B

MD5
76093ac881f95e8efb105a8a2ec13a6f

SHA1
7a9cfe71f939c246b105fe30b53b6ab416599252

SHA256
06831dbf6a2d065ff6ab39c12449e45e4f23f8e60eaa84339031044a406ad294

SHA512
b5e1021a13c821d2f498d8e116ebd2c3e1d433ab18a816a73638bfbc393e4491f9fa9f449cb1f0414aeb6885423418074ff30f40454f89121081ac0ef15a373b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b24c7efa-29db-43af-946a-3fdbea554659.vbs

Filesize
711B

MD5
979d1a84bfbe277ae73885f918e7a6bb

SHA1
19096cbefcea47d37530d7209f83151a4c4685be

SHA256
86f15093760432c6d86b57b3473e38a00e78481240c73b8199f2fa692c0f3634

SHA512
f372479c8ddb7bee153944238d3586c8e6f8ceade45305358017589012d2132c15ecabac6684b96018ca68bcf370530688db00b3beb157acde45a7ff92d3e19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b500ff16-99f5-4c62-85ed-71bc079975d9.vbs

Filesize
711B

MD5
1cd767ef933801b1cb570bfd73cb4d3e

SHA1
7a25365d4f02a049ed0aed67695ee718eed1b203

SHA256
befbe9a102395a6695440129829753d9083fdb20365a40826df8c1bf6719d856

SHA512
97dbcc54109aab1f46c8e1bc97d48d26ee3c3daecb251b51b0d4af1ce73192b52877a0bccde2d99cfa4723df5409340d4a24e89d5af40f431649c32ad07a07d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c424e5e1-98cc-442b-bb95-f38ec8caf16f.vbs

Filesize
711B

MD5
b2bf1505a59241e164bd7fffea998a3c

SHA1
542a9a77de35e0582a92bfa6ee09a6aedafbaa53

SHA256
e6e2c5b7392177117d5f363f86cf5ef35b6c6f83c4a9166141b58417e8601b1e

SHA512
7e2583e4c4d70a7a41b86b4704a999d8d10284598b087718862b0acffaa30034b5caf947a2a563b2a48ce2b5903d7f067b4ea46aae787e8ef76b7440ef7fdc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\e69721b2-9e51-4177-b4ab-e470e94c9ce0.vbs

Filesize
711B

MD5
85cc6b8d90c0c37e6c4d820dcf87338b

SHA1
668d75cfc4cc4ded84c0f8a5bcac4cd9cbb2cb69

SHA256
66618d2ff614ee187b5bf0f4ede0a9c099448cffb17e8d0e4ebd1ca7bd97c574

SHA512
3c965038426bf21e2f98d5774437ee1ec90505579f17298a7bef4a04efe00ab12627b97637fef6827d6aacf34d1d5ca2726aa311bc3c8fe0b692f88bda7c8273

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFEF8.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
33f0935029bba6e3b9ccd7687b168bec

SHA1
e4a7eac9ec28bbff37ea119292523b21524bb983

SHA256
5b16986220f33eec7d66ce5cd26ace6c15f22245ccfd4062d6d3ae77d3e38d3b

SHA512
c4f84f3f121a14503b5d88182771790c6326b8375e116a50f7ecc13533c00c3ca78997d89b2b8dc0a727f15f6bd0e09281779841c3c288a923a6ad32a2233cb6

Download Submit
C:\Users\Admin\Pictures\OSPPSVC.exe

Filesize
4.9MB

MD5
a1d9f1a779cd0caa216afeb6409037a3

SHA1
96f57a763ca03f137cb7f99115531e6d2e295e3d

SHA256
29b8354d6f04b5ba066e2f274182eb49c2f477021bafafe7ac182a7158637b6d

SHA512
1582c78b2d5268b6f8295a14b0cef4dcde6344e6ac218e23d290bd76f9e14b7507ec6570240cbc43e32cb7b8eaa22aaae9970600bfd5edc17b2df9b5a1a6a1be

Download Submit
C:\Windows\twain_32\wininit.exe

Filesize
4.9MB

MD5
a87a3e93eb8f7ee1a70c9b6204930910

SHA1
d5540d781ad24f6ebd68773fc6581a519d8c44a9

SHA256
67801c6458505230f9b814761cab327585213e9dd9d5f04777142bcb77c5b227

SHA512
d8c2ea8d31db9e5f96113057fd1a43d042ca7988081c8f31ba69aef10af91098eaaa6837504c91886452dba5f4c94ba9d6054375b6044409b1ccc1b74907e19d

Download Submit
memory/1008-294-0x0000000000D00000-0x00000000011F4000-memory.dmp

Filesize
5.0MB

Download
memory/1008-295-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/1060-172-0x0000000000100000-0x00000000005F4000-memory.dmp

Filesize
5.0MB

Download
memory/1384-157-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/1384-156-0x00000000002C0000-0x00000000007B4000-memory.dmp

Filesize
5.0MB

Download
memory/1628-13-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

Filesize
56KB

Download
memory/1628-6-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download
memory/1628-141-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-1-0x0000000000C20000-0x0000000001114000-memory.dmp

Filesize
5.0MB

Download
memory/1628-2-0x000000001B040000-0x000000001B16E000-memory.dmp

Filesize
1.2MB

Download
memory/1628-3-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-16-0x0000000002520000-0x000000000252C000-memory.dmp

Filesize
48KB

Download
memory/1628-15-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/1628-14-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/1628-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

Filesize
4KB

Download
memory/1628-12-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/1628-11-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/1628-4-0x0000000000740000-0x000000000075C000-memory.dmp

Filesize
112KB

Download
memory/1628-5-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/1628-10-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/1628-7-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download
memory/1628-9-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/1628-8-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/1636-218-0x0000000001010000-0x0000000001504000-memory.dmp

Filesize
5.0MB

Download
memory/1636-219-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/1948-264-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/1948-263-0x0000000000330000-0x0000000000824000-memory.dmp

Filesize
5.0MB

Download
memory/2112-90-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2208-279-0x00000000000C0000-0x00000000005B4000-memory.dmp

Filesize
5.0MB

Download
memory/2240-187-0x0000000000AD0000-0x0000000000FC4000-memory.dmp

Filesize
5.0MB

Download
memory/2240-188-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/2272-92-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2652-234-0x00000000011E0000-0x00000000016D4000-memory.dmp

Filesize
5.0MB

Download
memory/2772-140-0x0000000000B80000-0x0000000001074000-memory.dmp

Filesize
5.0MB

Download
memory/2772-142-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/2832-203-0x0000000000B00000-0x0000000000FF4000-memory.dmp

Filesize
5.0MB

Download