dcrat | 0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

голые фотографии акима.exe
Size

3.7MB
MD5

934f077da68d3fda26839f06286b71e4
SHA1

f805ec2e43d7518d420b94b954fd6b4e640ef64d
SHA256

0e1ea55667ec6d7ed658718be1528ce3f5e5ac464113e114a96379004137787b
SHA512

85e2bff55ce5aa6569d50146a3d95c611f774605fa9a8ee041cede3a928bf7585943e63aaf9eb5b14dc4d25fe6bee3e57d58c9b586653322300aaa67e87dd714
SSDEEP

49152:UbA30FDlon6ZtXRUNAtf3zkDcpigc4Jp8+bF5BxiLFHqzQ6yQH2lJwtYv2:UbZ7tXyNAtf3Rigc4n58xHqzQ6TH2Lel

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1308	schtasks.exe
		960	schtasks.exe
		620	schtasks.exe
		1976	schtasks.exe
		3060	schtasks.exe
		2428	schtasks.exe
		1564	schtasks.exe
		844	schtasks.exe
File created	C:\Windows\Help\Help\es-ES\101b941d020240		hyperblockDll.exe
		2620	schtasks.exe
		1708	schtasks.exe
		584	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		голые фотографии акима.exe
File created	C:\Program Files (x86)\Reference Assemblies\101b941d020240		hyperblockDll.exe
		2140	schtasks.exe
		2344	schtasks.exe
		2324	schtasks.exe
		484	schtasks.exe
		1768	schtasks.exe
		1284	schtasks.exe
		1976	schtasks.exe
		2648	schtasks.exe
		2684	schtasks.exe
		2896	schtasks.exe
		2212	schtasks.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\69ddcba757bf72		hyperblockDll.exe
		2888	schtasks.exe
		2052	schtasks.exe
		2320	schtasks.exe
		1052	schtasks.exe
		2528	schtasks.exe
		1612	schtasks.exe
		2740	schtasks.exe
		352	schtasks.exe
		2340	schtasks.exe
		1756	schtasks.exe
		1460	schtasks.exe
		2508	schtasks.exe
		2908	schtasks.exe
		2076	schtasks.exe
File created	C:\Program Files\DVD Maker\cc11b995f2a76d		hyperblockDll.exe
		2628	schtasks.exe
		1684	schtasks.exe
		1524	schtasks.exe
		2904	schtasks.exe
		2800	schtasks.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\b75386f1303e64		hyperblockDll.exe
		848	schtasks.exe
		2480	schtasks.exe
		2028	schtasks.exe
		1792	schtasks.exe
		376	schtasks.exe
		2568	schtasks.exe
		2700	schtasks.exe
		2524	schtasks.exe
		2016	schtasks.exe
		548	schtasks.exe
		2296	schtasks.exe
		1532	schtasks.exe
		1132	schtasks.exe
		2364	schtasks.exe
		764	schtasks.exe
		2488	schtasks.exe
		1956	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1484	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1484	schtasks.exe	36

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016141-17.dat	dcrat
behavioral1/memory/1800-18-0x0000000000B00000-0x0000000000E6A000-memory.dmp	dcrat
behavioral1/memory/1704-118-0x0000000000DA0000-0x000000000110A000-memory.dmp	dcrat

Executes dropped EXE 7 IoCs

pid	Process
1800	hyperblockDll.exe
1040	hyperblockDll.exe
1704	taskhost.exe
1700	taskhost.exe
3048	taskhost.exe
1384	taskhost.exe
2880	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	cmd.exe
2824	cmd.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hyperblockDll.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\b75386f1303e64	hyperblockDll.exe
File created	C:\Program Files\DVD Maker\winlogon.exe	hyperblockDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\lsm.exe	hyperblockDll.exe
File created	C:\Program Files\DVD Maker\en-US\6203df4a6bafc7	hyperblockDll.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe	hyperblockDll.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\taskhost.exe	hyperblockDll.exe
File created	C:\Program Files\DVD Maker\cc11b995f2a76d	hyperblockDll.exe
File created	C:\Program Files\Windows Defender\es-ES\56085415360792	hyperblockDll.exe
File created	C:\Program Files\DVD Maker\en-US\lsass.exe	hyperblockDll.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\69ddcba757bf72	hyperblockDll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	hyperblockDll.exe
File created	C:\Program Files\Windows Defender\es-ES\wininit.exe	hyperblockDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\101b941d020240	hyperblockDll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	hyperblockDll.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\Help\es-ES\lsm.exe	hyperblockDll.exe
File created	C:\Windows\Help\Help\es-ES\101b941d020240	hyperblockDll.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..n-cmdline.resources_31bf3856ad364e35_6.1.7600.16385_es-es_922ed88ee5a660d1\csrss.exe	hyperblockDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	голые фотографии акима.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2648	schtasks.exe
1308	schtasks.exe
2568	schtasks.exe
2896	schtasks.exe
1612	schtasks.exe
2356	schtasks.exe
484	schtasks.exe
1708	schtasks.exe
1720	schtasks.exe
1792	schtasks.exe
2488	schtasks.exe
1956	schtasks.exe
2820	schtasks.exe
2700	schtasks.exe
2684	schtasks.exe
1460	schtasks.exe
1564	schtasks.exe
2908	schtasks.exe
2800	schtasks.exe
1104	schtasks.exe
960	schtasks.exe
2444	schtasks.exe
3016	schtasks.exe
2076	schtasks.exe
2244	schtasks.exe
352	schtasks.exe
3020	schtasks.exe
1684	schtasks.exe
1284	schtasks.exe
1244	schtasks.exe
2344	schtasks.exe
2528	schtasks.exe
2016	schtasks.exe
584	schtasks.exe
2628	schtasks.exe
3068	schtasks.exe
2248	schtasks.exe
376	schtasks.exe
2564	schtasks.exe
2508	schtasks.exe
2140	schtasks.exe
3064	schtasks.exe
1976	schtasks.exe
2740	schtasks.exe
3060	schtasks.exe
2520	schtasks.exe
1524	schtasks.exe
1284	schtasks.exe
1768	schtasks.exe
2324	schtasks.exe
1640	schtasks.exe
2620	schtasks.exe
1052	schtasks.exe
1976	schtasks.exe
2340	schtasks.exe
844	schtasks.exe
1384	schtasks.exe
1756	schtasks.exe
2212	schtasks.exe
2524	schtasks.exe
2364	schtasks.exe
764	schtasks.exe
2904	schtasks.exe
2428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1800	hyperblockDll.exe
1040	hyperblockDll.exe
1040	hyperblockDll.exe
1040	hyperblockDll.exe
1040	hyperblockDll.exe
1040	hyperblockDll.exe
1040	hyperblockDll.exe
1040	hyperblockDll.exe
1704	taskhost.exe
1704	taskhost.exe
1704	taskhost.exe
1704	taskhost.exe
1704	taskhost.exe
1704	taskhost.exe
1704	taskhost.exe
3048	taskhost.exe
3048	taskhost.exe
3048	taskhost.exe
3048	taskhost.exe
3048	taskhost.exe
3048	taskhost.exe
3048	taskhost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	hyperblockDll.exe
Token: SeDebugPrivilege	1040	hyperblockDll.exe
Token: SeDebugPrivilege	1704	taskhost.exe
Token: SeDebugPrivilege	3048	taskhost.exe
Token: SeDebugPrivilege	1700	taskhost.exe
Token: SeDebugPrivilege	2880	taskhost.exe
Token: SeDebugPrivilege	1384	taskhost.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2080	2448	голые фотографии акима.exe	31
PID 2448 wrote to memory of 2080	2448	голые фотографии акима.exe	31
PID 2448 wrote to memory of 2080	2448	голые фотографии акима.exe	31
PID 2448 wrote to memory of 2080	2448	голые фотографии акима.exe	31
PID 2448 wrote to memory of 2340	2448	голые фотографии акима.exe	32
PID 2448 wrote to memory of 2340	2448	голые фотографии акима.exe	32
PID 2448 wrote to memory of 2340	2448	голые фотографии акима.exe	32
PID 2448 wrote to memory of 2340	2448	голые фотографии акима.exe	32
PID 2080 wrote to memory of 2824	2080	WScript.exe	33
PID 2080 wrote to memory of 2824	2080	WScript.exe	33
PID 2080 wrote to memory of 2824	2080	WScript.exe	33
PID 2080 wrote to memory of 2824	2080	WScript.exe	33
PID 2824 wrote to memory of 1800	2824	cmd.exe	35
PID 2824 wrote to memory of 1800	2824	cmd.exe	35
PID 2824 wrote to memory of 1800	2824	cmd.exe	35
PID 2824 wrote to memory of 1800	2824	cmd.exe	35
PID 1800 wrote to memory of 1040	1800	hyperblockDll.exe	94
PID 1800 wrote to memory of 1040	1800	hyperblockDll.exe	94
PID 1800 wrote to memory of 1040	1800	hyperblockDll.exe	94
PID 1040 wrote to memory of 1704	1040	hyperblockDll.exe	119
PID 1040 wrote to memory of 1704	1040	hyperblockDll.exe	119
PID 1040 wrote to memory of 1704	1040	hyperblockDll.exe	119
PID 1704 wrote to memory of 2696	1704	taskhost.exe	120
PID 1704 wrote to memory of 2696	1704	taskhost.exe	120
PID 1704 wrote to memory of 2696	1704	taskhost.exe	120
PID 1704 wrote to memory of 2076	1704	taskhost.exe	121
PID 1704 wrote to memory of 2076	1704	taskhost.exe	121
PID 1704 wrote to memory of 2076	1704	taskhost.exe	121
PID 1704 wrote to memory of 1936	1704	taskhost.exe	122
PID 1704 wrote to memory of 1936	1704	taskhost.exe	122
PID 1704 wrote to memory of 1936	1704	taskhost.exe	122
PID 1936 wrote to memory of 2596	1936	cmd.exe	124
PID 1936 wrote to memory of 2596	1936	cmd.exe	124
PID 1936 wrote to memory of 2596	1936	cmd.exe	124
PID 1936 wrote to memory of 1700	1936	cmd.exe	125
PID 1936 wrote to memory of 1700	1936	cmd.exe	125
PID 1936 wrote to memory of 1700	1936	cmd.exe	125
PID 2696 wrote to memory of 3048	2696	WScript.exe	126
PID 2696 wrote to memory of 3048	2696	WScript.exe	126
PID 2696 wrote to memory of 3048	2696	WScript.exe	126
PID 3048 wrote to memory of 1528	3048	taskhost.exe	127
PID 3048 wrote to memory of 1528	3048	taskhost.exe	127
PID 3048 wrote to memory of 1528	3048	taskhost.exe	127
PID 3048 wrote to memory of 1612	3048	taskhost.exe	128
PID 3048 wrote to memory of 1612	3048	taskhost.exe	128
PID 3048 wrote to memory of 1612	3048	taskhost.exe	128
PID 1612 wrote to memory of 1104	1612	cmd.exe	130
PID 1612 wrote to memory of 1104	1612	cmd.exe	130
PID 1612 wrote to memory of 1104	1612	cmd.exe	130
PID 1612 wrote to memory of 1384	1612	cmd.exe	131
PID 1612 wrote to memory of 1384	1612	cmd.exe	131
PID 1612 wrote to memory of 1384	1612	cmd.exe	131
PID 1528 wrote to memory of 2880	1528	WScript.exe	132
PID 1528 wrote to memory of 2880	1528	WScript.exe	132
PID 1528 wrote to memory of 2880	1528	WScript.exe	132

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	hyperblockDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\голые фотографии акима.exe
"C:\Users\Admin\AppData\Local\Temp\голые фотографии акима.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgehyperchainportAgent\lcZ6MvLb.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BridgehyperchainportAgent\akmRZ8KYIwqCrue04KkAUPxFzhoyZ.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\BridgehyperchainportAgent\hyperblockDll.exe
      "C:\BridgehyperchainportAgent\hyperblockDll.exe"
      4⤵
      DcRat
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1800
    - - C:\BridgehyperchainportAgent\hyperblockDll.exe
        
        "C:\BridgehyperchainportAgent\hyperblockDll.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1040
      - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9255c53-f4a5-49e7-89fb-e088e05dfccb.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22d6f8c0-bcc7-4486-91a4-ef02514d6c7c.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KK8tOjD9dO.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1104
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87711f05-240e-4d5d-a666-bffba69934e1.vbs"
        7⤵
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WY8ttHjbX9.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2596
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgehyperchainportAgent\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\BridgehyperchainportAgent\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\BridgehyperchainportAgent\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperblockDllh" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\hyperblockDll.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperblockDll" /sc ONLOGON /tr "'C:\MSOCache\All Users\hyperblockDll.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperblockDllh" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\hyperblockDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\Help\es-ES\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Help\Help\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\Help\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\BridgehyperchainportAgent\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\BridgehyperchainportAgent\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\BridgehyperchainportAgent\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\BridgehyperchainportAgent\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\BridgehyperchainportAgent\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\BridgehyperchainportAgent\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\BridgehyperchainportAgent\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\BridgehyperchainportAgent\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\en-US\lsass.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\BridgehyperchainportAgent\WmiPrvSE.exe'" /f
1⤵
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\BridgehyperchainportAgent\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\BridgehyperchainportAgent\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgehyperchainportAgent\24dbde2999530e

Filesize
144B

MD5
be7be7d8a0173882284deb7fce18353f

SHA1
b1524bd555528890d7da2e006b551d16b47119e3

SHA256
180408b10e4aa74bfed1208dc490d3ca57e319754b6313789f36eb501802c7f9

SHA512
5d353b939c21520d3b3d23545c13b84340813878ea60e1e072575fa85456f130d395b723faeec601030d8b7fa5b454b349a8aaeaf25269442e995def984bebe2

Download Submit
C:\BridgehyperchainportAgent\akmRZ8KYIwqCrue04KkAUPxFzhoyZ.bat

Filesize
48B

MD5
efb9b32455839f2f1e46065e13aeb93f

SHA1
cae49ccdd500a9808ac144387b15ad6ced46c036

SHA256
611d9c30bfabaaa6e9aee5c75025b71dca9116c45300ac325febeefe2d5b0e24

SHA512
351d053f36e497238add089f19e30f164c1110be7826d58e7fb71705b06a7d6d51789add692ac08af4c1e613e3f9c54789a5c8f707ad302a70bcd379645cff1c

Download Submit
C:\BridgehyperchainportAgent\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\BridgehyperchainportAgent\hyperblockDll.exe

Filesize
3.4MB

MD5
df6d3aff42df48d0830227cae92e6bd6

SHA1
bf7f75fd82694b2a44098df2b28c2db35e7ea142

SHA256
05b5df5bc84e193fba3aa26d1b20cb81faa7b176a24a8df2238c8ed61e6e583a

SHA512
07163831729582397fdbdcef5d921750b2968b9d555fd0b881913ae1b283573e4efc827d0eb51552882743b541e44ff2a8dbf0d99a4e5c3f47228a4536bab64a

Download Submit
C:\BridgehyperchainportAgent\lcZ6MvLb.vbe

Filesize
231B

MD5
05a47a3e17c29bf5b8bc6949a26ccb44

SHA1
87e896625a30943a252a839ba3e22507422bbb04

SHA256
85f873ac1def74dea8180c0cce0084490505d2bc213abf34d3a95fda4b92c63f

SHA512
72ef9bb092cfbc824341aa0075ee594b410e9afea3a8ae40c0f1743a4cb2528005701099ef156dc0f2a2da4474809f1d5995e01d12c6ac36f0cc7ae6baf8f64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\22d6f8c0-bcc7-4486-91a4-ef02514d6c7c.vbs

Filesize
737B

MD5
4529e73719d0cac1804f56344e05dd25

SHA1
ffe9ef4a0be752b5d7f5a21201b31feb601c856e

SHA256
e0acccd5f2c708c89d7589502b6036dcbb188800efc0a6d3b1aeee511ba24267

SHA512
09972261477d8bc8c2e8207b8e9b0db6187ec2f79f11e38e5c4ef311d5e150c6f3bbdbd2908ca556116b43970272400f289eeeb30f209f08adb66df6297dbed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\87711f05-240e-4d5d-a666-bffba69934e1.vbs

Filesize
513B

MD5
13ce9fe9684f1c8e8b044d02d2964fa9

SHA1
75c51aff3463727dcb41bacd9352ab8c48fa6d6e

SHA256
f494bf45b5350c86d65f4e91c6da82e6402225627a41946e9dd800a0499824db

SHA512
0da57d5836b8577a84a69206fba469b932bc4f87c570a91cb94245f506f595c7e6a2238992ac43c5ee3d08cdd0c0bfd5019f68d4ac2ba0f579833715d0bc16a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KK8tOjD9dO.bat

Filesize
226B

MD5
77ee7a2dd27872e40567d80d9054080a

SHA1
c1992f87162fb775de57657b6f93d53d1a76e8fd

SHA256
29fe910c31d3562991448a3dd57955d5e5e4d85fa21f7040bbea9d3f36a9d031

SHA512
25769d543789009a0eeb781cc7baf87b94d1af33463af2b87bfd0d0005167506d27245b409d4b3c68cf356d1ce2a5cbb0ceae73dc11b5b170d2afc027b322302

Download Submit
C:\Users\Admin\AppData\Local\Temp\WY8ttHjbX9.bat

Filesize
226B

MD5
584bdd837f50ea3cbc1cdbd99a59a2bc

SHA1
7887f6de027378b31748f212f720a8b77da05c9a

SHA256
1014fe70de70a022a372ebccd6bf12463b2ff15b9f186d8967d09ce6bcbc51cd

SHA512
ffdf1da01ad993d1d06013cb1008e14b0ef1fe1bb00a980d9b87dc77b7769a9c82179ffac3dd30b6bdfa3c8a343d824a9bf6210abb5fa34333758cd4c79f074d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9255c53-f4a5-49e7-89fb-e088e05dfccb.vbs

Filesize
737B

MD5
505b03a542862f007734ec930691ce1d

SHA1
a2e2e8cca28ac77c89f0c1f7de6406ee8cf92a0b

SHA256
96c0aa5034a69388e084322f3bcc1b18232725b83c9da6fd7e9c2112b6ec5eaa

SHA512
2ba0f75ee60b038b3853131c6ec9a0948a55cd785e9119b5ef2878a63bdab172e1cbb1a3ef9a9feaa80f698a81e87422ae1d754c05a9be86827479238eef9214

Download Submit
memory/1040-93-0x000000001AE10000-0x000000001AE66000-memory.dmp

Filesize
344KB

Download
memory/1704-118-0x0000000000DA0000-0x000000000110A000-memory.dmp

Filesize
3.4MB

Download
memory/1704-119-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/1800-35-0x0000000002280000-0x000000000228C000-memory.dmp

Filesize
48KB

Download
memory/1800-43-0x000000001AD50000-0x000000001AD58000-memory.dmp

Filesize
32KB

Download
memory/1800-26-0x0000000000770000-0x0000000000778000-memory.dmp

Filesize
32KB

Download
memory/1800-27-0x0000000000780000-0x0000000000792000-memory.dmp

Filesize
72KB

Download
memory/1800-28-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/1800-29-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/1800-30-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/1800-31-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/1800-32-0x00000000023A0000-0x00000000023F6000-memory.dmp

Filesize
344KB

Download
memory/1800-33-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/1800-34-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/1800-24-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/1800-36-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1800-37-0x000000001A900000-0x000000001A912000-memory.dmp

Filesize
72KB

Download
memory/1800-38-0x000000001A930000-0x000000001A93C000-memory.dmp

Filesize
48KB

Download
memory/1800-39-0x000000001A940000-0x000000001A94C000-memory.dmp

Filesize
48KB

Download
memory/1800-40-0x000000001AD20000-0x000000001AD28000-memory.dmp

Filesize
32KB

Download
memory/1800-41-0x000000001AD30000-0x000000001AD3C000-memory.dmp

Filesize
48KB

Download
memory/1800-42-0x000000001AD40000-0x000000001AD4C000-memory.dmp

Filesize
48KB

Download
memory/1800-25-0x0000000000750000-0x0000000000766000-memory.dmp

Filesize
88KB

Download
memory/1800-44-0x000000001AD60000-0x000000001AD6C000-memory.dmp

Filesize
48KB

Download
memory/1800-45-0x000000001ADF0000-0x000000001ADFA000-memory.dmp

Filesize
40KB

Download
memory/1800-46-0x000000001AE80000-0x000000001AE8E000-memory.dmp

Filesize
56KB

Download
memory/1800-47-0x000000001AE90000-0x000000001AE98000-memory.dmp

Filesize
32KB

Download
memory/1800-48-0x000000001B0F0000-0x000000001B0FE000-memory.dmp

Filesize
56KB

Download
memory/1800-49-0x000000001B100000-0x000000001B108000-memory.dmp

Filesize
32KB

Download
memory/1800-50-0x000000001B110000-0x000000001B11C000-memory.dmp

Filesize
48KB

Download
memory/1800-23-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/1800-22-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/1800-21-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1800-20-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/1800-51-0x000000001B120000-0x000000001B128000-memory.dmp

Filesize
32KB

Download
memory/1800-52-0x000000001B130000-0x000000001B13A000-memory.dmp

Filesize
40KB

Download
memory/1800-53-0x000000001B140000-0x000000001B14C000-memory.dmp

Filesize
48KB

Download
memory/1800-18-0x0000000000B00000-0x0000000000E6A000-memory.dmp

Filesize
3.4MB

Download
memory/1800-19-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/3048-137-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/3048-136-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download