dcrat | c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79ccc

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
Size

4.9MB
MD5

a0f7a7c23f4328406cd5e9c3048ac530
SHA1

f0182c24eb6c86b592e92ccabf50abb48bfb92ce
SHA256

c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79ccc
SHA512

7f439594403da5e99de6e4ba5a388ba3ce61571c7589a34040f8dc36ccab3e0ea28193b94852fa3d00c22f9ac32aab454cd569e8ba38175a5be56a25f5b86dbf
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2688	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2688	schtasks.exe	31

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2136-3-0x000000001B620000-0x000000001B74E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2952	powershell.exe
2552	powershell.exe
2596	powershell.exe
2984	powershell.exe
2820	powershell.exe
3056	powershell.exe
2720	powershell.exe
2684	powershell.exe
2960	powershell.exe
2388	powershell.exe
2692	powershell.exe
2424	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
696	smss.exe
2020	smss.exe
1964	smss.exe
2260	smss.exe
948	smss.exe
2992	smss.exe
1792	smss.exe
3000	smss.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pt-PT\dllhost.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Windows\SysWOW64\pt-PT\5940a34987c991	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Windows\SysWOW64\pt-PT\RCXEC1A.tmp	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Windows\SysWOW64\pt-PT\dllhost.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\Java\smss.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Program Files\Windows Journal\de-DE\5940a34987c991	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Program Files (x86)\Windows Media Player\0a1fd5f707cd16	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files\Java\RCXF429.tmp	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\c5b4cb5e9653cc	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXEA16.tmp	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files\Java\smss.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\RCXF62D.tmp	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\dllhost.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\lsm.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Program Files\Java\69ddcba757bf72	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Program Files (x86)\Windows Media Player\sppsvc.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Program Files\Windows Journal\de-DE\dllhost.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\101b941d020240	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXEE1D.tmp	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXF830.tmp	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\RCXFAA1.tmp	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\24dbde2999530e	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\sppsvc.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\lsm.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Idle.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\6ccacd8608530f	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\RCXF021.tmp	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Idle.exe	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe
2812	schtasks.exe
1880	schtasks.exe
1680	schtasks.exe
2800	schtasks.exe
2672	schtasks.exe
2268	schtasks.exe
1972	schtasks.exe
2372	schtasks.exe
1632	schtasks.exe
2536	schtasks.exe
1672	schtasks.exe
536	schtasks.exe
2516	schtasks.exe
1192	schtasks.exe
328	schtasks.exe
2824	schtasks.exe
2312	schtasks.exe
1856	schtasks.exe
2064	schtasks.exe
376	schtasks.exe
2092	schtasks.exe
2504	schtasks.exe
2588	schtasks.exe
2936	schtasks.exe
1944	schtasks.exe
2332	schtasks.exe
2316	schtasks.exe
3036	schtasks.exe
2568	schtasks.exe
2584	schtasks.exe
2916	schtasks.exe
2000	schtasks.exe
324	schtasks.exe
1988	schtasks.exe
2828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
2720	powershell.exe
2424	powershell.exe
2984	powershell.exe
3056	powershell.exe
2820	powershell.exe
2692	powershell.exe
2960	powershell.exe
2952	powershell.exe
2684	powershell.exe
2596	powershell.exe
2552	powershell.exe
2388	powershell.exe
696	smss.exe
2020	smss.exe
1964	smss.exe
2260	smss.exe
948	smss.exe
2992	smss.exe
1792	smss.exe
3000	smss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	696	smss.exe
Token: SeDebugPrivilege	2020	smss.exe
Token: SeDebugPrivilege	1964	smss.exe
Token: SeDebugPrivilege	2260	smss.exe
Token: SeDebugPrivilege	948	smss.exe
Token: SeDebugPrivilege	2992	smss.exe
Token: SeDebugPrivilege	1792	smss.exe
Token: SeDebugPrivilege	3000	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2820	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	69
PID 2136 wrote to memory of 2820	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	69
PID 2136 wrote to memory of 2820	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	69
PID 2136 wrote to memory of 2952	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	70
PID 2136 wrote to memory of 2952	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	70
PID 2136 wrote to memory of 2952	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	70
PID 2136 wrote to memory of 2424	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	71
PID 2136 wrote to memory of 2424	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	71
PID 2136 wrote to memory of 2424	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	71
PID 2136 wrote to memory of 3056	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	73
PID 2136 wrote to memory of 3056	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	73
PID 2136 wrote to memory of 3056	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	73
PID 2136 wrote to memory of 2984	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	74
PID 2136 wrote to memory of 2984	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	74
PID 2136 wrote to memory of 2984	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	74
PID 2136 wrote to memory of 2692	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	77
PID 2136 wrote to memory of 2692	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	77
PID 2136 wrote to memory of 2692	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	77
PID 2136 wrote to memory of 2720	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	78
PID 2136 wrote to memory of 2720	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	78
PID 2136 wrote to memory of 2720	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	78
PID 2136 wrote to memory of 2388	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	80
PID 2136 wrote to memory of 2388	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	80
PID 2136 wrote to memory of 2388	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	80
PID 2136 wrote to memory of 2960	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	81
PID 2136 wrote to memory of 2960	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	81
PID 2136 wrote to memory of 2960	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	81
PID 2136 wrote to memory of 2684	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	82
PID 2136 wrote to memory of 2684	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	82
PID 2136 wrote to memory of 2684	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	82
PID 2136 wrote to memory of 2596	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	83
PID 2136 wrote to memory of 2596	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	83
PID 2136 wrote to memory of 2596	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	83
PID 2136 wrote to memory of 2552	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	84
PID 2136 wrote to memory of 2552	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	84
PID 2136 wrote to memory of 2552	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	84
PID 2136 wrote to memory of 708	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	93
PID 2136 wrote to memory of 708	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	93
PID 2136 wrote to memory of 708	2136	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe	93
PID 708 wrote to memory of 1616	708	cmd.exe	95
PID 708 wrote to memory of 1616	708	cmd.exe	95
PID 708 wrote to memory of 1616	708	cmd.exe	95
PID 708 wrote to memory of 696	708	cmd.exe	96
PID 708 wrote to memory of 696	708	cmd.exe	96
PID 708 wrote to memory of 696	708	cmd.exe	96
PID 696 wrote to memory of 2336	696	smss.exe	97
PID 696 wrote to memory of 2336	696	smss.exe	97
PID 696 wrote to memory of 2336	696	smss.exe	97
PID 696 wrote to memory of 2616	696	smss.exe	98
PID 696 wrote to memory of 2616	696	smss.exe	98
PID 696 wrote to memory of 2616	696	smss.exe	98
PID 2336 wrote to memory of 2020	2336	WScript.exe	99
PID 2336 wrote to memory of 2020	2336	WScript.exe	99
PID 2336 wrote to memory of 2020	2336	WScript.exe	99
PID 2020 wrote to memory of 2936	2020	smss.exe	100
PID 2020 wrote to memory of 2936	2020	smss.exe	100
PID 2020 wrote to memory of 2936	2020	smss.exe	100
PID 2020 wrote to memory of 536	2020	smss.exe	101
PID 2020 wrote to memory of 536	2020	smss.exe	101
PID 2020 wrote to memory of 536	2020	smss.exe	101
PID 2936 wrote to memory of 1964	2936	WScript.exe	102
PID 2936 wrote to memory of 1964	2936	WScript.exe	102
PID 2936 wrote to memory of 1964	2936	WScript.exe	102
PID 1964 wrote to memory of 2668	1964	smss.exe	103

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe
"C:\Users\Admin\AppData\Local\Temp\c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79cccN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8kuxZwF9lg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1616
- - C:\Program Files\Java\smss.exe
    "C:\Program Files\Java\smss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:696
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea9d58c3-3872-4c68-9111-8ce61ec49cc8.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Program Files\Java\smss.exe
        
        "C:\Program Files\Java\smss.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2020
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\248f4eb6-5163-47a3-aa6a-7f328760f2af.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Program Files\Java\smss.exe
        
        "C:\Program Files\Java\smss.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ce1c1c-738b-4965-b432-831ed5b16ec3.vbs"
        8⤵
        
        PID:2668
        
        C:\Program Files\Java\smss.exe
        
        "C:\Program Files\Java\smss.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9da8dd4d-2ff9-492d-a758-aeae8ab47905.vbs"
        10⤵
        
        PID:1260
        
        C:\Program Files\Java\smss.exe
        
        "C:\Program Files\Java\smss.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39354957-2f22-4238-a6a4-896fe05e5db9.vbs"
        12⤵
        
        PID:2568
        
        C:\Program Files\Java\smss.exe
        
        "C:\Program Files\Java\smss.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58761d10-3f4d-43ef-a7e6-ea702c4cba87.vbs"
        14⤵
        
        PID:2328
        
        C:\Program Files\Java\smss.exe
        
        "C:\Program Files\Java\smss.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83549bc9-488c-4a11-8045-040d0190b0b7.vbs"
        16⤵
        
        PID:1052
        
        C:\Program Files\Java\smss.exe
        
        "C:\Program Files\Java\smss.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48dca68c-b9b1-4810-b5b9-7e23fd953c8f.vbs"
        18⤵
        
        PID:2708
        
        C:\Program Files\Java\smss.exe
        
        "C:\Program Files\Java\smss.exe"
        19⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c9428ce-0662-4d13-bb81-9e5328e0cb63.vbs"
        18⤵
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acd7f560-235f-43d5-9303-21b021e4ab68.vbs"
        16⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\894d2607-8983-408b-99a1-a9a8296ce315.vbs"
        14⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5188d1e7-e1b2-4a0e-b5c9-af654bdfa1bc.vbs"
        12⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\798b4369-af5f-4eed-89e5-037d002c9517.vbs"
        10⤵
        
        PID:276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05a53fa4-f083-4915-ad2f-b700965c5fb3.vbs"
        8⤵
        
        PID:1680
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\baf359f2-1d82-4184-92d8-1f7f1b6f1e48.vbs"
        6⤵
        
        PID:536
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae1b3b28-ea46-48c0-8801-e156b2b756a7.vbs"
      4⤵
      PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\pt-PT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\pt-PT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\pt-PT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\Framework\v3.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\smss.exe

Filesize
3.8MB

MD5
daecbae1deb8f5d4a7fc19586feb0580

SHA1
128f001e95f087d0567069de84090d7504a76173

SHA256
71f9483d4a5fa46527086d84446a8233e7616c9e95d00d74a2d028ccc708cc93

SHA512
c985aeac52d4b1804f551ae86801b913cee0b22e77c2f0777a374da903087dd9cfe4a95608e4c15d7cd0a89f6fb2abcc3abcc43388adf1d56a21dd56fb8b5bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\248f4eb6-5163-47a3-aa6a-7f328760f2af.vbs

Filesize
706B

MD5
f286b17754c563993ab11e6fed576c48

SHA1
12b27ec6f5af7d4ef30ce0ba896d5445b02d76de

SHA256
986405a975fceec96d16d27ed71ea11212f78b0930ae7535ab2239214b4bab76

SHA512
57fed4761bc2cbfc530bac1d0c36d06da48186f2079eb74fb340b5de3de8a6bbfa12b4f1c9409bc59f5b31abfba96058e07f49e9c9211c9997bd9022ebb0eecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\39354957-2f22-4238-a6a4-896fe05e5db9.vbs

Filesize
705B

MD5
bb3f86d31d5c832fba690108936d9c67

SHA1
720f70ff26a555f28d24cad31de9f636c1f1e37c

SHA256
c190d65349dd9d54f3f5779611b7a7f8cb2d82cf6bcdaa6f2a12e09109106c94

SHA512
c1f30c2565398141e575d03e536ba5ba5b645e77c186ea56c69c375a44f1cbdab729de26d1cfad101971fe8f07e7202883d26b43efa587ebdcea07261a0eb8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\48dca68c-b9b1-4810-b5b9-7e23fd953c8f.vbs

Filesize
706B

MD5
0df1d478dc589ec7f3e706a54481eb06

SHA1
24e723620e851c8decb94bb083f7947faf00bedf

SHA256
269efb52de7cef60a7c9cb03e604be227315d59aa5f1011eaa011e999f4024bc

SHA512
de1dc52b3625a14617aa6e3e12326929cb18a7b5d1fff304044fd17329d745f199580b177e4b472cbff5be2b21c5dde79b1e358716df37907710c65a97542d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\58761d10-3f4d-43ef-a7e6-ea702c4cba87.vbs

Filesize
706B

MD5
57248bcaeebc3f6fd0ebdf96f837881d

SHA1
55803d09c13df3b829567705d639676ba92e17fe

SHA256
8d44cba5adc8e56cbc2db2b4f6f83768df246a19b56ae86dd02ecaf40e54d8bf

SHA512
8b28ecf0d5322f310233a954264306f28679a407d7e4782faf38ea9505bc72c27cde560aae229109d815c8b7a3da258b53a2f1c8dd3a29588c90bed13c54440c

Download Submit
C:\Users\Admin\AppData\Local\Temp\83549bc9-488c-4a11-8045-040d0190b0b7.vbs

Filesize
706B

MD5
7846162b5f7322c827106384ca06b15b

SHA1
20c9095c1971a601e5548b8f1b99ffacc0da2551

SHA256
2507130adc81db0811f6878b410e7f58452e4f1b19dc760027b6978ef84d27a1

SHA512
33680122055ae5659a0cfe136225643ae347c7f4fb901542582dec78fa8dc43a940b5bc344d93f55ef8eda4cc329556c8416992fc13359c60481d0ca4101f029

Download Submit
C:\Users\Admin\AppData\Local\Temp\8kuxZwF9lg.bat

Filesize
195B

MD5
febfd9fc307c9f248d15efced28264a5

SHA1
f1b6620c644b42305993ef31d0445eb1f6f89d5d

SHA256
319387472334504450b5ddaca2d42275400a50cc10b4373931e8aab92b77ac25

SHA512
f2d8cdaa95c600e996931b48f6f6c55a85acfc239cda9ea452cfca7abfc54ffadd2809ffc0c8ae1111af30838997fc93bef91353f0577fa18951e1aa78548f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\9da8dd4d-2ff9-492d-a758-aeae8ab47905.vbs

Filesize
706B

MD5
37a33ec61a4e2b85e4937a909864e315

SHA1
54987f4fdbe5bc69c8d236b2e586c11f6acc7eea

SHA256
2695e27dd33c23fb1573e9a44213f14a6102c0b925ab465ff45e20fc7ba14e7e

SHA512
9492cf3e4c10f540032db7b7307010a47b5ea8cc180996493d755db393348c48ef09e3572e661e7d4306f75222ff1c83801c81e60637d3746bcdf4a74b2cac61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae1b3b28-ea46-48c0-8801-e156b2b756a7.vbs

Filesize
482B

MD5
1383f74558a077fd341dbfb3575eafec

SHA1
7413476283418d80e50d1a21571c769732884acb

SHA256
5a328dbb7e59f106232ae8e9b339fc8b80f1834d647c1a0515448198bde49f7b

SHA512
3c8b538138d11cde43c67785e55b3678acb792369156886322acc978a2bcaf92af0386b16b77e26e6fb4f3ad8d13716e787aca2b6cb23ba4a7e6a4ec0d19e119

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9ce1c1c-738b-4965-b432-831ed5b16ec3.vbs

Filesize
706B

MD5
60c98566b20f3d5b5bcd8232734e1648

SHA1
9b16add966dab5650a54ff88fa38ddafa3414e31

SHA256
20ec013920528269bd513776f6d19bfa16a25e55e31308aa90dfd366f997dfb9

SHA512
70250c3f717e21ff9692e4cb465da55ca5221826f2439f003faf91179d71a84c803f14a6d3050b7964487f71095f2c7144f3ae6dde8b33018e1edc79ab46674e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea9d58c3-3872-4c68-9111-8ce61ec49cc8.vbs

Filesize
705B

MD5
8dfc8d0de223241234f83d2997569805

SHA1
13151b5026b1f268e142c208af8f46d6e5faa79d

SHA256
26c2efe1ee8b5360ec7df7116de4dbb249d2e91281a410d88fdf6127f492179b

SHA512
ef585f5184abf424e4deaea4721c0d4d1b987c3e7c5c944ee8aa00fa6f00a0b1b336546aff46cb28c7982e5848797ec967d1da18d0595b9d3d6fe9589dbee8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp20E9.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1546012125eecc0965a4422ef9ae3d6b

SHA1
d9170094f6f2095727004c77b497c38a56a13c33

SHA256
4a3fa002fea1bf0e8a0c473b5fa3b3e05df55485c79bf602422210c832cfc4d9

SHA512
1ba28b4887790f9440b63cf5da0683ff5e57e33e0904d7151d9c307c5e158d1a687026cf60022dcba5572b0ec5c6fcd4ecea1c1806b6a331672c512b594f7936

Download Submit
C:\Windows\SysWOW64\pt-PT\dllhost.exe

Filesize
4.9MB

MD5
a0f7a7c23f4328406cd5e9c3048ac530

SHA1
f0182c24eb6c86b592e92ccabf50abb48bfb92ce

SHA256
c43ca8d4db6d919255a551797c7f01e75d8272fc8a2881bae204952091e79ccc

SHA512
7f439594403da5e99de6e4ba5a388ba3ce61571c7589a34040f8dc36ccab3e0ea28193b94852fa3d00c22f9ac32aab454cd569e8ba38175a5be56a25f5b86dbf

Download Submit
memory/696-197-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/696-196-0x0000000001030000-0x0000000001524000-memory.dmp

Filesize
5.0MB

Download
memory/948-259-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/948-258-0x0000000001350000-0x0000000001844000-memory.dmp

Filesize
5.0MB

Download
memory/1792-290-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1792-289-0x0000000000E60000-0x0000000001354000-memory.dmp

Filesize
5.0MB

Download
memory/1964-228-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/1964-227-0x0000000000E20000-0x0000000001314000-memory.dmp

Filesize
5.0MB

Download
memory/2020-211-0x00000000000E0000-0x00000000005D4000-memory.dmp

Filesize
5.0MB

Download
memory/2020-212-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/2136-13-0x0000000000DA0000-0x0000000000DAE000-memory.dmp

Filesize
56KB

Download
memory/2136-6-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/2136-8-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/2136-11-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/2136-16-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download
memory/2136-14-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/2136-7-0x0000000000700000-0x0000000000716000-memory.dmp

Filesize
88KB

Download
memory/2136-9-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/2136-1-0x0000000000E10000-0x0000000001304000-memory.dmp

Filesize
5.0MB

Download
memory/2136-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2136-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-12-0x0000000000D90000-0x0000000000D9E000-memory.dmp

Filesize
56KB

Download
memory/2136-3-0x000000001B620000-0x000000001B74E000-memory.dmp

Filesize
1.2MB

Download
memory/2136-10-0x0000000000CF0000-0x0000000000D02000-memory.dmp

Filesize
72KB

Download
memory/2136-5-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/2136-130-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-4-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/2136-15-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/2260-243-0x0000000000300000-0x00000000007F4000-memory.dmp

Filesize
5.0MB

Download
memory/2720-142-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2720-143-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2992-274-0x0000000000280000-0x0000000000774000-memory.dmp

Filesize
5.0MB

Download
memory/3000-305-0x0000000001130000-0x0000000001624000-memory.dmp

Filesize
5.0MB

Download