dcrat | dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67

Analysis

max time kernel
116s
max time network
115s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
Size

4.9MB
MD5

86234c7703eab90dc3943eb64b051570
SHA1

946db3ac233db0c9bc6c716d7c4f0dd4358a1cc6
SHA256

dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67
SHA512

2ba72804559df751023030d60b4b23e046c7fafe227c68924d1c3a3ac772de4737f8c4849e091b6734a1d7586ba8c611e6bfc8bf4a15a24769bbb2d15616c625
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	264	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exedc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2568-2-0x000000001B280000-0x000000001B3AE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1012	powershell.exe
2412	powershell.exe
2188	powershell.exe
2540	powershell.exe
2316	powershell.exe
2004	powershell.exe
676	powershell.exe
2640	powershell.exe
532	powershell.exe
2044	powershell.exe
2312	powershell.exe
1992	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid	Process
2024	lsass.exe
660	lsass.exe
2260	lsass.exe
1880	lsass.exe
1716	lsass.exe
1788	lsass.exe
1976	lsass.exe
2316	lsass.exe
1120	lsass.exe
884	lsass.exe
3056	lsass.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsass.exelsass.exedc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Drops file in Program Files directory 16 IoCs

Processes:

dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\lsass.exe	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\sppsvc.exe	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File created	C:\Program Files (x86)\Windows Mail\csrss.exe	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\886983d96e3d3e	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\RCXC323.tmp	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\csrss.exe	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File created	C:\Program Files (x86)\Windows Mail\886983d96e3d3e	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File created	C:\Program Files\VideoLAN\lsass.exe	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File created	C:\Program Files\Mozilla Firefox\defaults\0a1fd5f707cd16	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXBEAE.tmp	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File created	C:\Program Files\VideoLAN\6203df4a6bafc7	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File created	C:\Program Files\Mozilla Firefox\defaults\sppsvc.exe	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File opened for modification	C:\Program Files\VideoLAN\RCXC0B2.tmp	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXC528.tmp	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe

Drops file in Windows directory 5 IoCs

Processes:

dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\en-US\sppsvc.exe	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File created	C:\Windows\PolicyDefinitions\en-US\0a1fd5f707cd16	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\RCXC99D.tmp	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\sppsvc.exe	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
File created	C:\Windows\diagnostics\index\csrss.exe	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2728	schtasks.exe
1648	schtasks.exe
2800	schtasks.exe
772	schtasks.exe
2672	schtasks.exe
2896	schtasks.exe
1552	schtasks.exe
2788	schtasks.exe
2712	schtasks.exe
2612	schtasks.exe
304	schtasks.exe
3008	schtasks.exe
2988	schtasks.exe
2804	schtasks.exe
2716	schtasks.exe
2212	schtasks.exe
2768	schtasks.exe
1352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid	Process
2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
1012	powershell.exe
2412	powershell.exe
2640	powershell.exe
2004	powershell.exe
2316	powershell.exe
532	powershell.exe
2044	powershell.exe
2188	powershell.exe
676	powershell.exe
2312	powershell.exe
1992	powershell.exe
2540	powershell.exe
2024	lsass.exe
660	lsass.exe
2260	lsass.exe
1880	lsass.exe
1716	lsass.exe
1788	lsass.exe
1976	lsass.exe
2316	lsass.exe
1120	lsass.exe
884	lsass.exe
3056	lsass.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2024	lsass.exe
Token: SeDebugPrivilege	660	lsass.exe
Token: SeDebugPrivilege	2260	lsass.exe
Token: SeDebugPrivilege	1880	lsass.exe
Token: SeDebugPrivilege	1716	lsass.exe
Token: SeDebugPrivilege	1788	lsass.exe
Token: SeDebugPrivilege	1976	lsass.exe
Token: SeDebugPrivilege	2316	lsass.exe
Token: SeDebugPrivilege	1120	lsass.exe
Token: SeDebugPrivilege	884	lsass.exe
Token: SeDebugPrivilege	3056	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exelsass.exeWScript.exelsass.exeWScript.exelsass.exeWScript.exe

description	pid	Process	procid_target
PID 2568 wrote to memory of 2188	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	50
PID 2568 wrote to memory of 2188	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	50
PID 2568 wrote to memory of 2188	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	50
PID 2568 wrote to memory of 2640	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	51
PID 2568 wrote to memory of 2640	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	51
PID 2568 wrote to memory of 2640	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	51
PID 2568 wrote to memory of 532	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	52
PID 2568 wrote to memory of 532	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	52
PID 2568 wrote to memory of 532	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	52
PID 2568 wrote to memory of 2044	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	53
PID 2568 wrote to memory of 2044	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	53
PID 2568 wrote to memory of 2044	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	53
PID 2568 wrote to memory of 2540	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	54
PID 2568 wrote to memory of 2540	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	54
PID 2568 wrote to memory of 2540	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	54
PID 2568 wrote to memory of 2312	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	55
PID 2568 wrote to memory of 2312	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	55
PID 2568 wrote to memory of 2312	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	55
PID 2568 wrote to memory of 2316	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	56
PID 2568 wrote to memory of 2316	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	56
PID 2568 wrote to memory of 2316	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	56
PID 2568 wrote to memory of 2004	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	57
PID 2568 wrote to memory of 2004	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	57
PID 2568 wrote to memory of 2004	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	57
PID 2568 wrote to memory of 1992	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	58
PID 2568 wrote to memory of 1992	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	58
PID 2568 wrote to memory of 1992	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	58
PID 2568 wrote to memory of 676	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	59
PID 2568 wrote to memory of 676	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	59
PID 2568 wrote to memory of 676	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	59
PID 2568 wrote to memory of 1012	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	60
PID 2568 wrote to memory of 1012	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	60
PID 2568 wrote to memory of 1012	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	60
PID 2568 wrote to memory of 2412	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	61
PID 2568 wrote to memory of 2412	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	61
PID 2568 wrote to memory of 2412	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	61
PID 2568 wrote to memory of 2024	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	74
PID 2568 wrote to memory of 2024	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	74
PID 2568 wrote to memory of 2024	2568	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe	74
PID 2024 wrote to memory of 344	2024	lsass.exe	75
PID 2024 wrote to memory of 344	2024	lsass.exe	75
PID 2024 wrote to memory of 344	2024	lsass.exe	75
PID 2024 wrote to memory of 1344	2024	lsass.exe	76
PID 2024 wrote to memory of 1344	2024	lsass.exe	76
PID 2024 wrote to memory of 1344	2024	lsass.exe	76
PID 344 wrote to memory of 660	344	WScript.exe	77
PID 344 wrote to memory of 660	344	WScript.exe	77
PID 344 wrote to memory of 660	344	WScript.exe	77
PID 660 wrote to memory of 2516	660	lsass.exe	78
PID 660 wrote to memory of 2516	660	lsass.exe	78
PID 660 wrote to memory of 2516	660	lsass.exe	78
PID 660 wrote to memory of 272	660	lsass.exe	79
PID 660 wrote to memory of 272	660	lsass.exe	79
PID 660 wrote to memory of 272	660	lsass.exe	79
PID 2516 wrote to memory of 2260	2516	WScript.exe	80
PID 2516 wrote to memory of 2260	2516	WScript.exe	80
PID 2516 wrote to memory of 2260	2516	WScript.exe	80
PID 2260 wrote to memory of 2796	2260	lsass.exe	81
PID 2260 wrote to memory of 2796	2260	lsass.exe	81
PID 2260 wrote to memory of 2796	2260	lsass.exe	81
PID 2260 wrote to memory of 676	2260	lsass.exe	82
PID 2260 wrote to memory of 676	2260	lsass.exe	82
PID 2260 wrote to memory of 676	2260	lsass.exe	82
PID 2796 wrote to memory of 1880	2796	WScript.exe	83

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe
"C:\Users\Admin\AppData\Local\Temp\dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Program Files\VideoLAN\lsass.exe
  "C:\Program Files\VideoLAN\lsass.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2024
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\278dada5-aaa7-4dd5-b5a2-dd0a8fc59ca8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:344
  - - C:\Program Files\VideoLAN\lsass.exe
      "C:\Program Files\VideoLAN\lsass.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:660
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9f1d00c-c1ac-4095-8dcb-6166bfea0b77.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Program Files\VideoLAN\lsass.exe
        
        "C:\Program Files\VideoLAN\lsass.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ef6c829-b384-4583-ade4-c3ff8bf963f6.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Program Files\VideoLAN\lsass.exe
        
        "C:\Program Files\VideoLAN\lsass.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\432c20e3-9072-43d9-93a6-84b759a14344.vbs"
        9⤵
        
        PID:268
        
        C:\Program Files\VideoLAN\lsass.exe
        
        "C:\Program Files\VideoLAN\lsass.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d60b25c-9390-494a-9c48-6ba102cba44b.vbs"
        11⤵
        
        PID:3000
        
        C:\Program Files\VideoLAN\lsass.exe
        
        "C:\Program Files\VideoLAN\lsass.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d92e02b-8de7-4174-bf71-ab3d5eedf2de.vbs"
        13⤵
        
        PID:1628
        
        C:\Program Files\VideoLAN\lsass.exe
        
        "C:\Program Files\VideoLAN\lsass.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\169c057a-14cb-43ef-ba31-240e88e8d991.vbs"
        15⤵
        
        PID:908
        
        C:\Program Files\VideoLAN\lsass.exe
        
        "C:\Program Files\VideoLAN\lsass.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ce72f12-c47f-482b-9bae-73a781c41d25.vbs"
        17⤵
        
        PID:1940
        
        C:\Program Files\VideoLAN\lsass.exe
        
        "C:\Program Files\VideoLAN\lsass.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7cdf650-3beb-4b27-be95-eb3f18dc2149.vbs"
        19⤵
        
        PID:2384
        
        C:\Program Files\VideoLAN\lsass.exe
        
        "C:\Program Files\VideoLAN\lsass.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\796666a7-e2e9-4bd7-b45a-36d063bff640.vbs"
        21⤵
        
        PID:936
        
        C:\Program Files\VideoLAN\lsass.exe
        
        "C:\Program Files\VideoLAN\lsass.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da53103a-cdc2-4698-9657-e0670268edff.vbs"
        23⤵
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b5fa804-c9c3-435d-8b7e-4991d75e97a3.vbs"
        23⤵
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fa9b127-5a29-46b7-8eb9-82790e6cee31.vbs"
        21⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ac992dc-7647-4bb5-8479-92c7995d5c15.vbs"
        19⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbde0029-200a-4521-b888-fc99b51d06a6.vbs"
        17⤵
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36a14560-f93a-4178-8af6-77999abe7ad9.vbs"
        15⤵
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\820c38e3-6907-4876-b2a8-4bab5b2e57d5.vbs"
        13⤵
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e316fb9f-6bd2-4b9b-97db-00ac01bf37e9.vbs"
        11⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10afefb8-7b28-47cd-afe5-953c00ae2bf4.vbs"
        9⤵
        
        PID:1996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07439245-6aae-4407-b20a-cf3511ef355c.vbs"
        7⤵
        
        PID:676
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26dd731b-67dc-4f24-a569-393e3aad24cf.vbs"
        5⤵
        
        PID:272
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a2a5296-30d8-4acb-a719-50882bcc94d6.vbs"
    3⤵
    PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\audiodg.exe

Filesize
4.9MB

MD5
86234c7703eab90dc3943eb64b051570

SHA1
946db3ac233db0c9bc6c716d7c4f0dd4358a1cc6

SHA256
dc7c173446481ab87c667201b7e1963e6412bd22f7eda6e7ebe8d4cb1c632d67

SHA512
2ba72804559df751023030d60b4b23e046c7fafe227c68924d1c3a3ac772de4737f8c4849e091b6734a1d7586ba8c611e6bfc8bf4a15a24769bbb2d15616c625

Download Submit
C:\Program Files\VideoLAN\lsass.exe

Filesize
4.9MB

MD5
5d59859317da9998b784d821d7139bd4

SHA1
d2e64bc4bd668016166ed1319f22f6a91fae6ffe

SHA256
c9daaf8d5b8b7f5acecb675b41f4401a85e8f2796d31fc22ec61af8b100d0c92

SHA512
a91db93607fbe8e2417b7f52c9424045d309639d48b1391050e506321341ca4c5994fd9fb96a9a2d9b7e8cedd8c24d606e0c406cf3a10f37d5b7a509a94b2899

Download Submit
C:\Users\Admin\AppData\Local\Temp\169c057a-14cb-43ef-ba31-240e88e8d991.vbs

Filesize
711B

MD5
dc0c9b7911ea2d1caba16f3d2c39b17c

SHA1
87fd9fdf6f0ec408bfcfec568f5495caa0dc7a25

SHA256
1b21ace0033e34266eec786199e89aecbeef4f4e7391bcf1c7ea2303086bc1d2

SHA512
ea25dcbe89a23566f8f85e5f121cc8d989f48bf64110ee9dce0722152a38ab0be5cf4a98e9782775c4fa0ea7946295024a30313a2072b9568f880a6c2c41105c

Download Submit
C:\Users\Admin\AppData\Local\Temp\278dada5-aaa7-4dd5-b5a2-dd0a8fc59ca8.vbs

Filesize
711B

MD5
79f72d31d11a24acee1f9342921fc34f

SHA1
d1f9f562a292860fb51bdc7c9503f504856002c2

SHA256
6d0a3bb0ef5d0b7409623bc8e337d3add2e1918915e45fc139eadad7b7cca1c0

SHA512
e6fd7bbe90378ea7c48963f2a611d0d7670da1044f4548db691a54c3fff8407a42b59fd12e8c11562c5cc191e1247a94c64c10a5bb206a99a7c6ace09eb10853

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a2a5296-30d8-4acb-a719-50882bcc94d6.vbs

Filesize
487B

MD5
48aeb1de38ec8f837c4dff0049a4a8f1

SHA1
6cce0d9323f97d61cbfade8bc45a2a10e046ae02

SHA256
1787c8be33072981a7c2cae109082dba6ae1d85a1bb877e4f9f2829c45fee822

SHA512
c4992674e71c70889934b0a46528cd4fdecc77aa7d7a7f1df610ca40631112b19136135ab8de232fa847d1eaec670c6a4feb8618674a031aa3a686d232365abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\432c20e3-9072-43d9-93a6-84b759a14344.vbs

Filesize
711B

MD5
fa42342f71f9dff989f7d9dfe6fe1ea3

SHA1
251f39dc09a0fb5c089ef829c8b58bf21be73114

SHA256
4a231dd58ed15be3821e9be675cd7b1096a654551927f29912ca170da464dbc0

SHA512
ded95b9520ce98d45504481721e546121cf5881196de16a7bbba4b44cc5a88091ce47a31554577034d44e8bba775615332eed0857f0b8067666c7d70b71be9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d92e02b-8de7-4174-bf71-ab3d5eedf2de.vbs

Filesize
711B

MD5
08cbe91454709ce0f4d5d8b284b9757c

SHA1
7f5851b9d79ca0598e9eee339afeb989a59d32c7

SHA256
99ca1ed7e06898f1fa260a3254fe8ad3b03500f69e4f6f1368787aa140844949

SHA512
86d270ed6560c95556d17110c0e30d14b654edadaa1d0c6ef91dd2353943e941a59d8938c5518e5a79ff0af55f749621fbf62b56f8b32df7151e012e9c9de1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d60b25c-9390-494a-9c48-6ba102cba44b.vbs

Filesize
711B

MD5
67521b81fad950a2181cef1e2313282e

SHA1
31638eca0f04779b56e69990ba96cef7ef918a99

SHA256
a9b5adea9cfa5f9227d5d9ff005d925de952f7f750f8bb1c7593c7d8ee14187e

SHA512
10b5360a2c1dcd14345488548353ef2792dd6686d43934d63fb9492a1942b5d7c7a74a28e2243ece20e01bd498cf8926692fff0bcd27fab61e485b7264f49d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\796666a7-e2e9-4bd7-b45a-36d063bff640.vbs

Filesize
710B

MD5
a43f5f17e415765d60558e335c8b2fc8

SHA1
02394af2b2cf05e134cd079394774c8400220e42

SHA256
c587d932433231aeda9ac6e063fd3e3245822e40ab10103db91ab92e07c043c5

SHA512
04ee9682ed9f11e25bbbbbefbbcc0f8350ad792febd22221af92728f93cce7c7afb9fd2774c358b5541d2e13f992586568c0f1de47549f7bda4c5bc0c9d23c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ce72f12-c47f-482b-9bae-73a781c41d25.vbs

Filesize
711B

MD5
9fa633cf008e0f53af689910244a8ec2

SHA1
7d649b52e89b1c5849f557e6fbdce7552041994a

SHA256
2fea0515b246ef865ad52513e3784b54490bc542dfeda657b13eb9ad27deecc9

SHA512
1bebad31bf46384a33055912903a6da9c742f5f37adf12be1480883669fb49113a208693da330fc4a5b12fd7547ae18067cc824947fc1e7eafc791b87c5ba6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ef6c829-b384-4583-ade4-c3ff8bf963f6.vbs

Filesize
711B

MD5
85f4081feee2b3f54774649e1df7ea73

SHA1
4387fb0e62c9b706734a76152f9ed2955927447b

SHA256
e31b71f12c3ba0ab5dee15be68d8457d99efd830834c1d85e10be21e502b0ff0

SHA512
a52cae9b7932b97376b6cacde1e84d875710c47d967a14202023399a3b2d0af9c055962b02519786812d426fa6e45541e0e429f7b8659daa17a8737a196d855e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7cdf650-3beb-4b27-be95-eb3f18dc2149.vbs

Filesize
711B

MD5
f1b389b7d05d1a560be9ba2eb3a21e68

SHA1
7d009ab4894138b148c49ab5605a3a034b03c0c7

SHA256
e791e38422abb8f1cab62907fe93def604489e2c604383138cee5ec614637e5a

SHA512
25116492a783c2c7555e34bbff7219000b7410ff882ba11296e311bce1ecc6e68a1c8eace1215c499586dab08b2cc898c83326965212069beb7053842bb8b155

Download Submit
C:\Users\Admin\AppData\Local\Temp\da53103a-cdc2-4698-9657-e0670268edff.vbs

Filesize
711B

MD5
d4fe4f21f6a792bfa95907ed2b73ac31

SHA1
6e7c5c66e0ea398aaab3303742d7ccb5735cbfcc

SHA256
adc3afff1b11f38c27e1739c5ef195eda5330eb3a4602dc7e9ac4f243402751a

SHA512
b0d6ec3beb1f967207309c25a6a02674936469f87bebb7ee41c0e44926cdc570ff9236a36dbb0844534d3e0fcec3be1079ae9b21baf90a342f743f65cc3705c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9f1d00c-c1ac-4095-8dcb-6166bfea0b77.vbs

Filesize
710B

MD5
49a28d462ff6a5252cbe86bc4f491b01

SHA1
f2aedb232c5c08a320138c7708e1d3a52f89b9e5

SHA256
84afb8c3dbd1189f3069f257e00fcb48704a664c3fc0a88089ff3e54d81b065f

SHA512
472fcc7617a98a739c2e1cb9cfdd14df4a89bde8917443f76dba5a2107ae1334033c801c23fa5faf713557ecb172533e0be4a4407fd960cb2c30344ab265f0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0FC.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3e345cd3c739d507477f94085c5b5f0d

SHA1
97cf924c52543c6745adf29414da92c18ee22284

SHA256
835304de835ce98b4a2b5ea4f19f6928e1850aafd312cdd18266063be6b7dc8f

SHA512
5dfc85b860af9f415ee623e0f61bc36b8021e069c83e2a9a992fa292921d28150317a733e0a529ba0b39234b19272b80ebe23bd14a24fdb7b5f44176029ec53e

Download Submit
memory/660-155-0x0000000000E30000-0x0000000001324000-memory.dmp

Filesize
5.0MB

Download
memory/1012-105-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1716-199-0x0000000001370000-0x0000000001864000-memory.dmp

Filesize
5.0MB

Download
memory/1716-200-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/2024-140-0x0000000000110000-0x0000000000604000-memory.dmp

Filesize
5.0MB

Download
memory/2260-170-0x00000000011E0000-0x00000000016D4000-memory.dmp

Filesize
5.0MB

Download
memory/2412-116-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2568-10-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2568-1-0x0000000000B20000-0x0000000001014000-memory.dmp

Filesize
5.0MB

Download
memory/2568-141-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-15-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2568-14-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/2568-13-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/2568-12-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2568-11-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2568-16-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2568-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2568-7-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/2568-8-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2568-6-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2568-5-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2568-4-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/2568-3-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-2-0x000000001B280000-0x000000001B3AE000-memory.dmp

Filesize
1.2MB

Download
memory/2568-9-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/3056-285-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download