dcrat | 6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890

Analysis

max time kernel
118s
max time network
117s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Size

4.9MB
MD5

98f6d1c7482e03953bd88b57feb7d6b0
SHA1

437f469f92fea1fe222fb031353065152eb4d95e
SHA256

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890
SHA512

240e23c6a92008588b5e70969bbc94b2adfb12fb74e5f31ee4d3fc3b918b160bb13868ab29f14b29029a5889f0aff635a97507c6c1ae13dcadaaa6998d6f8165
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2852	schtasks.exe	29

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Idle.exeIdle.exeIdle.exeIdle.exeIdle.exe6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2540-2-0x000000001B4B0000-0x000000001B5DE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2896	powershell.exe
3040	powershell.exe
972	powershell.exe
2456	powershell.exe
3056	powershell.exe
2112	powershell.exe
2188	powershell.exe
2108	powershell.exe
1296	powershell.exe
3048	powershell.exe
2160	powershell.exe
2380	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

Idle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

pid	Process
1864	Idle.exe
1624	Idle.exe
2452	Idle.exe
604	Idle.exe
2960	Idle.exe
2320	Idle.exe
2696	Idle.exe
2308	Idle.exe
2084	Idle.exe
2344	Idle.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Idle.exe6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in Program Files directory 16 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\RCXE410.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\f3b6ecef712a24	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\6ccacd8608530f	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXDFDA.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\smss.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files (x86)\Google\Temp\smss.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files (x86)\Google\Temp\69ddcba757bf72	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCXDBB3.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\0a1fd5f707cd16	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXE1FD.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe

Drops file in Windows directory 4 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\lsm.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\lsm.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\101b941d020240	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\RCXD77D.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2764	schtasks.exe
2688	schtasks.exe
648	schtasks.exe
2912	schtasks.exe
2952	schtasks.exe
2720	schtasks.exe
2736	schtasks.exe
2656	schtasks.exe
2680	schtasks.exe
2980	schtasks.exe
1036	schtasks.exe
2020	schtasks.exe
308	schtasks.exe
2668	schtasks.exe
1616	schtasks.exe
2916	schtasks.exe
2632	schtasks.exe
2216	schtasks.exe
2252	schtasks.exe
2012	schtasks.exe
2856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

pid	Process
2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
2896	powershell.exe
2108	powershell.exe
3040	powershell.exe
1296	powershell.exe
3056	powershell.exe
972	powershell.exe
2456	powershell.exe
2160	powershell.exe
2112	powershell.exe
3048	powershell.exe
2380	powershell.exe
2188	powershell.exe
1864	Idle.exe
1624	Idle.exe
2452	Idle.exe
604	Idle.exe
2960	Idle.exe
2320	Idle.exe
2696	Idle.exe
2308	Idle.exe
2084	Idle.exe
2344	Idle.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1864	Idle.exe
Token: SeDebugPrivilege	1624	Idle.exe
Token: SeDebugPrivilege	2452	Idle.exe
Token: SeDebugPrivilege	604	Idle.exe
Token: SeDebugPrivilege	2960	Idle.exe
Token: SeDebugPrivilege	2320	Idle.exe
Token: SeDebugPrivilege	2696	Idle.exe
Token: SeDebugPrivilege	2308	Idle.exe
Token: SeDebugPrivilege	2084	Idle.exe
Token: SeDebugPrivilege	2344	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exeIdle.exeWScript.exeIdle.exeWScript.exeIdle.exeWScript.exe

description	pid	Process	procid_target
PID 2540 wrote to memory of 2108	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	51
PID 2540 wrote to memory of 2108	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	51
PID 2540 wrote to memory of 2108	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	51
PID 2540 wrote to memory of 2896	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	52
PID 2540 wrote to memory of 2896	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	52
PID 2540 wrote to memory of 2896	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	52
PID 2540 wrote to memory of 3040	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	54
PID 2540 wrote to memory of 3040	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	54
PID 2540 wrote to memory of 3040	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	54
PID 2540 wrote to memory of 2188	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	55
PID 2540 wrote to memory of 2188	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	55
PID 2540 wrote to memory of 2188	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	55
PID 2540 wrote to memory of 2112	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	56
PID 2540 wrote to memory of 2112	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	56
PID 2540 wrote to memory of 2112	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	56
PID 2540 wrote to memory of 2380	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	57
PID 2540 wrote to memory of 2380	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	57
PID 2540 wrote to memory of 2380	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	57
PID 2540 wrote to memory of 1296	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	58
PID 2540 wrote to memory of 1296	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	58
PID 2540 wrote to memory of 1296	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	58
PID 2540 wrote to memory of 3056	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	59
PID 2540 wrote to memory of 3056	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	59
PID 2540 wrote to memory of 3056	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	59
PID 2540 wrote to memory of 3048	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	60
PID 2540 wrote to memory of 3048	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	60
PID 2540 wrote to memory of 3048	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	60
PID 2540 wrote to memory of 2456	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	61
PID 2540 wrote to memory of 2456	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	61
PID 2540 wrote to memory of 2456	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	61
PID 2540 wrote to memory of 2160	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	62
PID 2540 wrote to memory of 2160	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	62
PID 2540 wrote to memory of 2160	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	62
PID 2540 wrote to memory of 972	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	64
PID 2540 wrote to memory of 972	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	64
PID 2540 wrote to memory of 972	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	64
PID 2540 wrote to memory of 1864	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	75
PID 2540 wrote to memory of 1864	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	75
PID 2540 wrote to memory of 1864	2540	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe	75
PID 1864 wrote to memory of 2808	1864	Idle.exe	76
PID 1864 wrote to memory of 2808	1864	Idle.exe	76
PID 1864 wrote to memory of 2808	1864	Idle.exe	76
PID 1864 wrote to memory of 2324	1864	Idle.exe	77
PID 1864 wrote to memory of 2324	1864	Idle.exe	77
PID 1864 wrote to memory of 2324	1864	Idle.exe	77
PID 2808 wrote to memory of 1624	2808	WScript.exe	78
PID 2808 wrote to memory of 1624	2808	WScript.exe	78
PID 2808 wrote to memory of 1624	2808	WScript.exe	78
PID 1624 wrote to memory of 392	1624	Idle.exe	79
PID 1624 wrote to memory of 392	1624	Idle.exe	79
PID 1624 wrote to memory of 392	1624	Idle.exe	79
PID 1624 wrote to memory of 2464	1624	Idle.exe	80
PID 1624 wrote to memory of 2464	1624	Idle.exe	80
PID 1624 wrote to memory of 2464	1624	Idle.exe	80
PID 392 wrote to memory of 2452	392	WScript.exe	81
PID 392 wrote to memory of 2452	392	WScript.exe	81
PID 392 wrote to memory of 2452	392	WScript.exe	81
PID 2452 wrote to memory of 1704	2452	Idle.exe	82
PID 2452 wrote to memory of 1704	2452	Idle.exe	82
PID 2452 wrote to memory of 1704	2452	Idle.exe	82
PID 2452 wrote to memory of 2224	2452	Idle.exe	83
PID 2452 wrote to memory of 2224	2452	Idle.exe	83
PID 2452 wrote to memory of 2224	2452	Idle.exe	83
PID 1704 wrote to memory of 604	1704	WScript.exe	84

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe
"C:\Users\Admin\AppData\Local\Temp\6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1864
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5cb4b74-e648-4bb6-902d-3b020c408c35.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1624
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8124eb9e-079e-4b16-b4a0-6716dea38139.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:392
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93c0acd7-9749-48f5-9240-10004a126af4.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbd77be1-9ecd-40e2-87f3-6a1bd92ec463.vbs"
        9⤵
        
        PID:2472
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2532592-78e3-4313-b2f0-5b4de3c7a29b.vbs"
        11⤵
        
        PID:2964
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ace2761-f928-4da9-82d9-2280836b132d.vbs"
        13⤵
        
        PID:1628
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\854342e1-5564-48b0-a3ce-750ba27c7120.vbs"
        15⤵
        
        PID:936
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1123e3f8-baf3-40d2-83f6-448bb9e2a3c9.vbs"
        17⤵
        
        PID:2516
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c6925f5-f4b8-45ff-a742-8addcd98ccdf.vbs"
        19⤵
        
        PID:2660
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f60098e-107b-4098-a680-534d51bb7ad3.vbs"
        21⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d046c1b3-efe6-44e4-9e11-55523447002f.vbs"
        21⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55e23548-52f4-4c93-9476-0ef8fb72a77f.vbs"
        19⤵
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e45317f-42bf-4f07-a6de-e3e4e42339f4.vbs"
        17⤵
        
        PID:276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c8c8cc2-f66d-4814-aa80-493a80c34a89.vbs"
        15⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13f427da-a376-4b8d-bb2d-3d7e92fa5908.vbs"
        13⤵
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b083b82a-b4b3-4433-b628-849f42ec0055.vbs"
        11⤵
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87ecc39d-4311-4359-9fad-0010014eaa77.vbs"
        9⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5a3919e-7905-4bdf-88df-eb441034c8c0.vbs"
        7⤵
        
        PID:2224
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70b36856-cd01-4469-a3ef-9ec749c1bfd7.vbs"
        5⤵
        
        PID:2464
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b28e273-db49-4599-900d-d45a81bcb8f2.vbs"
    3⤵
    PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N6" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N6" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\smss.exe

Filesize
4.9MB

MD5
98f6d1c7482e03953bd88b57feb7d6b0

SHA1
437f469f92fea1fe222fb031353065152eb4d95e

SHA256
6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890

SHA512
240e23c6a92008588b5e70969bbc94b2adfb12fb74e5f31ee4d3fc3b918b160bb13868ab29f14b29029a5889f0aff635a97507c6c1ae13dcadaaa6998d6f8165

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ace2761-f928-4da9-82d9-2280836b132d.vbs

Filesize
738B

MD5
524c4a6df2deea7a7fcef627c0be7a0b

SHA1
42fc8a6e392eb50b8bace9d7871e7490eb19be8b

SHA256
9c3f185c3391f4b110f0e2b1706eaed027ac66582a1bda3cb4e5f4e13dcd7a37

SHA512
6b80a379b8275cc551d5848d8a9de3e0d903deefd45d067fba39be6048d0da9f54509e1ada72e9b2e14212fed337d45ad4490067f0d8010a18ef53afdc62e702

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f60098e-107b-4098-a680-534d51bb7ad3.vbs

Filesize
738B

MD5
6664b0e079f4462bef16a9021c73ff83

SHA1
cce341cfeaac54d730b72a0964eedb0ef8dceed3

SHA256
587bcec5ec82a9ae2bea2389670b5d06efe12c3c29f42f719c46bd026b31f263

SHA512
1077b854b17effc6e4edbe38fea05538efbfc8230b49164bd2d98f9fdc0e4990d07b68a1f3518c611fd8be97ca593e69955fab3584a6603d7c7642e04debc391

Download Submit
C:\Users\Admin\AppData\Local\Temp\1123e3f8-baf3-40d2-83f6-448bb9e2a3c9.vbs

Filesize
738B

MD5
e2fe46c3df3cc2f16a328adc2ac01c0b

SHA1
cdbdabe226042560784519cd6a0077b7ae7e5ab3

SHA256
a9ceed8b1ade4d947449811b4a32c9afd3cb1abddee1a071a3c03fad8db3d6ca

SHA512
a5e4dfa4eff5cbef615835d8718d1103e5b0b3336b4910330473ff476ae71b430320e7af58a9364e7b4d7c4869213422e8092cf72905bd96d1b49fe7ef76153b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c6925f5-f4b8-45ff-a742-8addcd98ccdf.vbs

Filesize
738B

MD5
10b9675e8a4bbf088d19eecc6583cece

SHA1
7f9dc8e7ac87183306dcfa801a580d52d245ac4e

SHA256
38ab67475f34bb4392729aeb25c25ec85cb7bd67084044805720953e751d4752

SHA512
a7907c8685105598d76c6692ab7cf7a05cf08914e42adea7e1d24c8e50c07b11b7e04d10c71b60cca8b064e0e20b60ffbc6044e9669e0584896c041bc52a0dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8124eb9e-079e-4b16-b4a0-6716dea38139.vbs

Filesize
738B

MD5
6e2719c651bfe427f795bd1c00f3e6ef

SHA1
9c296d91e57c5cfeea661ef01cc482584a2698be

SHA256
ec9a7a2ddba2c1d29e7379c708e252a1bfd1cf8d04b476d6964606d8e0c2f76c

SHA512
d037432c182d73127d3f69bfac6a847d42024b3a9d4f8461f65069995ac0460a559546aeaf7e0b2a596c70458c1ca198f8998d44295179070942b9926eea3ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\854342e1-5564-48b0-a3ce-750ba27c7120.vbs

Filesize
738B

MD5
6fb6aa6a80f8b4686f49b70999894780

SHA1
b6584373721c84a6308d02529d9909c9decb434b

SHA256
dd9379b91f56ed4ada14170d6f4fcb2830a35abd3bbfaab5a8d2cf49dcedc313

SHA512
fea5f7366321f7f1288534a38d3d5f84fd342f73be6c777681230cd150cdcc5832a25de221f651e3f548463bd5fa35db1076a60f1c9c2addd099e0e765a57a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b28e273-db49-4599-900d-d45a81bcb8f2.vbs

Filesize
514B

MD5
375937de60a5a86cf969fe92582f66bc

SHA1
052e7ef34a95cd0fb92c4b0f5d5621f51934d787

SHA256
f5eec6fb5300dc7f72a749fabfc75c8ee91ee10ba851bb837b147a8fc60baf72

SHA512
7826386270dfefe1246479035129f50d9edf4d80b8dec94f52c86e4ca4d64be9a854fcde7ca9363d1fd04c3af4c2545bce4ad5f3184b5fc966ff183f47164e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\93c0acd7-9749-48f5-9240-10004a126af4.vbs

Filesize
738B

MD5
7f078774e9f7d0c798eab93ed4449d6f

SHA1
49b6c833527fb4fb11cfdb44259c1a3e9b9af610

SHA256
90757e130607d2dd384a33da430e2cf55a49e82d7b3c5e13a4ceed74127b0893

SHA512
2a86a87c0efcd03bffbb456a6f1c0eb9015216f9637e664c5c85d128be4dbaff0da754902907314a8b0510f8bdb019885ea2baadeda1aa197c49cf0ea8625f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5cb4b74-e648-4bb6-902d-3b020c408c35.vbs

Filesize
738B

MD5
08b77b78d4ee7d5ba492f34c89fa56b0

SHA1
14a3b725033fd5e9a0019ea194aebd85a05df08b

SHA256
ecb7936a62f2a4b1c7ca7a1f1659c96ced6163aa7352190d107f8952aed589c2

SHA512
44d6b02a3fbca1aa5c41ec2658da7fba051940283fb971074566b3e549c471fd291326c0595c43a9f99b92b39a87533e26866128029627eecc448e5e54c7f61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbd77be1-9ecd-40e2-87f3-6a1bd92ec463.vbs

Filesize
737B

MD5
4486292cbc172eb1e9974c588b8865cf

SHA1
b4af60deeedf284a94d678c881ea59e767538d91

SHA256
e636fe1c0da1c5093ac0844d858bf82c2e2bd155979e52bc122355580c91daff

SHA512
fce6ccba51c93333aab279e47d0e9aa8962eadaed870c8e11a1b2b022c5fdf733c173eb64ea097c9ebf5b925c5769a60886aac39c31b186522e2c45587f9e4b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2532592-78e3-4313-b2f0-5b4de3c7a29b.vbs

Filesize
738B

MD5
0571644e74fc0ae5253dc277434576c1

SHA1
9cb5c5a70aed71ef320e20056a85875ba80719a4

SHA256
74473f15bcba4c4021120f34b8fd1a48a3082a6bf2e44f2348d20eed9d0cc13b

SHA512
b02372de2129901ef3d50526e709a50cb2d1b0411d14fe6bccd76437590f68b88bd753381fe266435a8e4f3ef7eb3613e9943cce76f2384054a80134d3a354af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
861764870d84e19acafa915740094d22

SHA1
423b33d6aba420001876cbca55527701c1d32f3c

SHA256
53c8068f10148b8669a7ad3b9748b78735f8a08787da85521d7912f082f5c8a1

SHA512
ce8788d9426ebb7a3d8d681248a8f5f7e13a19a6a9bd3bc0a595bab87ffb1551f9f459ea04134c2e65141d38e54ab4c293b46d949dc1a4d4e5fc273c40e200a5

Download Submit
memory/604-191-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download
memory/1624-162-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/1864-139-0x0000000001360000-0x0000000001854000-memory.dmp

Filesize
5.0MB

Download
memory/2084-263-0x0000000001390000-0x0000000001884000-memory.dmp

Filesize
5.0MB

Download
memory/2108-107-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/2308-248-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2344-278-0x0000000000120000-0x0000000000614000-memory.dmp

Filesize
5.0MB

Download
memory/2540-15-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/2540-5-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/2540-14-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2540-1-0x00000000012B0000-0x00000000017A4000-memory.dmp

Filesize
5.0MB

Download
memory/2540-11-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2540-13-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/2540-12-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/2540-10-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2540-9-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/2540-140-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-7-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/2540-8-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2540-6-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2540-16-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2540-4-0x0000000000180000-0x000000000019C000-memory.dmp

Filesize
112KB

Download
memory/2540-3-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-2-0x000000001B4B0000-0x000000001B5DE000-memory.dmp

Filesize
1.2MB

Download
memory/2540-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

Filesize
4KB

Download
memory/2896-106-0x000000001B0C0000-0x000000001B3A2000-memory.dmp

Filesize
2.9MB

Download