dcrat | 75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c76e7dcc8ae18ed5107083568de5c15.exe
Size

2.2MB
MD5

8c76e7dcc8ae18ed5107083568de5c15
SHA1

b229653c55b499475dc90fd7f517dad0ddf83afa
SHA256

75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835
SHA512

bb1d47f24fe11a598c85ad3204bf272be66763d20b880996f68f06b0623aa7d823af44a60722977e539f8a80fab1bd9fd8866da0ffc72251d91aa38603ed12bb
SSDEEP

49152:a31tZUmbFNH1wLJDPqTo9lIS/MXU2F4/1l5eQ7K6:altZUE6NDyTo9lv2F+VvK6

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\", \"C:\\Users\\Default User\\lsm.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Public\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\System.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Public\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\addins\\sppsvc.exe\", \"C:\\Users\\All Users\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\explorer.exe\", \"C:\\Program Files (x86)\\Google\\audiodg.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Public\\System.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Public\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Public\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsm.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Public\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Public\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\addins\\sppsvc.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Users\\Public\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsm.exe\", \"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\addins\\sppsvc.exe\", \"C:\\Users\\All Users\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\explorer.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2800	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2800	schtasks.exe	28

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2844-1-0x0000000000830000-0x0000000000A5E000-memory.dmp	dcrat
behavioral1/files/0x0008000000016621-38.dat	dcrat
behavioral1/files/0x000500000001a495-83.dat	dcrat
behavioral1/files/0x000700000001939c-110.dat	dcrat
behavioral1/files/0x0009000000016307-121.dat	dcrat
behavioral1/files/0x000d000000016621-156.dat	dcrat
behavioral1/files/0x00060000000194c6-190.dat	dcrat
behavioral1/files/0x000a0000000194da-196.dat	dcrat
behavioral1/memory/2596-233-0x0000000001150000-0x000000000137E000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	8c76e7dcc8ae18ed5107083568de5c15.exe

Executes dropped EXE 3 IoCs

pid	Process
2596	System.exe
380	System.exe
1380	System.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\addins\\sppsvc.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\explorer.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Package Cache\\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\\packages\\explorer.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Google\\audiodg.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsm.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\lsass.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsm.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\lsm.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\System.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\smss.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Sidebar\\de-DE\\smss.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\System.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\spoolsv.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Google\\audiodg.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\f6a14ac2-8725-11ef-a9ab-dab21757c799\\csrss.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\addins\\sppsvc.exe\""	8c76e7dcc8ae18ed5107083568de5c15.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8c76e7dcc8ae18ed5107083568de5c15.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8c76e7dcc8ae18ed5107083568de5c15.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\RCXBD05.tmp	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Program Files (x86)\Google\RCXBD73.tmp	8c76e7dcc8ae18ed5107083568de5c15.exe
File created	C:\Program Files\Windows Sidebar\de-DE\smss.exe	8c76e7dcc8ae18ed5107083568de5c15.exe
File created	C:\Program Files (x86)\Google\42af1c969fbb7b	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX9F10.tmp	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RCXA114.tmp	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCXA31A.tmp	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lsass.exe	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\smss.exe	8c76e7dcc8ae18ed5107083568de5c15.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\smss.exe	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\smss.exe	8c76e7dcc8ae18ed5107083568de5c15.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\6203df4a6bafc7	8c76e7dcc8ae18ed5107083568de5c15.exe
File created	C:\Program Files\Windows Sidebar\de-DE\69ddcba757bf72	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX9F0F.tmp	8c76e7dcc8ae18ed5107083568de5c15.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\69ddcba757bf72	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RCXA115.tmp	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCXA319.tmp	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Program Files (x86)\Google\audiodg.exe	8c76e7dcc8ae18ed5107083568de5c15.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lsass.exe	8c76e7dcc8ae18ed5107083568de5c15.exe
File created	C:\Program Files (x86)\Google\audiodg.exe	8c76e7dcc8ae18ed5107083568de5c15.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\sppsvc.exe	8c76e7dcc8ae18ed5107083568de5c15.exe
File created	C:\Windows\addins\sppsvc.exe	8c76e7dcc8ae18ed5107083568de5c15.exe
File created	C:\Windows\addins\0a1fd5f707cd16	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Windows\addins\RCXB7B4.tmp	8c76e7dcc8ae18ed5107083568de5c15.exe
File opened for modification	C:\Windows\addins\RCXB822.tmp	8c76e7dcc8ae18ed5107083568de5c15.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1504	schtasks.exe
844	schtasks.exe
328	schtasks.exe
3056	schtasks.exe
2600	schtasks.exe
2164	schtasks.exe
2312	schtasks.exe
1836	schtasks.exe
1736	schtasks.exe
332	schtasks.exe
1932	schtasks.exe
2580	schtasks.exe
2896	schtasks.exe
276	schtasks.exe
604	schtasks.exe
324	schtasks.exe
2548	schtasks.exe
1660	schtasks.exe
1516	schtasks.exe
2112	schtasks.exe
1704	schtasks.exe
1912	schtasks.exe
1328	schtasks.exe
1220	schtasks.exe
1728	schtasks.exe
1532	schtasks.exe
1884	schtasks.exe
2944	schtasks.exe
1748	schtasks.exe
2760	schtasks.exe
2044	schtasks.exe
2108	schtasks.exe
2084	schtasks.exe
2836	schtasks.exe
2636	schtasks.exe
2520	schtasks.exe
2748	schtasks.exe
1672	schtasks.exe
1960	schtasks.exe
2988	schtasks.exe
2612	schtasks.exe
2940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2844	8c76e7dcc8ae18ed5107083568de5c15.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe
2596	System.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	8c76e7dcc8ae18ed5107083568de5c15.exe
Token: SeDebugPrivilege	2596	System.exe
Token: SeDebugPrivilege	380	System.exe
Token: SeDebugPrivilege	1380	System.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3032	2844	8c76e7dcc8ae18ed5107083568de5c15.exe	71
PID 2844 wrote to memory of 3032	2844	8c76e7dcc8ae18ed5107083568de5c15.exe	71
PID 2844 wrote to memory of 3032	2844	8c76e7dcc8ae18ed5107083568de5c15.exe	71
PID 3032 wrote to memory of 2108	3032	cmd.exe	73
PID 3032 wrote to memory of 2108	3032	cmd.exe	73
PID 3032 wrote to memory of 2108	3032	cmd.exe	73
PID 3032 wrote to memory of 2596	3032	cmd.exe	76
PID 3032 wrote to memory of 2596	3032	cmd.exe	76
PID 3032 wrote to memory of 2596	3032	cmd.exe	76
PID 2596 wrote to memory of 604	2596	System.exe	77
PID 2596 wrote to memory of 604	2596	System.exe	77
PID 2596 wrote to memory of 604	2596	System.exe	77
PID 2596 wrote to memory of 1672	2596	System.exe	78
PID 2596 wrote to memory of 1672	2596	System.exe	78
PID 2596 wrote to memory of 1672	2596	System.exe	78
PID 604 wrote to memory of 380	604	WScript.exe	79
PID 604 wrote to memory of 380	604	WScript.exe	79
PID 604 wrote to memory of 380	604	WScript.exe	79
PID 380 wrote to memory of 2184	380	System.exe	80
PID 380 wrote to memory of 2184	380	System.exe	80
PID 380 wrote to memory of 2184	380	System.exe	80
PID 380 wrote to memory of 792	380	System.exe	81
PID 380 wrote to memory of 792	380	System.exe	81
PID 380 wrote to memory of 792	380	System.exe	81
PID 2184 wrote to memory of 1380	2184	WScript.exe	82
PID 2184 wrote to memory of 1380	2184	WScript.exe	82
PID 2184 wrote to memory of 1380	2184	WScript.exe	82
PID 1380 wrote to memory of 3044	1380	System.exe	83
PID 1380 wrote to memory of 3044	1380	System.exe	83
PID 1380 wrote to memory of 3044	1380	System.exe	83
PID 1380 wrote to memory of 1848	1380	System.exe	84
PID 1380 wrote to memory of 1848	1380	System.exe	84
PID 1380 wrote to memory of 1848	1380	System.exe	84

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8c76e7dcc8ae18ed5107083568de5c15.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8c76e7dcc8ae18ed5107083568de5c15.exe
"C:\Users\Admin\AppData\Local\Temp\8c76e7dcc8ae18ed5107083568de5c15.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BOHPKclMxg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2108
- - C:\MSOCache\All Users\System.exe
    "C:\MSOCache\All Users\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2596
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d64a32f-a0ad-4567-8490-0b4d48f72176.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:380
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c06da67d-afe9-4d41-a70e-229a3c483acd.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbe7da0c-fa0f-41c3-b7ce-baa4f9a00f19.vbs"
        8⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62d44f71-eb18-43bf-ae96-e86f6b3ebfbe.vbs"
        8⤵
        
        PID:1848
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f64f1d26-ac03-444f-aef6-fd353c2ee8e5.vbs"
        6⤵
        
        PID:792
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2c9fda7-14db-4d02-bd09-78ae9b9b8cf5.vbs"
      4⤵
      PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\System.exe

Filesize
2.2MB

MD5
3ef52af5ce4cea21029fc02d8babffab

SHA1
2c3c84b839a6c03670c042b8141a318096616f26

SHA256
d48b9e0a5b7afcb759e4efde1593d3e63d1c2812dd52c3d756fabecb1730cbb7

SHA512
67047489e98714c8f99b57c48cf3929e9a40c0951f3d46f1dd292392e82faf8728a985f1247a194382b45c8329bfd79dc18616cea9c9bad81b839f31de705100

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe

Filesize
2.2MB

MD5
4118a2becd4360f2089ebb3c327d794b

SHA1
3f31cba58f2e761d418bc302e05588808902484e

SHA256
05fc99548fd708fcc536a76e6a4b4400ffa9422a9ffda0ed38a29d0992444bdd

SHA512
63f67fb5c1149e9d8f01d8428b1e46f01aafc3dc50234d479fcec2e8a29e0d7f9d6e054d9e5248e623539da7da1f8db6e9ca01e0974a88c9d5f72e35ddf1dfbd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\RCXA115.tmp

Filesize
2.2MB

MD5
5d3af89d022a5254fb73160a9344c5cd

SHA1
29f80f28bc8a1f30f4377dbb9041605aff4fd484

SHA256
6342eadbd0350c42bc903b36487794cfc554a0e94ea389633942c1de23af862e

SHA512
740f213116b9fd1dac7193211bb370077cc0568fb944a3c80c050703ac0cf58064b7bc6acd1e5b34f9e5e27ee9b5a24403e000d76de2d89c1a2a6df88b7ebd80

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe

Filesize
2.2MB

MD5
8c76e7dcc8ae18ed5107083568de5c15

SHA1
b229653c55b499475dc90fd7f517dad0ddf83afa

SHA256
75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835

SHA512
bb1d47f24fe11a598c85ad3204bf272be66763d20b880996f68f06b0623aa7d823af44a60722977e539f8a80fab1bd9fd8866da0ffc72251d91aa38603ed12bb

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe

Filesize
2.2MB

MD5
fc5e480fb05fb38b4f9731e917b9e766

SHA1
96f145eb175121537b7b8c65a6c1139232708325

SHA256
c8e5df5bb388376ec5a4a19bfa085b7fdcfd755cc89e29b4d443c009724616ef

SHA512
7f4b5f2430e2ce5deedfdf114c2d888b1ff84926e8f9384bc514b669b3d02534c5624b5764b7b8e387770192aea72e661c8d16da6f97ffb0b939955f2605202a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d64a32f-a0ad-4567-8490-0b4d48f72176.vbs

Filesize
708B

MD5
57c9e60bf1c0dfc85dc822f7b512718c

SHA1
b214a86dd5af5066e23c0f86ba526e44571f5e73

SHA256
d1b804e20691feb09998c664d1c65f76de906d44a302a01669adeb34951e8e05

SHA512
ed252c778fe7006b05e93364ebb74b0fdec213cea6b58fb2dba53cd6ccffcea3f71919247889fa8014e11b1d488ae58f97842b6c686a96bb0a6bcd4dd624174a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOHPKclMxg.bat

Filesize
197B

MD5
db7f1ee6ef3c06d199bc23caa5f7f4ff

SHA1
f2ad25cf6fc450f1c68abeaa946f6cdd83e12586

SHA256
65d2b1c2ff4e3492f9285362ee1805693b77e948eff01962d0b1295f6808c88d

SHA512
81b6d9e6cc4c4369f348aca3118fd3692da54ec741cb58de9ca4f0cdd18ce6b4e97008585c5afd55cccfee2cf4139399245bc48e3752efaafc1d0a4fc0cb85b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c06da67d-afe9-4d41-a70e-229a3c483acd.vbs

Filesize
707B

MD5
b4527564758d6be22bb253d3f5f6bc30

SHA1
1d1dbf85305aacfef1eded433299eecff8dc4fe6

SHA256
779ccaccc3eba3f054d922e6d66e74896efd40ad204281ec743623a9490d07df

SHA512
9b84ae6c1a055cab34faddc6cf8a75cd5492daf21312548af639fe511332b7e0de334717988d0e0c5ff55d935bfd1cd443fb08f57ff24a7a89868c7596782aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2c9fda7-14db-4d02-bd09-78ae9b9b8cf5.vbs

Filesize
484B

MD5
1a37de6462d4377b2bbd8e191e15f1d3

SHA1
51f8f6dcc7504350434fdf39657d03632ec932fa

SHA256
4bae02e6618a6fb279359a1af72025f50e383adf0b641594b661b0a830081ce4

SHA512
7fb71783b7f4e6348e79421aebac174a9b9d599b4e4b80c5a0780cf527684005d25ef70819e11b1d9865f4f3f4f71de3dcc2540744719a2b91fded0b02392f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbe7da0c-fa0f-41c3-b7ce-baa4f9a00f19.vbs

Filesize
708B

MD5
b0df278d1c0e31f807dbf8e923df351b

SHA1
e88cb5c7f01f2200c0b84839bbfa8fd1c6cf54a7

SHA256
de04860ad0a6ba6020d6e21207a810cf05eb6d8c8d416b99a24ec59cbdcfaa18

SHA512
106a264b8e4718ac55f522536cfee604a441f60bba7502d3d778042968e1581340a43054ca615440b2cb3b177ffe93268aee70dae331bfdf0cdefc195d0fcce2

Download Submit
C:\Users\Default\lsm.exe

Filesize
2.2MB

MD5
7f24f5bfa3a4e1d8e7087b573ca05aee

SHA1
3bec3b35dd31b3610d24034d2bc3e1c3b7e4ed5a

SHA256
fe6b9b778450e98e709651d70af7f8e968f4caf63c659075cc5748fc6fc85709

SHA512
a55e8d9fb6fd28d61b42ecfef885572787052d91ec1ef2974c5de3e58ae2515a173b66b8f4a4fd31dfa5d132760d0f2c386c7a9913c88c380af85b8d5616efb8

Download Submit
C:\Windows\addins\sppsvc.exe

Filesize
2.2MB

MD5
faf2aecb96fd230cdf8dce30bfcde918

SHA1
d0af0fa0332c35c6f249ca3eb472207b152e9035

SHA256
4c997b058d946e9dfd0a09bb35399e57735825b5944d4b376de37aa8a70de5d1

SHA512
fef078098587cdef2090378d557779838e761509fe793faf6b9458caf0a3beccb0cc9775b59782b7df55566bac583da97f2933c5eedcb68fb28b6008eb1ed99d

Download Submit
memory/2596-233-0x0000000001150000-0x000000000137E000-memory.dmp

Filesize
2.2MB

Download
memory/2844-10-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/2844-29-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2844-14-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2844-18-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/2844-16-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2844-19-0x0000000002320000-0x000000000232C000-memory.dmp

Filesize
48KB

Download
memory/2844-20-0x0000000002330000-0x000000000233C000-memory.dmp

Filesize
48KB

Download
memory/2844-21-0x0000000002340000-0x000000000234C000-memory.dmp

Filesize
48KB

Download
memory/2844-24-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/2844-23-0x00000000023E0000-0x00000000023EE000-memory.dmp

Filesize
56KB

Download
memory/2844-25-0x0000000002400000-0x000000000240E000-memory.dmp

Filesize
56KB

Download
memory/2844-22-0x0000000002350000-0x000000000235A000-memory.dmp

Filesize
40KB

Download
memory/2844-26-0x0000000002410000-0x000000000241C000-memory.dmp

Filesize
48KB

Download
memory/2844-27-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2844-28-0x0000000002430000-0x000000000243C000-memory.dmp

Filesize
48KB

Download
memory/2844-15-0x00000000022D0000-0x00000000022DC000-memory.dmp

Filesize
48KB

Download
memory/2844-13-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/2844-12-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download
memory/2844-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/2844-11-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/2844-8-0x00000000007C0000-0x00000000007D6000-memory.dmp

Filesize
88KB

Download
memory/2844-9-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/2844-7-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/2844-201-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/2844-218-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2844-229-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2844-6-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/2844-5-0x0000000000790000-0x00000000007AC000-memory.dmp

Filesize
112KB

Download
memory/2844-4-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/2844-3-0x0000000000450000-0x000000000045E000-memory.dmp

Filesize
56KB

Download
memory/2844-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2844-1-0x0000000000830000-0x0000000000A5E000-memory.dmp

Filesize
2.2MB

Download