dcrat | f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Size

1.8MB
MD5

8392193c5fb165f60a6c16e76cf22e7c
SHA1

142c9abfc95aeadab045c315ac8cc65539a8124e
SHA256

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216
SHA512

80328d829071ed38655eea9fcaade51244abb0f669438dd1d80b39445d663d9fda7d6bbc64a8467aa02af47d3d83d4e826488827a1125152735fce06c216d5fb
SSDEEP

49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:mgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2516	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2516	schtasks.exe	28

UAC bypass 3 TTPs 18 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exef27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exespoolsv.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1656-1-0x0000000001090000-0x000000000125E000-memory.dmp	dcrat
behavioral1/files/0x00050000000186ee-24.dat	dcrat
behavioral1/files/0x000d000000015d5c-104.dat	dcrat
behavioral1/files/0x0006000000019384-127.dat	dcrat
behavioral1/files/0x0006000000019346-208.dat	dcrat
behavioral1/memory/1184-210-0x0000000000380000-0x000000000054E000-memory.dmp	dcrat
behavioral1/memory/1728-221-0x0000000001050000-0x000000000121E000-memory.dmp	dcrat
behavioral1/memory/2168-233-0x0000000000030000-0x00000000001FE000-memory.dmp	dcrat
behavioral1/files/0x00070000000193a2-238.dat	dcrat
behavioral1/memory/904-246-0x0000000001270000-0x000000000143E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1528	powershell.exe
1640	powershell.exe
2792	powershell.exe
1496	powershell.exe
1804	powershell.exe
2332	powershell.exe
2392	powershell.exe
1892	powershell.exe
2284	powershell.exe
2200	powershell.exe
904	powershell.exe
896	powershell.exe
2316	powershell.exe
1436	powershell.exe

Executes dropped EXE 5 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	Process
1184	spoolsv.exe
1728	spoolsv.exe
2168	spoolsv.exe
904	spoolsv.exe
1564	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spoolsv.exespoolsv.exespoolsv.exef27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exespoolsv.exespoolsv.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in Program Files directory 24 IoCs

Processes:

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\audiodg.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\7-Zip\Lang\explorer.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\7-Zip\Lang\7a0fd90576e088	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files (x86)\Google\Temp\spoolsv.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\DVD Maker\b75386f1303e64	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCX93A9.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX961A.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files\Windows Portable Devices\audiodg.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\Windows Portable Devices\42af1c969fbb7b	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\Idle.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\6ccacd8608530f	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files (x86)\Google\Temp\f3b6ecef712a24	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files\DVD Maker\taskhost.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX9C92.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXAC23.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\0a1fd5f707cd16	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\RCX981E.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\Idle.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\spoolsv.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files\DVD Maker\RCXAE94.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files\DVD Maker\taskhost.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Program Files\7-Zip\Lang\explorer.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe

Drops file in Windows directory 8 IoCs

Processes:

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe

description	ioc	Process
File created	C:\Windows\Logs\explorer.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Windows\Logs\7a0fd90576e088	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\Offline Web Pages\RCX9E96.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\Offline Web Pages\spoolsv.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\Logs\RCXA4A2.tmp	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File opened for modification	C:\Windows\Logs\explorer.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Windows\Offline Web Pages\spoolsv.exe	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
File created	C:\Windows\Offline Web Pages\f3b6ecef712a24	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1676	schtasks.exe
2592	schtasks.exe
2408	schtasks.exe
2236	schtasks.exe
2336	schtasks.exe
2040	schtasks.exe
2556	schtasks.exe
2952	schtasks.exe
2664	schtasks.exe
2456	schtasks.exe
2356	schtasks.exe
2364	schtasks.exe
1624	schtasks.exe
2712	schtasks.exe
2956	schtasks.exe
2716	schtasks.exe
1808	schtasks.exe
2220	schtasks.exe
2004	schtasks.exe
2340	schtasks.exe
768	schtasks.exe
572	schtasks.exe
2800	schtasks.exe
2460	schtasks.exe
3056	schtasks.exe
2480	schtasks.exe
2440	schtasks.exe
2352	schtasks.exe
2020	schtasks.exe
2744	schtasks.exe
2780	schtasks.exe
480	schtasks.exe
2588	schtasks.exe
1040	schtasks.exe
636	schtasks.exe
308	schtasks.exe
2196	schtasks.exe
2768	schtasks.exe
1744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	Process
1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
1436	powershell.exe
1496	powershell.exe
2792	powershell.exe
904	powershell.exe
2392	powershell.exe
1804	powershell.exe
1528	powershell.exe
2316	powershell.exe
896	powershell.exe
2200	powershell.exe
2332	powershell.exe
1892	powershell.exe
2284	powershell.exe
1640	powershell.exe
1184	spoolsv.exe
1728	spoolsv.exe
2168	spoolsv.exe
904	spoolsv.exe
1564	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1184	spoolsv.exe
Token: SeDebugPrivilege	1728	spoolsv.exe
Token: SeDebugPrivilege	2168	spoolsv.exe
Token: SeDebugPrivilege	904	spoolsv.exe
Token: SeDebugPrivilege	1564	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.execmd.exespoolsv.exeWScript.exespoolsv.exe

description	pid	Process	procid_target
PID 1656 wrote to memory of 1436	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	68
PID 1656 wrote to memory of 1436	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	68
PID 1656 wrote to memory of 1436	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	68
PID 1656 wrote to memory of 904	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	69
PID 1656 wrote to memory of 904	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	69
PID 1656 wrote to memory of 904	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	69
PID 1656 wrote to memory of 896	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	70
PID 1656 wrote to memory of 896	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	70
PID 1656 wrote to memory of 896	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	70
PID 1656 wrote to memory of 2332	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	71
PID 1656 wrote to memory of 2332	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	71
PID 1656 wrote to memory of 2332	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	71
PID 1656 wrote to memory of 1804	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	72
PID 1656 wrote to memory of 1804	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	72
PID 1656 wrote to memory of 1804	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	72
PID 1656 wrote to memory of 2392	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	74
PID 1656 wrote to memory of 2392	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	74
PID 1656 wrote to memory of 2392	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	74
PID 1656 wrote to memory of 1528	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	75
PID 1656 wrote to memory of 1528	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	75
PID 1656 wrote to memory of 1528	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	75
PID 1656 wrote to memory of 1640	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	76
PID 1656 wrote to memory of 1640	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	76
PID 1656 wrote to memory of 1640	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	76
PID 1656 wrote to memory of 2792	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	77
PID 1656 wrote to memory of 2792	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	77
PID 1656 wrote to memory of 2792	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	77
PID 1656 wrote to memory of 1496	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	78
PID 1656 wrote to memory of 1496	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	78
PID 1656 wrote to memory of 1496	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	78
PID 1656 wrote to memory of 1892	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	79
PID 1656 wrote to memory of 1892	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	79
PID 1656 wrote to memory of 1892	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	79
PID 1656 wrote to memory of 2284	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	80
PID 1656 wrote to memory of 2284	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	80
PID 1656 wrote to memory of 2284	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	80
PID 1656 wrote to memory of 2200	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	81
PID 1656 wrote to memory of 2200	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	81
PID 1656 wrote to memory of 2200	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	81
PID 1656 wrote to memory of 2316	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	82
PID 1656 wrote to memory of 2316	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	82
PID 1656 wrote to memory of 2316	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	82
PID 1656 wrote to memory of 2452	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	96
PID 1656 wrote to memory of 2452	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	96
PID 1656 wrote to memory of 2452	1656	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe	96
PID 2452 wrote to memory of 1128	2452	cmd.exe	98
PID 2452 wrote to memory of 1128	2452	cmd.exe	98
PID 2452 wrote to memory of 1128	2452	cmd.exe	98
PID 2452 wrote to memory of 1184	2452	cmd.exe	99
PID 2452 wrote to memory of 1184	2452	cmd.exe	99
PID 2452 wrote to memory of 1184	2452	cmd.exe	99
PID 1184 wrote to memory of 2172	1184	spoolsv.exe	102
PID 1184 wrote to memory of 2172	1184	spoolsv.exe	102
PID 1184 wrote to memory of 2172	1184	spoolsv.exe	102
PID 1184 wrote to memory of 852	1184	spoolsv.exe	103
PID 1184 wrote to memory of 852	1184	spoolsv.exe	103
PID 1184 wrote to memory of 852	1184	spoolsv.exe	103
PID 2172 wrote to memory of 1728	2172	WScript.exe	104
PID 2172 wrote to memory of 1728	2172	WScript.exe	104
PID 2172 wrote to memory of 1728	2172	WScript.exe	104
PID 1728 wrote to memory of 2908	1728	spoolsv.exe	105
PID 1728 wrote to memory of 2908	1728	spoolsv.exe	105
PID 1728 wrote to memory of 2908	1728	spoolsv.exe	105
PID 1728 wrote to memory of 796	1728	spoolsv.exe	106

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exef27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exespoolsv.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe
"C:\Users\Admin\AppData\Local\Temp\f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I6qW9WFuUn.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1128
- - C:\Program Files (x86)\Google\Temp\spoolsv.exe
    "C:\Program Files (x86)\Google\Temp\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1184
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee5a3000-d9a2-4764-aabb-7e6333c53f2d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Program Files (x86)\Google\Temp\spoolsv.exe
        
        "C:\Program Files (x86)\Google\Temp\spoolsv.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1728
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fdff4f6-b1c8-45e3-aefd-84bb1d4b3a2c.vbs"
        6⤵
        
        PID:2908
        
        C:\Program Files (x86)\Google\Temp\spoolsv.exe
        
        "C:\Program Files (x86)\Google\Temp\spoolsv.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfffeb9d-aec3-4de5-aae4-0ff43c344b51.vbs"
        8⤵
        
        PID:2996
        
        C:\Program Files (x86)\Google\Temp\spoolsv.exe
        
        "C:\Program Files (x86)\Google\Temp\spoolsv.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e912a71f-5351-466b-b980-a3f096f3a7f9.vbs"
        10⤵
        
        PID:1744
        
        C:\Program Files (x86)\Google\Temp\spoolsv.exe
        
        "C:\Program Files (x86)\Google\Temp\spoolsv.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f47cb8c0-567b-4984-a65d-e3f34636355e.vbs"
        12⤵
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f39570c1-de00-469f-9f67-9dd02287abe1.vbs"
        12⤵
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76574600-74ba-492d-8a92-8c120b673875.vbs"
        10⤵
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ecf4f65-29a4-4f16-a960-cf9c3b0e110a.vbs"
        8⤵
        
        PID:1472
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc51c40d-6e4f-4e3e-a544-bcdd8d3a0baa.vbs"
        6⤵
        
        PID:796
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1d55809-5560-4a6b-b320-bbab91af0f66.vbs"
      4⤵
      PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\spoolsv.exe

Filesize
1.8MB

MD5
4b61d266c52f70b4b0f440dbffbad856

SHA1
2fab16e65a031ce43897432f684a9ba74216f6e5

SHA256
e52853ff68e70047af543535c96264ed7a5190a3056af816bf9afcb01f15bb23

SHA512
5e3d71266f2d04d661b57168800a1b2ed9f9e312af148484409c883fd7037f0c53e29e8aa5dc22a3378b5293c7c8a0569ec3507553cc7b4bf8bd79545c38030b

Download Submit
C:\Program Files\7-Zip\Lang\explorer.exe

Filesize
1.8MB

MD5
8392193c5fb165f60a6c16e76cf22e7c

SHA1
142c9abfc95aeadab045c315ac8cc65539a8124e

SHA256
f27b3b5adfa411aedf6daabe9e962d8a83fa3185ac9544de6191b3c64a9bd216

SHA512
80328d829071ed38655eea9fcaade51244abb0f669438dd1d80b39445d663d9fda7d6bbc64a8467aa02af47d3d83d4e826488827a1125152735fce06c216d5fb

Download Submit
C:\Program Files\DVD Maker\RCXAE94.tmp

Filesize
1.8MB

MD5
4d71e5d074691a14c3d941a9e733849f

SHA1
ed2b4a3b2a3318d548e60f6014bb5aab8ca6365b

SHA256
25a99b8090e2e364e6ee5dcbf1a873ae7e11ee521c36c67903796c86feb20121

SHA512
44177c8609a2c38b078b244194fbdebfb54578cd51aa34ce0ec26806e127acc3fad59ae9c9c832538dc94c02cc5f85bdf4deade145d42f53940338616e1a3510

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fdff4f6-b1c8-45e3-aefd-84bb1d4b3a2c.vbs

Filesize
722B

MD5
a0d6d149cd234ec416429925679c1d93

SHA1
43e3ed473b808bace800bf8624a756f4dea61645

SHA256
00f968243f659670ceacfbffb6ee537926a17489084ed7f30cc3faa8dfda9405

SHA512
de3f03d20c925c565faa3fe4380bcd09c47e84b8055e78c8ea8ed4840e1fcd6bbc6cbb06e74637d7a39dff6d907224266280e2b8ed144a4839d8f00be1a5710b

Download Submit
C:\Users\Admin\AppData\Local\Temp\I6qW9WFuUn.bat

Filesize
211B

MD5
7a3be6d350768eebfd6cd9e7373a9fb1

SHA1
6c3ab647a000c59e7477ce9404271695f0ff82ef

SHA256
0cd72539b0cc4d6249dbe47ff685b64b62db6e8b7578a8e5c67ff5a60e51c2e9

SHA512
3acf09de024bf457f3529d054edb88734a9681f2375a08601101284c6fed9d371a7d46f29da21e789324430a68351cf3df30725098ef264c0688e8cddb1e03eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1d55809-5560-4a6b-b320-bbab91af0f66.vbs

Filesize
498B

MD5
82e97ef96e3a8e179223856ae2faa43d

SHA1
b23481561684af96e06f1e517b5f5667b322776d

SHA256
8596180ede78a5e6ea9e7e49948910f1ec9553f68f66e2cab93a0315c68d06ea

SHA512
443cc2db1dead0e815f7451972b96099dbc7a7bf491bf2f74594311075d0dd9d4398cfc77249ca2f58fe7c2321436aaebaa17523c1287109a0348f24aff6bad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9eccb4b5bc4ac518b15ed7f68dd7a41eefe901e.exe

Filesize
1.8MB

MD5
2b44e5fb9d68d2cbf25a07821619aff2

SHA1
9656299c01d453040c55fee9bda1cc453bd2209c

SHA256
77cac94aae4dba823297ea53f3b379b0c558e98da2437199652d29c6b2ed4121

SHA512
431ca4540eeebd2aafd721f76c3ed322cc8c8c296939a38afaee1169e1c0a9b64cc7c9d60688589181e231d71597486d003577b8bc403f16a4e4821773302561

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfffeb9d-aec3-4de5-aae4-0ff43c344b51.vbs

Filesize
722B

MD5
8b5f5278cfef1e47cf414a940cad5a2a

SHA1
8b2aedd795352e5e27e61064674af662f8a3d991

SHA256
d1af8351f177d265f4d5c73bc8bf63c7672a432193832524f324ee087aec8829

SHA512
a2ebaa5d092ca369927c51360e7b0ea2991c22e7b3839ead9a124df5217ab997b7b014f189df75af8a8e6c258f3df028338c1b22e6d97702fa263801609fca46

Download Submit
C:\Users\Admin\AppData\Local\Temp\e912a71f-5351-466b-b980-a3f096f3a7f9.vbs

Filesize
721B

MD5
76bac267e4575f83b734b1f8fe0239bb

SHA1
3ffd114d1fe18653eb761296e7c3b66cd5325521

SHA256
5067882e2ec0b271564681dd80a06a32013bd104f0aa975c07e6d45c6f0e6034

SHA512
af774793d733f4bf561f1dbad471d10069b9a67244658979b406a577e86055bc8ace2d68bb268878b1e5fbdfa2ae58e7aec8fc85771aad8b73caf46c1990cda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee5a3000-d9a2-4764-aabb-7e6333c53f2d.vbs

Filesize
722B

MD5
130038722a0cc60b8fe09f060eb709e5

SHA1
22a0114951f32af077a80d3b654888c94707a23d

SHA256
ebccb7663c55faac36fd68bb2a8c4260f80c62a2e9f2eb1bd75e7ab8df635379

SHA512
9716b44d9254863ef90f5b24ce5b2b53f8957221da625770f8a5231a00cb3ecc164e7a83be01aaf61a0b68cef51a7401e6222e0bc86438c184108d934e3b3a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f47cb8c0-567b-4984-a65d-e3f34636355e.vbs

Filesize
722B

MD5
a9acfcb92beaf8c90ffed8fe28ddb239

SHA1
5cb773e99650b5633e31e6e4e91e01f9e9b9cb07

SHA256
926f5d8798d82eb700d787bef0b960a7aeeca8b38bfe5ca5cd1dfe133824208d

SHA512
c683e84650a3d385fc71dd8c9c33329b1928256f021a0e4abb43599ec5d649c8ea585077bb06fe07e7f1ef7b0daf4fd4f36f1132878fbd743ee3be143e2ee938

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9fd827ba776fb441e3dfadc28e84be28

SHA1
8fd9a2b1213daa6d94887e3369b3181f7f31552e

SHA256
76500e0bd439951382ab8c13eb927a194dfcc2f5d0fd5c3eb33d52bf64a51a55

SHA512
7230a1b94f8bed2fe866dce84263df46afc11cf6e0570a1380d2990653c5e96f307696ffb863307f765c91b46c147dfe87bce9a55050f156cf429796edf470eb

Download Submit
C:\Windows\Logs\explorer.exe

Filesize
1.8MB

MD5
5dac3bc1d4264c4dd0c3220f5c1254dd

SHA1
c104c43f7a54b74ab521610b6f023854ec6d6557

SHA256
b82631cbdb476c4f7e862f6a9e1fcdd0119f537bec63483fcc2c1c78f597cbe3

SHA512
7e1313c29cb2d9e1220717aaaf66ada2f0362a66d784063d832413911cd21d8ce4423e6f1d96b54821c3af95fa6f56b98d29578e3be2755be2e0c7814f238089

Download Submit
memory/904-246-0x0000000001270000-0x000000000143E000-memory.dmp

Filesize
1.8MB

Download
memory/1184-210-0x0000000000380000-0x000000000054E000-memory.dmp

Filesize
1.8MB

Download
memory/1436-165-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/1436-145-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1656-7-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/1656-5-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1656-133-0x000007FEF5CC3000-0x000007FEF5CC4000-memory.dmp

Filesize
4KB

Download
memory/1656-9-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/1656-15-0x00000000008D0000-0x00000000008DC000-memory.dmp

Filesize
48KB

Download
memory/1656-14-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/1656-206-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/1656-10-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/1656-6-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/1656-13-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/1656-0-0x000007FEF5CC3000-0x000007FEF5CC4000-memory.dmp

Filesize
4KB

Download
memory/1656-8-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/1656-11-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/1656-4-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/1656-1-0x0000000001090000-0x000000000125E000-memory.dmp

Filesize
1.8MB

Download
memory/1656-12-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/1656-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/1656-2-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/1728-221-0x0000000001050000-0x000000000121E000-memory.dmp

Filesize
1.8MB

Download
memory/2168-234-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/2168-233-0x0000000000030000-0x00000000001FE000-memory.dmp

Filesize
1.8MB

Download