dcrat | 07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9

Analysis

max time kernel
146s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
Size

4.9MB
MD5

ab6d303ac15ff3436948bc28e5b25170
SHA1

91573b8083258e57d17d8e42be88568d3c7b5596
SHA256

07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9
SHA512

bf2bb5d63cee62e6c16812b655030bb5054a87f4496667114d69f0758ced3f992989cf263522e425d210a7f7dfc8052499dda334d7fd70b993739ff0cd17d33a
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2760	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2444-3-0x000000001B190000-0x000000001B2BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2480	powershell.exe
3056	powershell.exe
2996	powershell.exe
2944	powershell.exe
2264	powershell.exe
2116	powershell.exe
2200	powershell.exe
2684	powershell.exe
408	powershell.exe
2336	powershell.exe
2220	powershell.exe
2656	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1484	csrss.exe
2360	csrss.exe
3052	csrss.exe
1932	csrss.exe
2656	csrss.exe
1356	csrss.exe
2500	csrss.exe
1380	csrss.exe
1068	csrss.exe
2128	csrss.exe
1140	csrss.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\WmiPrvSE.exe	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\f3b6ecef712a24	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\RCXDB0A.tmp	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\smss.exe	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File created	C:\Program Files\Uninstall Information\24dbde2999530e	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\56085415360792	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\smss.exe	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File opened for modification	C:\Program Files\Uninstall Information\WmiPrvSE.exe	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\RCXD628.tmp	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\69ddcba757bf72	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCXD899.tmp	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXD220.tmp	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\RCXD01C.tmp	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File created	C:\Windows\addins\csrss.exe	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File opened for modification	C:\Windows\addins\csrss.exe	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
File created	C:\Windows\addins\886983d96e3d3e	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2868	schtasks.exe
2672	schtasks.exe
1356	schtasks.exe
1524	schtasks.exe
2848	schtasks.exe
460	schtasks.exe
2780	schtasks.exe
2612	schtasks.exe
1484	schtasks.exe
2356	schtasks.exe
2772	schtasks.exe
2752	schtasks.exe
2664	schtasks.exe
3068	schtasks.exe
352	schtasks.exe
1768	schtasks.exe
1912	schtasks.exe
2640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
3056	powershell.exe
2684	powershell.exe
2480	powershell.exe
2264	powershell.exe
2200	powershell.exe
408	powershell.exe
2116	powershell.exe
2996	powershell.exe
2336	powershell.exe
2220	powershell.exe
2944	powershell.exe
2656	powershell.exe
1484	csrss.exe
2360	csrss.exe
3052	csrss.exe
1932	csrss.exe
2656	csrss.exe
1356	csrss.exe
2500	csrss.exe
1380	csrss.exe
1068	csrss.exe
2128	csrss.exe
1140	csrss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1484	csrss.exe
Token: SeDebugPrivilege	2360	csrss.exe
Token: SeDebugPrivilege	3052	csrss.exe
Token: SeDebugPrivilege	1932	csrss.exe
Token: SeDebugPrivilege	2656	csrss.exe
Token: SeDebugPrivilege	1356	csrss.exe
Token: SeDebugPrivilege	2500	csrss.exe
Token: SeDebugPrivilege	1380	csrss.exe
Token: SeDebugPrivilege	1068	csrss.exe
Token: SeDebugPrivilege	2128	csrss.exe
Token: SeDebugPrivilege	1140	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2684	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	50
PID 2444 wrote to memory of 2684	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	50
PID 2444 wrote to memory of 2684	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	50
PID 2444 wrote to memory of 3056	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	51
PID 2444 wrote to memory of 3056	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	51
PID 2444 wrote to memory of 3056	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	51
PID 2444 wrote to memory of 2200	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	52
PID 2444 wrote to memory of 2200	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	52
PID 2444 wrote to memory of 2200	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	52
PID 2444 wrote to memory of 2480	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	54
PID 2444 wrote to memory of 2480	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	54
PID 2444 wrote to memory of 2480	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	54
PID 2444 wrote to memory of 2656	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	55
PID 2444 wrote to memory of 2656	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	55
PID 2444 wrote to memory of 2656	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	55
PID 2444 wrote to memory of 2116	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	58
PID 2444 wrote to memory of 2116	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	58
PID 2444 wrote to memory of 2116	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	58
PID 2444 wrote to memory of 2220	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	59
PID 2444 wrote to memory of 2220	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	59
PID 2444 wrote to memory of 2220	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	59
PID 2444 wrote to memory of 2264	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	61
PID 2444 wrote to memory of 2264	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	61
PID 2444 wrote to memory of 2264	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	61
PID 2444 wrote to memory of 2944	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	62
PID 2444 wrote to memory of 2944	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	62
PID 2444 wrote to memory of 2944	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	62
PID 2444 wrote to memory of 2996	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	64
PID 2444 wrote to memory of 2996	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	64
PID 2444 wrote to memory of 2996	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	64
PID 2444 wrote to memory of 2336	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	65
PID 2444 wrote to memory of 2336	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	65
PID 2444 wrote to memory of 2336	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	65
PID 2444 wrote to memory of 408	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	66
PID 2444 wrote to memory of 408	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	66
PID 2444 wrote to memory of 408	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	66
PID 2444 wrote to memory of 1360	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	74
PID 2444 wrote to memory of 1360	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	74
PID 2444 wrote to memory of 1360	2444	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe	74
PID 1360 wrote to memory of 2884	1360	cmd.exe	76
PID 1360 wrote to memory of 2884	1360	cmd.exe	76
PID 1360 wrote to memory of 2884	1360	cmd.exe	76
PID 1360 wrote to memory of 1484	1360	cmd.exe	77
PID 1360 wrote to memory of 1484	1360	cmd.exe	77
PID 1360 wrote to memory of 1484	1360	cmd.exe	77
PID 1484 wrote to memory of 1984	1484	csrss.exe	78
PID 1484 wrote to memory of 1984	1484	csrss.exe	78
PID 1484 wrote to memory of 1984	1484	csrss.exe	78
PID 1484 wrote to memory of 2604	1484	csrss.exe	79
PID 1484 wrote to memory of 2604	1484	csrss.exe	79
PID 1484 wrote to memory of 2604	1484	csrss.exe	79
PID 1984 wrote to memory of 2360	1984	WScript.exe	80
PID 1984 wrote to memory of 2360	1984	WScript.exe	80
PID 1984 wrote to memory of 2360	1984	WScript.exe	80
PID 2360 wrote to memory of 2272	2360	csrss.exe	81
PID 2360 wrote to memory of 2272	2360	csrss.exe	81
PID 2360 wrote to memory of 2272	2360	csrss.exe	81
PID 2360 wrote to memory of 2156	2360	csrss.exe	82
PID 2360 wrote to memory of 2156	2360	csrss.exe	82
PID 2360 wrote to memory of 2156	2360	csrss.exe	82
PID 2272 wrote to memory of 3052	2272	WScript.exe	83
PID 2272 wrote to memory of 3052	2272	WScript.exe	83
PID 2272 wrote to memory of 3052	2272	WScript.exe	83
PID 3052 wrote to memory of 2792	3052	csrss.exe	84

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe
"C:\Users\Admin\AppData\Local\Temp\07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kC7PmA6IDk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2884
- - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
    "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1484
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48fb43ef-28db-4a61-8d5a-a30c5f80c87c.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2360
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a099742-c3d4-4dc6-aa7a-68e43a802a73.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90c00b08-6430-4099-aaf2-1c811858b4ad.vbs"
        8⤵
        
        PID:2792
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\700dd820-965d-444a-9c31-ac2b741d02d9.vbs"
        10⤵
        
        PID:1536
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a318e556-ff93-4e2b-8f9e-e9f4b1809be0.vbs"
        12⤵
        
        PID:2004
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31799d53-0612-41e7-8359-dfb76def958c.vbs"
        14⤵
        
        PID:1580
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66eb1316-bd86-46d3-bd0a-36237a5ae457.vbs"
        16⤵
        
        PID:2772
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96377d4a-69bd-4a2c-960f-848cae7052a9.vbs"
        18⤵
        
        PID:372
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d97493e-5588-4920-89c7-5fa7bf867690.vbs"
        20⤵
        
        PID:2656
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\deb2bc73-7a75-44f0-b7ef-98ed16e6695b.vbs"
        22⤵
        
        PID:2880
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f0b848a-417a-42a0-bff5-90874f20e933.vbs"
        24⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93159cd9-3ab4-4ed5-9d56-65f2ed47aeb1.vbs"
        24⤵
        
        PID:1224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e262798-7955-4689-a8b2-1e3090651ffd.vbs"
        22⤵
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51d97dc5-0127-4c7b-8a7e-89ba301a4a68.vbs"
        20⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5c7219d-8ae1-4036-9521-e027e6e5c98c.vbs"
        18⤵
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aad796fe-3ebe-4757-b19d-29f6cb0038c9.vbs"
        16⤵
        
        PID:548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cd80e71-0df4-4cef-9ce8-c73fd5670225.vbs"
        14⤵
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e65baa35-6103-405e-8ea0-a46e1100e696.vbs"
        12⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef07e4b6-623b-4719-be27-4873f9578b4b.vbs"
        10⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b176eda-01b6-45a4-a6ae-92c803116e5d.vbs"
        8⤵
        
        PID:2552
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60e35ce4-ed2c-4865-bae3-ce990e2be15b.vbs"
        6⤵
        
        PID:2156
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43b35bec-ee19-4524-99a4-e8e42e0687f2.vbs"
      4⤵
      PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\spoolsv.exe

Filesize
4.9MB

MD5
ab6d303ac15ff3436948bc28e5b25170

SHA1
91573b8083258e57d17d8e42be88568d3c7b5596

SHA256
07239df2545f3b65580d86b799fb241dfb127988754e206dc66e30645af7c3f9

SHA512
bf2bb5d63cee62e6c16812b655030bb5054a87f4496667114d69f0758ced3f992989cf263522e425d210a7f7dfc8052499dda334d7fd70b993739ff0cd17d33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d97493e-5588-4920-89c7-5fa7bf867690.vbs

Filesize
734B

MD5
5453a43cb6415e45d6dace0d0aec9245

SHA1
7e691b1488e41abdc6d3780348bb2daedab29581

SHA256
b6de0775052cd8c5fc68ad2f81a92b41c7148db8ec8429ce44d29793f81f2177

SHA512
bc6f8757ea51ba4369572658a7cf30f740f76b56a85ba09500eb4998de247063bef05bb6e5467d507a4960850a03d9ede255b68c0af6f3d7d38cfb105d97b056

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a099742-c3d4-4dc6-aa7a-68e43a802a73.vbs

Filesize
734B

MD5
bcfbf6bba75a7c822aff78551258f207

SHA1
3db7071348e2d95b9ca7fb9a2dadd07af8b539b5

SHA256
792c7525eb68524991f61480e23f4a60ff0b4eab71b598aa6909f9eab10a1645

SHA512
23e07c5043b020d7a4c0c5d8a9bf7f582ecf521f0bb6de45f86c6b28af7869d087926716766b0a1943fa4f0bd3d1fd653a657f05557ddeb292eeb918e07f133e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31799d53-0612-41e7-8359-dfb76def958c.vbs

Filesize
734B

MD5
5adef4ebe6e871488ec30165833c3d7c

SHA1
956260c0b09f606644535528c0846a074a7d6f34

SHA256
52d919dd8ca958f173f5a0037250b7c75bd4bccd2a857cf1431834e7332cfe6f

SHA512
6204d94907aebb559b91ea6d7fdaa58af479026f2c0cf12a50f0a135ecf0689d991527f418d6c1411ab4c04b9471880f267a6d447abbc9a3ffd04c67c505bc71

Download Submit
C:\Users\Admin\AppData\Local\Temp\43b35bec-ee19-4524-99a4-e8e42e0687f2.vbs

Filesize
510B

MD5
b5f1eae32390dd0f5924c02f256e01fe

SHA1
9cb7940f8e52d72db71af9af8ce5f56e23c0444b

SHA256
fe6c0e9a4004a51d7612f704a8202d1596f46737547eb8c811afb2b4a1547232

SHA512
782a1f4ab7d1197050689bad51a9a201a511e6cd34a5d4bd203cd420a7970d2d9b618964774000325ed102e49bc672b4a718bd593b65fd9fbcabe9c3d1be4319

Download Submit
C:\Users\Admin\AppData\Local\Temp\48fb43ef-28db-4a61-8d5a-a30c5f80c87c.vbs

Filesize
734B

MD5
d353c8d3d49690f5c190acb04acba57d

SHA1
447684affa34fbad03a5dc1d5808481ccb04ca44

SHA256
336fec7683310885ac6c623df3292a58654913cdf6e4d939b77512f711e0cbb8

SHA512
34806d8ca180b54a52a12f12b96051bf1b0f6c5a0bc9e2c2186c482072243dadfddbb465d881a7b4d92fa76e89864defbce41ecd3b1c8e744dc804eb768caa0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f0b848a-417a-42a0-bff5-90874f20e933.vbs

Filesize
734B

MD5
7cf5ab8ae60c43eb5aaa0581f57bedcf

SHA1
0586654c3e867d70367d783621245d6c749145f2

SHA256
d745e819a51981c400ec69a2bcc93cf9c892e183359f08d19cb9ceb5d2645af0

SHA512
0b687c07522f86833d1f95381c32ae82bd04ec381326c7a301a8a29e928816f2f43e93ec99f86c005a75406691c197fae427624aa6b8f87c5c6b0f484f9e502b

Download Submit
C:\Users\Admin\AppData\Local\Temp\66eb1316-bd86-46d3-bd0a-36237a5ae457.vbs

Filesize
734B

MD5
f4d5e557508da6208532d8df63ef917d

SHA1
b1d4a9cecc7cb577a36b5c3e2c10773c7a798b20

SHA256
212a1d8c4666c9641c30aa98c980f1dd75d2dae654d3d07a2911be3176b336da

SHA512
5575ed658ba7c830918fc73fab2f698bf3611936117b10facb70f05dcfcad1c84318315ac492e786e41ad9290b9ae2d80bd18ea3fbc8af17365c2f25ca0e02aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\700dd820-965d-444a-9c31-ac2b741d02d9.vbs

Filesize
734B

MD5
5a7950b188bfa53b89fe1e708b76bad1

SHA1
d4a33167cf8e42a57c0f545796ae583463ad6362

SHA256
3391205a21dd2d7e8a9c581fe428937608587760442e4f18f5b92b83bac058e4

SHA512
92e3f48a09374d1062e121971df976b5e96d2083efc5cf19fcc0d48bd83602367e8bed5efa6120652796d55c95289c86560a088a57c79a0519e075c5f6afb4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\90c00b08-6430-4099-aaf2-1c811858b4ad.vbs

Filesize
734B

MD5
21fc89d0bcaf5f5c5673ef1aca6679ad

SHA1
0d8ee836129e5edf19611fbd2b9ea3d0cc2da3a5

SHA256
d68f6be7b0591ce7ff2907ec65e861770c3d2f7a2b95a0c87049fcefe788f0af

SHA512
f3920fb4e39c3c80e0a0f9987b5c674786aaa07d3740017b6408871d9e8fedb057c15ca94601a03e181c699a1fe571e5d7d06a7d4e21bde4f6871fe5f37fa9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\96377d4a-69bd-4a2c-960f-848cae7052a9.vbs

Filesize
734B

MD5
a8ce12f6b62100ee26ab35297f54731d

SHA1
afea5d91202688da586018fe1f95971ab0cf578f

SHA256
6b81c4fea9d6ccdae6c5e1cc5225c500b9fe203192823266eb518d21e12286ce

SHA512
6cdafd92cd3a527888d730d6b3d91eb01499cf32992f9f629325cc6310f0a9b92828aae1f73079f9a53f370c5594d948b1763fef42b91b8118d5eca0539cf8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a318e556-ff93-4e2b-8f9e-e9f4b1809be0.vbs

Filesize
734B

MD5
edf6eaf3f3d22211e81a322d1058635c

SHA1
dffcfe6e7bdf7a4eac58e68b5adf2baf8b84e0d0

SHA256
dd8ec1242ec919d92969c4e8800a91a1a5fd9e387d82c7d5f2b0f638166cbe64

SHA512
b42fa0e71e1ac9b85c559f2af497f08bcdb9f9a0ebadf88117505a3bf5b7cf1411cd20295fdacb381668e72c53664c1b8f4bda5f6e426ac4f3167013cddede4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\deb2bc73-7a75-44f0-b7ef-98ed16e6695b.vbs

Filesize
734B

MD5
c6322b8cfb917624067e7b7bfaf7eb81

SHA1
987969804885c5243fc8ec451d1862b0fcc7676b

SHA256
95f8263c7b570c9ca7e9c3c6550e4bceae6c973c67067282619d8787779c03f2

SHA512
3017f90491e7104bf52238ed87dbad6b4d0a151c1ca95245722e46d9b563b317d2eb1e36300ef7c359922a9b84d0f0ae511bc457dbc003721e0f7f210f97cedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kC7PmA6IDk.bat

Filesize
223B

MD5
e6fc1a73034cdb8910997b319784b99d

SHA1
cb64db09cec4cf5384ee863b181680be410c0919

SHA256
5a8cd90f3fec3479b2e0057cdbbc3ffe33e5019f6ff94f8c54e37131cf74c4db

SHA512
aca03272bd2f9858f8d8f0c9595a4eef7eee95ebe24f004b17a464c5da09042f3886aeb769217d3dd3acc399998d2e9fea2ebf8a61bbdaca0067da12b5934787

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp657.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7793249efde4278906f86c951855863b

SHA1
aab0253c4ed811c745da48bb4409f1178c590dcf

SHA256
8e1bde823ef7e639741b6bb0f053e8e15a2e61595a681284a9ac4caba99ddbcd

SHA512
457ba6272136bf27aca6c58b22f08f029623c1674f855e2b1d8c1bd2dbf55b4c2326c79ca5f7463c4081e6a0617c5fe0ae407348318f8deb9abf0f85d95881f6

Download Submit
memory/1484-144-0x0000000000240000-0x0000000000734000-memory.dmp

Filesize
5.0MB

Download
memory/1932-188-0x00000000000F0000-0x00000000005E4000-memory.dmp

Filesize
5.0MB

Download
memory/2128-275-0x0000000001340000-0x0000000001834000-memory.dmp

Filesize
5.0MB

Download
memory/2360-158-0x0000000000E50000-0x0000000001344000-memory.dmp

Filesize
5.0MB

Download
memory/2444-10-0x000000001AA50000-0x000000001AA62000-memory.dmp

Filesize
72KB

Download
memory/2444-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2444-88-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2444-1-0x0000000000A60000-0x0000000000F54000-memory.dmp

Filesize
5.0MB

Download
memory/2444-16-0x000000001AAB0000-0x000000001AABC000-memory.dmp

Filesize
48KB

Download
memory/2444-15-0x000000001AAA0000-0x000000001AAA8000-memory.dmp

Filesize
32KB

Download
memory/2444-14-0x000000001AA90000-0x000000001AA98000-memory.dmp

Filesize
32KB

Download
memory/2444-13-0x000000001AA80000-0x000000001AA8E000-memory.dmp

Filesize
56KB

Download
memory/2444-12-0x000000001AA70000-0x000000001AA7E000-memory.dmp

Filesize
56KB

Download
memory/2444-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2444-11-0x000000001AA60000-0x000000001AA6A000-memory.dmp

Filesize
40KB

Download
memory/2444-3-0x000000001B190000-0x000000001B2BE000-memory.dmp

Filesize
1.2MB

Download
memory/2444-9-0x000000001AA40000-0x000000001AA4A000-memory.dmp

Filesize
40KB

Download
memory/2444-4-0x0000000002360000-0x000000000237C000-memory.dmp

Filesize
112KB

Download
memory/2444-8-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/2444-7-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2444-5-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2444-6-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2500-232-0x00000000010A0000-0x0000000001594000-memory.dmp

Filesize
5.0MB

Download
memory/2656-203-0x0000000000F50000-0x0000000001444000-memory.dmp

Filesize
5.0MB

Download
memory/3052-173-0x0000000000010000-0x0000000000504000-memory.dmp

Filesize
5.0MB

Download
memory/3056-87-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/3056-89-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download