dcrat | f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Size

4.9MB
MD5

d23ffc0a1e7c61633ee5553fe28c8af0
SHA1

a9e6e784905bfc569f1ea5fe2f8fb15f8adad833
SHA256

f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23
SHA512

47725fb3cb5dc467e2a215582565be359e1bba1b9a07278d16544fef4388c91ea958ae3139bea74e41041148dd45d528f89d94f4a5c57b9ee69169ac07324b0b
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2616	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2616	schtasks.exe	28

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1672-3-0x000000001BA40000-0x000000001BB6E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1328	powershell.exe
1560	powershell.exe
2924	powershell.exe
1632	powershell.exe
2396	powershell.exe
2448	powershell.exe
2004	powershell.exe
620	powershell.exe
2248	powershell.exe
1320	powershell.exe
1940	powershell.exe
1536	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
380	sppsvc.exe
812	sppsvc.exe
2592	sppsvc.exe
2544	sppsvc.exe
1984	sppsvc.exe
2360	sppsvc.exe
3048	sppsvc.exe
696	sppsvc.exe
2392	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\dwm.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\dwm.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\6ccacd8608530f	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCX6FFA.tmp	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\101b941d020240	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\6203df4a6bafc7	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCX69EF.tmp	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\6cb0b6c459d5d3	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCX647F.tmp	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX6693.tmp	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\security\database\dwm.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Windows\security\database\dwm.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Windows\security\database\6cb0b6c459d5d3	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Windows\security\database\RCX627B.tmp	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2484	schtasks.exe
2032	schtasks.exe
2872	schtasks.exe
2672	schtasks.exe
2516	schtasks.exe
380	schtasks.exe
1108	schtasks.exe
1808	schtasks.exe
2892	schtasks.exe
1720	schtasks.exe
2620	schtasks.exe
560	schtasks.exe
1644	schtasks.exe
2852	schtasks.exe
2760	schtasks.exe
2684	schtasks.exe
1748	schtasks.exe
808	schtasks.exe
2896	schtasks.exe
1152	schtasks.exe
1556	schtasks.exe
2744	schtasks.exe
3020	schtasks.exe
3040	schtasks.exe
1640	schtasks.exe
1396	schtasks.exe
2636	schtasks.exe
2792	schtasks.exe
1864	schtasks.exe
2600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
1632	powershell.exe
1328	powershell.exe
1560	powershell.exe
2396	powershell.exe
1536	powershell.exe
2448	powershell.exe
1320	powershell.exe
620	powershell.exe
2248	powershell.exe
2924	powershell.exe
1940	powershell.exe
2004	powershell.exe
380	sppsvc.exe
812	sppsvc.exe
2592	sppsvc.exe
2544	sppsvc.exe
1984	sppsvc.exe
2360	sppsvc.exe
696	sppsvc.exe
2392	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	380	sppsvc.exe
Token: SeDebugPrivilege	812	sppsvc.exe
Token: SeDebugPrivilege	2592	sppsvc.exe
Token: SeDebugPrivilege	2544	sppsvc.exe
Token: SeDebugPrivilege	1984	sppsvc.exe
Token: SeDebugPrivilege	2360	sppsvc.exe
Token: SeDebugPrivilege	696	sppsvc.exe
Token: SeDebugPrivilege	2392	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1328	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	59
PID 1672 wrote to memory of 1328	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	59
PID 1672 wrote to memory of 1328	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	59
PID 1672 wrote to memory of 1560	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	60
PID 1672 wrote to memory of 1560	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	60
PID 1672 wrote to memory of 1560	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	60
PID 1672 wrote to memory of 1632	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	62
PID 1672 wrote to memory of 1632	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	62
PID 1672 wrote to memory of 1632	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	62
PID 1672 wrote to memory of 2924	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	63
PID 1672 wrote to memory of 2924	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	63
PID 1672 wrote to memory of 2924	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	63
PID 1672 wrote to memory of 2004	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	65
PID 1672 wrote to memory of 2004	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	65
PID 1672 wrote to memory of 2004	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	65
PID 1672 wrote to memory of 1536	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	66
PID 1672 wrote to memory of 1536	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	66
PID 1672 wrote to memory of 1536	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	66
PID 1672 wrote to memory of 2248	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	67
PID 1672 wrote to memory of 2248	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	67
PID 1672 wrote to memory of 2248	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	67
PID 1672 wrote to memory of 620	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	69
PID 1672 wrote to memory of 620	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	69
PID 1672 wrote to memory of 620	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	69
PID 1672 wrote to memory of 1940	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	71
PID 1672 wrote to memory of 1940	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	71
PID 1672 wrote to memory of 1940	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	71
PID 1672 wrote to memory of 2448	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	72
PID 1672 wrote to memory of 2448	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	72
PID 1672 wrote to memory of 2448	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	72
PID 1672 wrote to memory of 1320	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	73
PID 1672 wrote to memory of 1320	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	73
PID 1672 wrote to memory of 1320	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	73
PID 1672 wrote to memory of 2396	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	74
PID 1672 wrote to memory of 2396	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	74
PID 1672 wrote to memory of 2396	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	74
PID 1672 wrote to memory of 380	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	83
PID 1672 wrote to memory of 380	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	83
PID 1672 wrote to memory of 380	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	83
PID 1672 wrote to memory of 380	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	83
PID 1672 wrote to memory of 380	1672	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	83
PID 380 wrote to memory of 2480	380	sppsvc.exe	84
PID 380 wrote to memory of 2480	380	sppsvc.exe	84
PID 380 wrote to memory of 2480	380	sppsvc.exe	84
PID 380 wrote to memory of 2292	380	sppsvc.exe	85
PID 380 wrote to memory of 2292	380	sppsvc.exe	85
PID 380 wrote to memory of 2292	380	sppsvc.exe	85
PID 2480 wrote to memory of 812	2480	WScript.exe	86
PID 2480 wrote to memory of 812	2480	WScript.exe	86
PID 2480 wrote to memory of 812	2480	WScript.exe	86
PID 2480 wrote to memory of 812	2480	WScript.exe	86
PID 2480 wrote to memory of 812	2480	WScript.exe	86
PID 812 wrote to memory of 2564	812	sppsvc.exe	87
PID 812 wrote to memory of 2564	812	sppsvc.exe	87
PID 812 wrote to memory of 2564	812	sppsvc.exe	87
PID 812 wrote to memory of 2972	812	sppsvc.exe	88
PID 812 wrote to memory of 2972	812	sppsvc.exe	88
PID 812 wrote to memory of 2972	812	sppsvc.exe	88
PID 2564 wrote to memory of 2592	2564	WScript.exe	91
PID 2564 wrote to memory of 2592	2564	WScript.exe	91
PID 2564 wrote to memory of 2592	2564	WScript.exe	91
PID 2564 wrote to memory of 2592	2564	WScript.exe	91
PID 2564 wrote to memory of 2592	2564	WScript.exe	91
PID 2592 wrote to memory of 2768	2592	sppsvc.exe	92

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
"C:\Users\Admin\AppData\Local\Temp\f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
  "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:380
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32105d3a-2f00-4913-b152-ce7c54283312.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
      C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:812
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b9400fd-adac-4996-b408-fa282d2c1cbc.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59632873-4ed5-4e92-ac7d-05518afae358.vbs"
        7⤵
        
        PID:2768
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db4d0e49-1650-42dc-8de1-6d1c9b378d71.vbs"
        9⤵
        
        PID:620
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\937698a1-c540-4e64-b663-a57a5daca2f5.vbs"
        11⤵
        
        PID:1760
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ec33b5a-dfc6-42cd-87f1-2da1c872d2e0.vbs"
        13⤵
        
        PID:780
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40b08658-9012-4687-ab0a-7253d27066e3.vbs"
        15⤵
        
        PID:2748
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f216421d-6314-4f30-8f0c-2b39a59d1277.vbs"
        17⤵
        
        PID:2920
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf9503c5-6ff6-40cd-9c10-01fcd6a2b8b9.vbs"
        19⤵
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\084892c5-ee92-49ab-bacb-1e5e14427e85.vbs"
        19⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bcb58bd-1bf6-43a2-ac79-1e04cc371049.vbs"
        17⤵
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87f13beb-e142-4139-97b2-6f52b22eaeea.vbs"
        15⤵
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b29d99ff-2aea-4795-abe7-92aaa9424661.vbs"
        13⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42b37318-4253-409a-ad69-829342d81774.vbs"
        11⤵
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20fe2236-f183-48df-aa3a-352b9e6571da.vbs"
        9⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df9388ce-0ba5-45e0-838e-91b4616701a5.vbs"
        7⤵
        
        PID:3044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9c40705-5f47-400d-a315-80afe7b9c347.vbs"
        5⤵
        
        PID:2972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\608c0d07-69ac-49c5-a5fb-22efe7254094.vbs"
    3⤵
    PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\security\database\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\security\database\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\security\database\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\it-IT\RCX6FFA.tmp

Filesize
4.9MB

MD5
2e1f0c271962fdf5ffc63abf5b4d22b8

SHA1
377fd5c238ca6c3420ab5e2a02db3ef9feb9a369

SHA256
299c0a1089debddbd56713a7a9f59b162d97b5a750a66539d881d1dc8aede783

SHA512
05a92246ab7333a645997374810a699c6757864c7c8c76f595288c48dd25ee72ebd2077f9dca09cb9950f7b138e8672008dc5f639c3d7950b5452e8e653c220d

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

Filesize
4.9MB

MD5
d23ffc0a1e7c61633ee5553fe28c8af0

SHA1
a9e6e784905bfc569f1ea5fe2f8fb15f8adad833

SHA256
f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23

SHA512
47725fb3cb5dc467e2a215582565be359e1bba1b9a07278d16544fef4388c91ea958ae3139bea74e41041148dd45d528f89d94f4a5c57b9ee69169ac07324b0b

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe

Filesize
4.9MB

MD5
f1b36ac5a174371fe175b2eb771ae6ad

SHA1
c935b0420bf2671491ca605d2e62b9feea3c11e8

SHA256
50ffae3bdc39aa6556d56ca030d59acbcc0f7a77a84fe31e8f469f6913b138d4

SHA512
d756d846fd52dfbd361c7ef72f94fa4001be46ff764d1795cfb45a69b7ea3a7614d5a2bc907989578fce168ac5259d83efad9b622ba224b88f957e8502910a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\32105d3a-2f00-4913-b152-ce7c54283312.vbs

Filesize
734B

MD5
1cf61def68023b291495ec41214f3cd5

SHA1
8a46b1222c734b7ab3b71ade57257388d53372fb

SHA256
ce093147d13ab1014e9a8994a7c3fba239b9cb772ada16a3f1f41fdbf075cef3

SHA512
f6bf89f8dbfd4f99d766f5d3f327b6f87c56960ccc43b36b30cc9d8b817f9cd0bc5f4cfb064557a3c8da2df3fdb5d4dc1e5ac106a364e83c66bfadb953b8ca94

Download Submit
C:\Users\Admin\AppData\Local\Temp\59632873-4ed5-4e92-ac7d-05518afae358.vbs

Filesize
735B

MD5
4ee490751d84b0723c6019b202a04184

SHA1
7f218f3b36322ae50756249d8c7f6d901a4f53b1

SHA256
2e47b27c00a8a09008be8ffba33d2903536314eee5e5c572930306136bd40d28

SHA512
447f63b09d8433ad46ae3447b09ec6be2316ab300eb3a6dd0ab4deae1b923f4557dcff16baea63006e41c33fac282211eeaec32bc3ab75252a2e8e89de22be69

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ec33b5a-dfc6-42cd-87f1-2da1c872d2e0.vbs

Filesize
735B

MD5
05551529f39b9c4c1c25a9b859f595a2

SHA1
7fea5909e9ba5e58317bc64d97abe3f907f30f15

SHA256
53cd412526a30098b22acbb4247e44591b4e04387e78e93470f40371303e9af7

SHA512
45175e6d07d24dbbe68a76477baa87818afc577a9936f88cf200ba4f0301f971b00016cdd87bfbad6e23aa2472c18d47a4c10fd68ab5a31bdd6943e1386dc1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\608c0d07-69ac-49c5-a5fb-22efe7254094.vbs

Filesize
511B

MD5
2676bbac12fe08db7f4484a366a41a9c

SHA1
4bb9851784dd75700b1107818c228817b22af7d4

SHA256
a8503bcc797a97b7f9346707738406c101279796e314bb243ce34480fc1dd8cc

SHA512
0015f483b16397d2a2626bd6b90b1c5f336dd2dab9c2ccda88bb433a5272df531fdffecf3ff8f939fc71869a24d63f96dc6a49f642e8267c03ef4980128935bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b9400fd-adac-4996-b408-fa282d2c1cbc.vbs

Filesize
734B

MD5
ae752270a0c08626eb276077aa48b9f7

SHA1
f99c52f2d071f32ee081e7e3fa70afe3cb615982

SHA256
461beaf9fa29bd67591d8c3e8083e61a22c0613ca90f59360efba8147457d9ce

SHA512
e2f1a36933e8445e3154b3e63221e8a08f1011caed61b016f8db5b87fdcb52c8c5952a23010228e8d1d7ef4ad6154fe1f96d4acb8852cead369aac4dad948487

Download Submit
C:\Users\Admin\AppData\Local\Temp\937698a1-c540-4e64-b663-a57a5daca2f5.vbs

Filesize
735B

MD5
cffa1c123d481902fa5ade195d295530

SHA1
816b06db6a45ea1b1b6da142fa0d2580c28d1830

SHA256
f92799bc5b06533baff66d36770ba9646d77a1ffb45fd2d72d4269a70336aff1

SHA512
6c484ccf21f641f64157c9e74016bdfe99de0044a5e9a9f3eb1090377f05ee049ed112d681a85810d10635f147ad82536a441763e3c3d75a682d3790222ec750

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf9503c5-6ff6-40cd-9c10-01fcd6a2b8b9.vbs

Filesize
735B

MD5
e98b70a82e844784189c2311c7347582

SHA1
a96ea30e9142e05b9a9ea2e85428322e0aa8ca2a

SHA256
6e0cbc02d55bf86664b3d16772f92440d8a7ca2d35af92ee4dec5bb47eb3968f

SHA512
140cd2b383c62625d3569001e3abc33c754f454e325588894a8c7af2c76bbed31483a20549ddf7cc11b5111c04b6aabfe6d3474256b902c16ae2fc4f26e8d24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db4d0e49-1650-42dc-8de1-6d1c9b378d71.vbs

Filesize
735B

MD5
d6461d6087cf1c1983d90ed48d3d1ac9

SHA1
a9bb263a84cf122ac5d0370388df746dedfb75ff

SHA256
1e6b4a5c305fd95889dea29740977e23344ab7d9117bb9228cfac9127bd54939

SHA512
4c17cff367160f95e49ea9dd6a86b594ba01a1af46f1029235071f1fbcb5cf71e8bdd8e6e0b5b5e55f1f4a95286965b6f5784b7ff07bb091594797430575e6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f216421d-6314-4f30-8f0c-2b39a59d1277.vbs

Filesize
734B

MD5
e752386e74c8bd2397dcdc89acbf4d93

SHA1
1ba4b0f06fed2a33b5a175c4fad7d32fd47c2b78

SHA256
ec9f244804124fcb711e5a30952331f956a3c2db129a64eb5e14d6fb77c6a688

SHA512
6068a156003ba144231984d1342cd3511f38f69da7b49599ebb6678b56f51da6d0b83de0437021b970fdd49551f40c00e33904e168584de0df4e37c49a1102f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AA3.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
046cadd2537cde87f3232360372d9d41

SHA1
21a9a5ccd6f2c86402493db26eb61276c6f9a442

SHA256
a3f6950d2583cf213094d6828d363ec0c5b18d27c4d8fb100224813bf85dda79

SHA512
0f7840cf33be3992bdd9c02260ccb6352a0639c076e5fdf7be671b551ef45e296dc6770d1fe6ee3c5d0eb9fdb91f18cb31b2ede32426eda0861a3cbc527899f5

Download Submit
memory/380-176-0x0000000000B90000-0x0000000001084000-memory.dmp

Filesize
5.0MB

Download
memory/696-265-0x00000000010A0000-0x0000000001594000-memory.dmp

Filesize
5.0MB

Download
memory/1632-126-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1632-127-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/1672-9-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/1672-3-0x000000001BA40000-0x000000001BB6E000-memory.dmp

Filesize
1.2MB

Download
memory/1672-12-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/1672-14-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/1672-10-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/1672-15-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/1672-177-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1672-11-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/1672-4-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/1672-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/1672-5-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/1672-1-0x0000000000F30000-0x0000000001424000-memory.dmp

Filesize
5.0MB

Download
memory/1672-7-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/1672-8-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/1672-6-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1672-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1672-13-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/1672-16-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/2360-248-0x00000000001D0000-0x00000000006C4000-memory.dmp

Filesize
5.0MB

Download
memory/2392-280-0x00000000010F0000-0x00000000015E4000-memory.dmp

Filesize
5.0MB

Download
memory/2592-205-0x0000000001000000-0x00000000014F4000-memory.dmp

Filesize
5.0MB

Download