dcrat | f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcaf

Analysis

max time kernel
119s
max time network
114s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
Size

4.9MB
MD5

362ac52b63b9f6608733e6da0f41b8a0
SHA1

4351bcc1035d37bc58f641fb58b08f80949f9129
SHA256

f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcaf
SHA512

8f60c2beb708deef5de53c33ee8224456ac9d9a7e3ad1eeacd786b79f2511342626910d5653b6870ea2a8c5448f6ca46ca6cfa09adb0ed1407812e7522771203
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2964	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1740-2-0x000000001B570000-0x000000001B69E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1820	powershell.exe
1544	powershell.exe
2892	powershell.exe
544	powershell.exe
2388	powershell.exe
2616	powershell.exe
2172	powershell.exe
2608	powershell.exe
2376	powershell.exe
1748	powershell.exe
1808	powershell.exe
2752	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2868	smss.exe
2880	smss.exe
2156	smss.exe
1544	smss.exe
2280	smss.exe
2356	smss.exe
1820	smss.exe
2996	smss.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXB6F5.tmp	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\lsass.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\6203df4a6bafc7	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RCXBDFA.tmp	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\lsass.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\smss.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\RCXB947.tmp	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\b75386f1303e64	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\RCXC53E.tmp	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhost.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\cc11b995f2a76d	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXB494.tmp	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhost.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXC01D.tmp	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\7a0fd90576e088	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files\Windows Journal\ja-JP\smss.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files\Windows Journal\ja-JP\69ddcba757bf72	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\e15c75ee0b3582	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCXB02F.tmp	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2832	schtasks.exe
2564	schtasks.exe
2996	schtasks.exe
2940	schtasks.exe
2304	schtasks.exe
3040	schtasks.exe
1248	schtasks.exe
1548	schtasks.exe
2476	schtasks.exe
2456	schtasks.exe
1644	schtasks.exe
2876	schtasks.exe
1872	schtasks.exe
452	schtasks.exe
1784	schtasks.exe
944	schtasks.exe
2860	schtasks.exe
1396	schtasks.exe
2268	schtasks.exe
2052	schtasks.exe
1532	schtasks.exe
2028	schtasks.exe
1168	schtasks.exe
2800	schtasks.exe
264	schtasks.exe
668	schtasks.exe
2676	schtasks.exe
2872	schtasks.exe
2484	schtasks.exe
1836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
2172	powershell.exe
2376	powershell.exe
2616	powershell.exe
2892	powershell.exe
1808	powershell.exe
1544	powershell.exe
1820	powershell.exe
1748	powershell.exe
544	powershell.exe
2388	powershell.exe
2752	powershell.exe
2608	powershell.exe
2868	smss.exe
2880	smss.exe
2156	smss.exe
1544	smss.exe
2280	smss.exe
2356	smss.exe
1820	smss.exe
2996	smss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2868	smss.exe
Token: SeDebugPrivilege	2880	smss.exe
Token: SeDebugPrivilege	2156	smss.exe
Token: SeDebugPrivilege	1544	smss.exe
Token: SeDebugPrivilege	2280	smss.exe
Token: SeDebugPrivilege	2356	smss.exe
Token: SeDebugPrivilege	1820	smss.exe
Token: SeDebugPrivilege	2996	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2892	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	61
PID 1740 wrote to memory of 2892	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	61
PID 1740 wrote to memory of 2892	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	61
PID 1740 wrote to memory of 2376	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	62
PID 1740 wrote to memory of 2376	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	62
PID 1740 wrote to memory of 2376	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	62
PID 1740 wrote to memory of 1748	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	63
PID 1740 wrote to memory of 1748	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	63
PID 1740 wrote to memory of 1748	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	63
PID 1740 wrote to memory of 544	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	66
PID 1740 wrote to memory of 544	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	66
PID 1740 wrote to memory of 544	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	66
PID 1740 wrote to memory of 2608	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	67
PID 1740 wrote to memory of 2608	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	67
PID 1740 wrote to memory of 2608	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	67
PID 1740 wrote to memory of 2172	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	68
PID 1740 wrote to memory of 2172	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	68
PID 1740 wrote to memory of 2172	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	68
PID 1740 wrote to memory of 2616	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	69
PID 1740 wrote to memory of 2616	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	69
PID 1740 wrote to memory of 2616	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	69
PID 1740 wrote to memory of 1544	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	70
PID 1740 wrote to memory of 1544	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	70
PID 1740 wrote to memory of 1544	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	70
PID 1740 wrote to memory of 2752	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	71
PID 1740 wrote to memory of 2752	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	71
PID 1740 wrote to memory of 2752	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	71
PID 1740 wrote to memory of 1820	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	72
PID 1740 wrote to memory of 1820	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	72
PID 1740 wrote to memory of 1820	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	72
PID 1740 wrote to memory of 1808	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	73
PID 1740 wrote to memory of 1808	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	73
PID 1740 wrote to memory of 1808	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	73
PID 1740 wrote to memory of 2388	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	74
PID 1740 wrote to memory of 2388	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	74
PID 1740 wrote to memory of 2388	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	74
PID 1740 wrote to memory of 2040	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	85
PID 1740 wrote to memory of 2040	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	85
PID 1740 wrote to memory of 2040	1740	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe	85
PID 2040 wrote to memory of 1460	2040	cmd.exe	87
PID 2040 wrote to memory of 1460	2040	cmd.exe	87
PID 2040 wrote to memory of 1460	2040	cmd.exe	87
PID 2040 wrote to memory of 2868	2040	cmd.exe	88
PID 2040 wrote to memory of 2868	2040	cmd.exe	88
PID 2040 wrote to memory of 2868	2040	cmd.exe	88
PID 2868 wrote to memory of 2264	2868	smss.exe	89
PID 2868 wrote to memory of 2264	2868	smss.exe	89
PID 2868 wrote to memory of 2264	2868	smss.exe	89
PID 2868 wrote to memory of 1656	2868	smss.exe	90
PID 2868 wrote to memory of 1656	2868	smss.exe	90
PID 2868 wrote to memory of 1656	2868	smss.exe	90
PID 2264 wrote to memory of 2880	2264	WScript.exe	91
PID 2264 wrote to memory of 2880	2264	WScript.exe	91
PID 2264 wrote to memory of 2880	2264	WScript.exe	91
PID 2880 wrote to memory of 2008	2880	smss.exe	92
PID 2880 wrote to memory of 2008	2880	smss.exe	92
PID 2880 wrote to memory of 2008	2880	smss.exe	92
PID 2880 wrote to memory of 2484	2880	smss.exe	93
PID 2880 wrote to memory of 2484	2880	smss.exe	93
PID 2880 wrote to memory of 2484	2880	smss.exe	93
PID 2008 wrote to memory of 2156	2008	WScript.exe	94
PID 2008 wrote to memory of 2156	2008	WScript.exe	94
PID 2008 wrote to memory of 2156	2008	WScript.exe	94
PID 2156 wrote to memory of 2120	2156	smss.exe	95

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe
"C:\Users\Admin\AppData\Local\Temp\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0EpYUV7rVf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1460
- - C:\Program Files\Windows Journal\ja-JP\smss.exe
    "C:\Program Files\Windows Journal\ja-JP\smss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2868
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65d9c934-ccb1-46d4-ad81-cc05d426e2fb.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Program Files\Windows Journal\ja-JP\smss.exe
        
        "C:\Program Files\Windows Journal\ja-JP\smss.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2880
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab0385af-7c65-4dd9-9fc7-3ce605066610.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Program Files\Windows Journal\ja-JP\smss.exe
        
        "C:\Program Files\Windows Journal\ja-JP\smss.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37ce2d55-a30d-469a-b78d-d3f50b81ccab.vbs"
        8⤵
        
        PID:2120
        
        C:\Program Files\Windows Journal\ja-JP\smss.exe
        
        "C:\Program Files\Windows Journal\ja-JP\smss.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0801a69-6fb7-4a78-b405-de19841e11a0.vbs"
        10⤵
        
        PID:1928
        
        C:\Program Files\Windows Journal\ja-JP\smss.exe
        
        "C:\Program Files\Windows Journal\ja-JP\smss.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e88acb5f-586f-432c-9bb6-a9335c637174.vbs"
        12⤵
        
        PID:1152
        
        C:\Program Files\Windows Journal\ja-JP\smss.exe
        
        "C:\Program Files\Windows Journal\ja-JP\smss.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\607d0094-c8cf-45b0-a489-eb60253042bd.vbs"
        14⤵
        
        PID:1224
        
        C:\Program Files\Windows Journal\ja-JP\smss.exe
        
        "C:\Program Files\Windows Journal\ja-JP\smss.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb67a883-7167-4851-8475-59ffe31fb9ca.vbs"
        16⤵
        
        PID:2676
        
        C:\Program Files\Windows Journal\ja-JP\smss.exe
        
        "C:\Program Files\Windows Journal\ja-JP\smss.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d00a8001-25b8-4121-bf98-8ef2d7936fa1.vbs"
        18⤵
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5269eb75-89ae-4f06-8216-f2ef54d4355d.vbs"
        18⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bb3d616-48aa-44cb-92b7-bd0a22c819a2.vbs"
        16⤵
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd9e8af2-4281-4529-8c47-352fa3587877.vbs"
        14⤵
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4dd443ab-e86b-4fa4-aec4-72e66919eb98.vbs"
        12⤵
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffcb7729-47d1-461b-b79e-fb0db12ec5e6.vbs"
        10⤵
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f65ebb41-f330-4227-a4db-dd87b85b1d37.vbs"
        8⤵
        
        PID:2436
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbcca2ed-7ea8-467a-9075-05d3d0b2c47b.vbs"
        6⤵
        
        PID:2484
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0b27f55-043d-44d8-bb49-edac62daf534.vbs"
      4⤵
      PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafNf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafNf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcafN.exe

Filesize
4.9MB

MD5
362ac52b63b9f6608733e6da0f41b8a0

SHA1
4351bcc1035d37bc58f641fb58b08f80949f9129

SHA256
f61d38016d33a0e5e85b32545e15f8deb3c3a9313492ee05ac4cfb4a9c29bcaf

SHA512
8f60c2beb708deef5de53c33ee8224456ac9d9a7e3ad1eeacd786b79f2511342626910d5653b6870ea2a8c5448f6ca46ca6cfa09adb0ed1407812e7522771203

Download Submit
C:\Users\Admin\AppData\Local\Temp\0EpYUV7rVf.bat

Filesize
212B

MD5
bc04c7cfbce18199287c4cd8b51f4b66

SHA1
ce4c57f57ecee1666869e3b05ab379e931aad2cf

SHA256
f42697c6f2c8272a1d680d92bdbacc3afda90b1f8bb0aac7b9d1affd45967a08

SHA512
d47f7653cff12fc9c514b0a5c69daaa7445fd9d08b9f0255b64ce2505e16911a8f2cd0f5c0d9f81b53a8a6c5df077cbec103376830f658eccaf32e13871aa9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\37ce2d55-a30d-469a-b78d-d3f50b81ccab.vbs

Filesize
723B

MD5
d59fdc774bf3e2b7eaabf59f2e68246e

SHA1
5a4bdbcc000bdef7416383807885ffb9a573dd53

SHA256
1fd9f3495e3264cc7dcf9a95844af7c6e6a5869559fba55dacd948077e151a29

SHA512
1364fb335eae47a65b516e60b5c9f8b44d25f819ca0510ca893a3f7fe9f435ccd820f1096a9c5d51354003e0b161322309602b283aac84234ae7e57e74574806

Download Submit
C:\Users\Admin\AppData\Local\Temp\607d0094-c8cf-45b0-a489-eb60253042bd.vbs

Filesize
723B

MD5
bc4cb2a473cb30cd0d773e83b660f572

SHA1
0e9bfc2626390553fd29d38952257cdb74070d69

SHA256
fa1b1768cfea64ed3b25d11d415324ccd3d123227a5d6e2b4788470b723340bf

SHA512
7d648d2f9ef38be926310c2d3b34b502de0b520cb30f8e5e8ba89e678c12936f12525ea31a06636a069ff8b3f0680a96905aa5970bab4011a4503f0f7bcd751d

Download Submit
C:\Users\Admin\AppData\Local\Temp\65d9c934-ccb1-46d4-ad81-cc05d426e2fb.vbs

Filesize
723B

MD5
06a3ce8802cd79ab448caccbb11638be

SHA1
d65c73f3f8bc9470528e42b9c269fdba118c656d

SHA256
e89b65502b9f6aa15677b221c5f5c8a1adc705422d81d8d4f1b849ab732744b0

SHA512
b65cc16fe2d06a013c348c37dd5cc887ac1225373b416ba6217e845f2e0f528dc9a97c3a62febc594aea1aa9d29a3dfc59cff01906895f5f0cc614413670106b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab0385af-7c65-4dd9-9fc7-3ce605066610.vbs

Filesize
723B

MD5
e07b73e7c99e883524220f9771e1cc14

SHA1
02a74f92d5fbdd6ad5492ff12c3f532d0432b6bf

SHA256
b220b2c8382943905945b7855840b7e212055e1a861461635fbcec4d400f845e

SHA512
8a37ea23e7d2a8f1ff9c56e8a7f634960df1c041d4d291a7d6dccf0795184c1ddd7705fb3bb9c16d5432724b981dde609ad58bd78762c62d40eb6de365108b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\d00a8001-25b8-4121-bf98-8ef2d7936fa1.vbs

Filesize
723B

MD5
3938b8b6312fec2ad80766e03d4bfd4e

SHA1
baff044ee70a1724144f390c83b7dced2d067c30

SHA256
29308b0a1106a64c49fa116ec97619f342d1a233b45a1d1ec7e28da90c602d45

SHA512
9de18ae35d2b6c8b6a427f75ee395856aae01f18f0ae80c908104d70cc252271695a5cfc59e52eaab1d1a1f22f86dbb557dccd2051bff486e935232541963532

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0b27f55-043d-44d8-bb49-edac62daf534.vbs

Filesize
499B

MD5
d454376207c8cbcb93d98d094d7b845f

SHA1
2222da517cca3985a0bc84e65805825e37db737a

SHA256
e0738cd7faa6b7e918092d7fe891af52977c6a3412e03e2ff0a63561f6f3234d

SHA512
32280cfb1e76459407aba988d6ed213c45595c72683fc889c2b422ac1fa2950d2ace85caef57bc2688c6df0f6adf5668d46d902996253482ad3f12993181996b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0801a69-6fb7-4a78-b405-de19841e11a0.vbs

Filesize
723B

MD5
83d5a737a9119fa9ccb9b8959ad3dbeb

SHA1
37ca3d27fb03a5c95df22586d0fe2974ecbcb622

SHA256
143aafacf79e9ce2a774a031e7803ee1eed66bad78e97a5bce6d2461d752db8a

SHA512
0167ec2cf53b05510c4bffd6b1d46b5595cb1ae4726aee018fac01e313c521a1bc3808482bdcec098363ca891b3f289bff6bf3c79fd3c04c66420de16146a146

Download Submit
C:\Users\Admin\AppData\Local\Temp\e88acb5f-586f-432c-9bb6-a9335c637174.vbs

Filesize
723B

MD5
6753b6e09f2df6640ef6f3a46aa4a4d8

SHA1
2478c5797462fae002e47b9d015f1c053930686c

SHA256
883e39093d8dfd5379a31510756131ea9ef27d65012aa85692e50f3d268e0d50

SHA512
fe932dc981f5d07a5979b2eb02e53ab21887e9bb7b08f0205184bb4ed0420753b21fc6507800fc66eb160b45879433e55cf5ebeb5d749426526a45d6fe74ef8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb67a883-7167-4851-8475-59ffe31fb9ca.vbs

Filesize
723B

MD5
c05e3d4254eb612e6deb933ee3127a3e

SHA1
15e402eaa729ee56d4c63e7070bb138960c74df4

SHA256
660d096e77bc40c708d1adba73a51a1131408081e9a434184285a6c61bccace8

SHA512
53090d18ad56d8fca05cde5572ef616b980fb81faf1bb5a3168a28a6099bf666a60dec6c589192f97ff7a1d43cdb44fa96574f36101bb7103153dfe2e6c399d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6FC.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bbedad7ca0fa5a572e119667e15e8584

SHA1
925b231830aa6e67f0a131ffa811190176ad7f04

SHA256
0d2340ee9dbd88a977ea21db41d5f693b0e899d69f7212338d97f336077bc4b3

SHA512
daa4d57a726cdac8bc3c0819344f10a6d3c32cd5df24e548c90389c96ae211124675cf20daa0496d2dc3ff40ee7b485451ba9aab72ee487126a8837dd3815e4b

Download Submit
memory/1740-9-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/1740-10-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/1740-15-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/1740-16-0x0000000002410000-0x000000000241C000-memory.dmp

Filesize
48KB

Download
memory/1740-13-0x0000000002360000-0x000000000236E000-memory.dmp

Filesize
56KB

Download
memory/1740-96-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/1740-110-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-12-0x0000000002350000-0x000000000235E000-memory.dmp

Filesize
56KB

Download
memory/1740-11-0x0000000002340000-0x000000000234A000-memory.dmp

Filesize
40KB

Download
memory/1740-1-0x0000000000220000-0x0000000000714000-memory.dmp

Filesize
5.0MB

Download
memory/1740-144-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-2-0x000000001B570000-0x000000001B69E000-memory.dmp

Filesize
1.2MB

Download
memory/1740-3-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-14-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1740-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/1740-8-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/1740-7-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

Filesize
88KB

Download
memory/1740-4-0x0000000000990000-0x00000000009AC000-memory.dmp

Filesize
112KB

Download
memory/1740-5-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/1740-6-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

Filesize
64KB

Download
memory/2156-193-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2156-192-0x0000000000EC0000-0x00000000013B4000-memory.dmp

Filesize
5.0MB

Download
memory/2172-143-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2280-222-0x0000000001320000-0x0000000001814000-memory.dmp

Filesize
5.0MB

Download
memory/2616-142-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2868-164-0x0000000000C20000-0x0000000001114000-memory.dmp

Filesize
5.0MB

Download