dcrat | 8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Size

1.5MB
MD5

24a6fbff4c43f3aafd8906724ab7a21e
SHA1

c0f99114a21e322eabc8ee370993ecb09e984121
SHA256

8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354
SHA512

7daf7fd2890acad093bc7f71db825a9e13eb60fe188d3cd2de44d7994db25e71576f721005fdc9cde0263aa3fb25319235fd9611862ede7f6dff0c0d00286a4a
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
File created	C:\Windows\System32\auditpolmsg\69ddcba757bf72		8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
		2780	schtasks.exe
		2700	schtasks.exe
		2836	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\auditpolmsg\\smss.exe\""	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\auditpolmsg\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\winlogon.exe\""	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\auditpolmsg\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\winlogon.exe\", \"C:\\Windows\\System32\\licmgr10\\wininit.exe\""	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2808	schtasks.exe	31

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe
2632	powershell.exe
2992	powershell.exe
2292	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe

Executes dropped EXE 13 IoCs

pid	Process
2108	winlogon.exe
1036	winlogon.exe
1688	winlogon.exe
2776	winlogon.exe
2572	winlogon.exe
1956	winlogon.exe
2068	winlogon.exe
2960	winlogon.exe
780	winlogon.exe
1068	winlogon.exe
988	winlogon.exe
1376	winlogon.exe
2448	winlogon.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\auditpolmsg\\smss.exe\""	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\auditpolmsg\\smss.exe\""	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\winlogon.exe\""	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\winlogon.exe\""	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\licmgr10\\wininit.exe\""	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\licmgr10\\wininit.exe\""	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\licmgr10\56085415360792	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
File opened for modification	C:\Windows\System32\auditpolmsg\RCXDD26.tmp	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
File opened for modification	C:\Windows\System32\licmgr10\RCXE1BB.tmp	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
File opened for modification	C:\Windows\System32\licmgr10\wininit.exe	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
File created	C:\Windows\System32\auditpolmsg\smss.exe	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
File opened for modification	C:\Windows\System32\auditpolmsg\smss.exe	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
File created	C:\Windows\System32\auditpolmsg\69ddcba757bf72	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
File created	C:\Windows\System32\licmgr10\wininit.exe	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2780	schtasks.exe
2700	schtasks.exe
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
2632	powershell.exe
2992	powershell.exe
2292	powershell.exe
2968	powershell.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe
2108	winlogon.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2108	winlogon.exe
Token: SeDebugPrivilege	1036	winlogon.exe
Token: SeDebugPrivilege	1688	winlogon.exe
Token: SeDebugPrivilege	2776	winlogon.exe
Token: SeDebugPrivilege	2572	winlogon.exe
Token: SeDebugPrivilege	1956	winlogon.exe
Token: SeDebugPrivilege	2068	winlogon.exe
Token: SeDebugPrivilege	2960	winlogon.exe
Token: SeDebugPrivilege	780	winlogon.exe
Token: SeDebugPrivilege	1068	winlogon.exe
Token: SeDebugPrivilege	988	winlogon.exe
Token: SeDebugPrivilege	1376	winlogon.exe
Token: SeDebugPrivilege	2448	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2632	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	35
PID 1672 wrote to memory of 2632	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	35
PID 1672 wrote to memory of 2632	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	35
PID 1672 wrote to memory of 2968	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	36
PID 1672 wrote to memory of 2968	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	36
PID 1672 wrote to memory of 2968	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	36
PID 1672 wrote to memory of 2992	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	37
PID 1672 wrote to memory of 2992	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	37
PID 1672 wrote to memory of 2992	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	37
PID 1672 wrote to memory of 2292	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	39
PID 1672 wrote to memory of 2292	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	39
PID 1672 wrote to memory of 2292	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	39
PID 1672 wrote to memory of 396	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	43
PID 1672 wrote to memory of 396	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	43
PID 1672 wrote to memory of 396	1672	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe	43
PID 396 wrote to memory of 1724	396	cmd.exe	45
PID 396 wrote to memory of 1724	396	cmd.exe	45
PID 396 wrote to memory of 1724	396	cmd.exe	45
PID 396 wrote to memory of 2108	396	cmd.exe	46
PID 396 wrote to memory of 2108	396	cmd.exe	46
PID 396 wrote to memory of 2108	396	cmd.exe	46
PID 2108 wrote to memory of 900	2108	winlogon.exe	47
PID 2108 wrote to memory of 900	2108	winlogon.exe	47
PID 2108 wrote to memory of 900	2108	winlogon.exe	47
PID 2108 wrote to memory of 956	2108	winlogon.exe	48
PID 2108 wrote to memory of 956	2108	winlogon.exe	48
PID 2108 wrote to memory of 956	2108	winlogon.exe	48
PID 900 wrote to memory of 1036	900	WScript.exe	49
PID 900 wrote to memory of 1036	900	WScript.exe	49
PID 900 wrote to memory of 1036	900	WScript.exe	49
PID 1036 wrote to memory of 1936	1036	winlogon.exe	50
PID 1036 wrote to memory of 1936	1036	winlogon.exe	50
PID 1036 wrote to memory of 1936	1036	winlogon.exe	50
PID 1036 wrote to memory of 2344	1036	winlogon.exe	51
PID 1036 wrote to memory of 2344	1036	winlogon.exe	51
PID 1036 wrote to memory of 2344	1036	winlogon.exe	51
PID 1936 wrote to memory of 1688	1936	WScript.exe	52
PID 1936 wrote to memory of 1688	1936	WScript.exe	52
PID 1936 wrote to memory of 1688	1936	WScript.exe	52
PID 1688 wrote to memory of 3044	1688	winlogon.exe	53
PID 1688 wrote to memory of 3044	1688	winlogon.exe	53
PID 1688 wrote to memory of 3044	1688	winlogon.exe	53
PID 1688 wrote to memory of 2764	1688	winlogon.exe	54
PID 1688 wrote to memory of 2764	1688	winlogon.exe	54
PID 1688 wrote to memory of 2764	1688	winlogon.exe	54
PID 3044 wrote to memory of 2776	3044	WScript.exe	55
PID 3044 wrote to memory of 2776	3044	WScript.exe	55
PID 3044 wrote to memory of 2776	3044	WScript.exe	55
PID 2776 wrote to memory of 2392	2776	winlogon.exe	56
PID 2776 wrote to memory of 2392	2776	winlogon.exe	56
PID 2776 wrote to memory of 2392	2776	winlogon.exe	56
PID 2776 wrote to memory of 1816	2776	winlogon.exe	57
PID 2776 wrote to memory of 1816	2776	winlogon.exe	57
PID 2776 wrote to memory of 1816	2776	winlogon.exe	57
PID 2392 wrote to memory of 2572	2392	WScript.exe	58
PID 2392 wrote to memory of 2572	2392	WScript.exe	58
PID 2392 wrote to memory of 2572	2392	WScript.exe	58
PID 2572 wrote to memory of 2024	2572	winlogon.exe	59
PID 2572 wrote to memory of 2024	2572	winlogon.exe	59
PID 2572 wrote to memory of 2024	2572	winlogon.exe	59
PID 2572 wrote to memory of 2956	2572	winlogon.exe	60
PID 2572 wrote to memory of 2956	2572	winlogon.exe	60
PID 2572 wrote to memory of 2956	2572	winlogon.exe	60
PID 2024 wrote to memory of 1956	2024	WScript.exe	61

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe
"C:\Users\Admin\AppData\Local\Temp\8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\auditpolmsg\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\licmgr10\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xP34HrFi3z.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1724
- - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
    "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2108
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50d68832-2f5d-4379-b4d5-232f8304a46e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:900
    - - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1036
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdf0339d-a36a-47de-ad65-44478ea12435.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c11751b9-a847-4dce-a28d-b55aff15ea48.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be66d2e5-7e4c-4c7e-a648-196968d6b472.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b3ae5f0-7501-46fc-8049-e58ff3e576b0.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c3b3a70-9fa7-456c-89e0-36d11134c7e4.vbs"
        14⤵
        
        PID:1876
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d0f5d9b-7887-447b-bf35-56fe1b2dde09.vbs"
        16⤵
        
        PID:3064
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea222ba9-5020-42de-94df-1bee7af5b903.vbs"
        18⤵
        
        PID:3020
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bfda635-5794-40de-8d8a-1077f82ca484.vbs"
        20⤵
        
        PID:1924
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba3847ad-d6db-4c77-8a12-12af276f409e.vbs"
        22⤵
        
        PID:2976
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66bdcbae-28f1-4834-acdb-d8907aad7465.vbs"
        24⤵
        
        PID:644
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b7a5cb2-1673-4af2-b1cb-5fa7369e2791.vbs"
        26⤵
        
        PID:2404
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe"
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e69662bc-595b-4ccd-88bb-55778c1156ba.vbs"
        28⤵
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b459691-7277-4156-9778-4b614b773438.vbs"
        28⤵
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e0d1845-1a12-46d3-a6c5-4fb9b988d6bf.vbs"
        26⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac136257-db1b-414f-9f51-7acfa240deb2.vbs"
        24⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d586a34-0a3d-4e3f-addf-810bc5b46dca.vbs"
        22⤵
        
        PID:300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b1b8062-4b2f-4c2f-a101-7c93fd1e78b7.vbs"
        20⤵
        
        PID:2972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27e76091-7249-4d20-9765-16d22b6927b8.vbs"
        18⤵
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90e38d08-5dfa-43b7-ad60-6f4dd1af90d6.vbs"
        16⤵
        
        PID:816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d4c3ca7-3206-4bde-b21a-1a0c4b825317.vbs"
        14⤵
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e015b6c6-7054-4ec1-a11d-4bd7f83a9338.vbs"
        12⤵
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67d21f34-98ea-4a36-a5ab-4e3f965406e4.vbs"
        10⤵
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c8b3f43-ac84-46af-8167-2682b2452564.vbs"
        8⤵
        
        PID:2764
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f99c9ca-8c75-4c79-88fc-0e758ceadac2.vbs"
        6⤵
        
        PID:2344
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb86c8b9-8e20-4a34-b80f-1207933de1e3.vbs"
      4⤵
      PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\auditpolmsg\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\licmgr10\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe

Filesize
1.5MB

MD5
343cfd5cb5696752722f1f1eaad27435

SHA1
47ad3ead24b400ff6576604153a6e398cd967512

SHA256
7df5f8ce122d9e836cd543f19a9514edc66760fbdda99808b3664023c569b98c

SHA512
fdcd97929e01c219e7beb957d70d710ba2c4afb5800915ee62bd53800bcab36007cb0a9a6a9a44442d9911ee56caf5dd2482eac56706b3f1b6551bdcc9e01640

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bfda635-5794-40de-8d8a-1077f82ca484.vbs

Filesize
763B

MD5
ad077d949ad4398ac7b71d2de12b7c7b

SHA1
abe0d6e7e65fb8bde8725fa4fb9cdef4e0f7cbf8

SHA256
fbbeea79cbb56df898796fc604c7c696af5af242e35cefa3acc46789359f412e

SHA512
5f906323b507bd6d2ad497334f8aa04cae9dc4521208b58471d1e567d536e6527c580aaa64e10c01dcc8d54e55f4b884e2b5760d134435c6b0a0dfe4332367c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d0f5d9b-7887-447b-bf35-56fe1b2dde09.vbs

Filesize
764B

MD5
fbbbd1dec0f20fdee38976601f861e85

SHA1
58f89d8c54809d5582b1bc0bd276e8bef0bbbe6a

SHA256
30b777d81717980033ed8b3ba50189eeb7fefbb16eacaad596f148b8e062fac2

SHA512
61daec7586ad656a97443f86fb00cebb953cfa7211f119ed5d6b7c227f6acfc4f49530fd2afba4482c01c0a808d11b1763dfc29515028608bb528a477b4afc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b3ae5f0-7501-46fc-8049-e58ff3e576b0.vbs

Filesize
764B

MD5
23b2e7495ee1c793e6b7ff61456fd9e3

SHA1
c5d368970f3c7bf1ddd27b8d167257f67b47f29b

SHA256
221b6e788445a1c5c9baf70743602ef941cf173c490915764fff778485bdd92d

SHA512
e0afa657c4f7a856b834892b1d0f243398905e765f793e135ee22bbe7705887068da03fc9addc75b9024361c188c221db1db7eabfc101d3a926bd2933395a22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\50d68832-2f5d-4379-b4d5-232f8304a46e.vbs

Filesize
764B

MD5
a60bc4e5d8f90cd6b50edb2ab0d7a8c4

SHA1
c0ce3b12a66a3446fdf85f2fbaf14d59bf4ef026

SHA256
ac3e4e1fe521474362618d4235d322072199f17b7cd68b972a34c3a351e32bfe

SHA512
2ab4468e3e5d003d7241553a52e087340474517abe5bc0b3554e1ea3f4c4f8da740580e4609c6354fefd59bcce8a7625ac5cf2e5f6005db083a4886d5331890b

Download Submit
C:\Users\Admin\AppData\Local\Temp\66bdcbae-28f1-4834-acdb-d8907aad7465.vbs

Filesize
763B

MD5
6cbfd63df701dad7cbad97bdd46e819f

SHA1
13c250dce8def37015ebcd588fd6d995c991285f

SHA256
945c494f38e97ec282b5202af7106f5617c2a0f40d2d10841892966353b9e8bc

SHA512
32d5194aa626fb0094568f4dff92a3987a71d361368b1da78e1de0b6d41d400e702d02dc15da02ca2ffae604d853be20a7fa450e47c6cf9bdd57aba1080ebe14

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b7a5cb2-1673-4af2-b1cb-5fa7369e2791.vbs

Filesize
764B

MD5
0cad23147c64079fb84f6b3c33d08eef

SHA1
04c8f7ef5da23cfc707411f8524166e6e7407aac

SHA256
a7ca31d74f9489e35b565c76eaba7f6049bd854246fcb10f8ced2799fbc2687d

SHA512
f48dd23b44ac38ff87c368af7d97de17afe61804cd12c34075346101906b377a7fec7457356b2680efd4380a76392c95234c3c2fcd4faab6a0374246fb1d2c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c3b3a70-9fa7-456c-89e0-36d11134c7e4.vbs

Filesize
764B

MD5
61c37a393ded4709ad15eb322562cf09

SHA1
c693182c7006e459a7de2c1cb982ccf05095d41a

SHA256
a887761d0540ae0b479b57f0e335776a68ab112a5073b70813f516ee9d0f7bb0

SHA512
6b05ecc32ae5cc09ac907a97ba189760e2b0d5ac00aacfbc7a58f76652d48f50e120517749c4ff0a19ab8ed523233aa15106e1020de1b1daaef361ad9ec94ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba3847ad-d6db-4c77-8a12-12af276f409e.vbs

Filesize
764B

MD5
e0b0bdeb88480f41a56f01cdfd055d63

SHA1
27e258455f0ed105d2ffab990d41867433bb8b3a

SHA256
104ae7452798f738df2ddf85ac1ceb0415566df18c8f23bb122eb976631972fa

SHA512
357a7682df09184e064b43a6f44afcc103330b3596cd04b3a48b9c5494c8e0b3403fe12b4aba19a8062c72c3ac9245ccc361d3023edd5486a5b3c4bb1088f5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb86c8b9-8e20-4a34-b80f-1207933de1e3.vbs

Filesize
540B

MD5
0b5814466a22435125f4c0c7e534888d

SHA1
85b1b276914588d2e2d7c75d62948fa5823a6c36

SHA256
8e92937a825b5b3559cd31a5d19b72a2c7556d4175e8c1749e9f2e544ba9c280

SHA512
0da8b4ac016e7cd7289f780963f34f7942dea709a4ee6ecb40dfd27892ec776439aca3895df60fbf035c0652ea7f1e53496815026d8dec78a08b03524e8dba2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\be66d2e5-7e4c-4c7e-a648-196968d6b472.vbs

Filesize
764B

MD5
a7748c520e1bdfbfab710b23783406b4

SHA1
4c3b1f975271ee7e169cb7809a28ed59c12cfb0e

SHA256
b940c8f5c537022902157744737715e494227c804b6e409e3f9192b55579833d

SHA512
894a6f4239a30cc2d07de814be86eef67d4ade29061fdef9d5ee797994d5bf8473376795d5875d276b96938fc1cedef45bd1caeffe6a7a03524d22303790f35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c11751b9-a847-4dce-a28d-b55aff15ea48.vbs

Filesize
764B

MD5
09e44076a7a8311cf7457c4210736aba

SHA1
52435657860db732fe28b967d4dba51f2b9b55a1

SHA256
5562c4e985271dd3960da72df54de3de91658cd914ec7cd3503319dd00b37f6b

SHA512
27ea4a9c7fa8f1bafc70b44670367488904db332057653edab128ca0a51e60fd104dbf333e1b7b03b086ea9182c19f22d88ad7b1106273c70a86a705d7f1e860

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf0339d-a36a-47de-ad65-44478ea12435.vbs

Filesize
764B

MD5
122ace87eed8fb547a32d02b3fe15788

SHA1
3fc30c67f0fe6c84bf0aaf85334aa486c16c15f0

SHA256
b1a1317bda468f8826969aa8118d44dc5fe89108f0948ace976f67a4b0ff8bb1

SHA512
776ad683927bccd8dacbc4324347d32fa8a1380f1c7015054fe478eea0b25ede60a5bb00a7c989da93c7c9378ecc7c6a382f54f2f864191896b73593ab0220dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e69662bc-595b-4ccd-88bb-55778c1156ba.vbs

Filesize
764B

MD5
95c3160649f81236d36432a96f39a84c

SHA1
00438fd26f07bfe339323c5ecb6546c741c4d9f0

SHA256
14444bf94b0874ba6341ad8eb5f47a34fe1ad0210cc9798e36bce493e473cb21

SHA512
b9d1a01eb3b92ec4d8fadf1890bb6d0c9a03d21cd7a134599bc7e2ae7c07397f82f0d44244a59998cc3d98f24d44995e2d00cd231587ebc01d2c480952e46410

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea222ba9-5020-42de-94df-1bee7af5b903.vbs

Filesize
764B

MD5
729c6686f65f93d0c11304dce8eabbb7

SHA1
fca05885c59e80fa9edf73b45ef7549f5812d5cd

SHA256
a8dbc9fe8bdc76603c691e5ec76d2152f955e8da2f4791fa4a5820e7cc385998

SHA512
e777008a22785ef62f252e36153602eb2d47297cb2b59328208795b3952d3c2c92cedc3feb21416bf7e6a6962f59d0ffa0236b252a17649e2b112cace2778d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xP34HrFi3z.bat

Filesize
252B

MD5
eb03d7fd3e898aeb5b6c13301a1f0468

SHA1
e879f948573615f9f82bb26d6eb302174731f949

SHA256
bbc0e4ed665697b806ad3880e66cbeb9d67c8418645ecc6cdd2b7cdf9fcd3ffa

SHA512
871dd0b38b08b24e9930f9f1031a5b2bfa12d62fc400d4093fdb8faf2dff24eba0a59b9a7605b708baca90279923faa77a3dce2981c10f25cfbbde6119571982

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9737ba95962cd372cf75adfb08dc9a84

SHA1
b408b42b4d8aaa4a20951c6b677068ec0bfd7c2f

SHA256
907685a145e5c99eb1a7a1e1ab2dbf74f56946b125b37a5f98a2f56e6ecd1b66

SHA512
9a91de4f41850e2887599b18359b351dc5f1724b281163e1eeb4c877cfd557114466c1d932eaf66428f85ab5400a3e9e4b3bf98efbfd3b4cc1a815fdbc545e0d

Download Submit
C:\Windows\System32\auditpolmsg\smss.exe

Filesize
1.5MB

MD5
24a6fbff4c43f3aafd8906724ab7a21e

SHA1
c0f99114a21e322eabc8ee370993ecb09e984121

SHA256
8db947ca9c4f9a44d65dd0b7b9ab04023b925bd79fc5e0ea89f8d905bccc5354

SHA512
7daf7fd2890acad093bc7f71db825a9e13eb60fe188d3cd2de44d7994db25e71576f721005fdc9cde0263aa3fb25319235fd9611862ede7f6dff0c0d00286a4a

Download Submit
memory/780-175-0x0000000000050000-0x00000000001CE000-memory.dmp

Filesize
1.5MB

Download
memory/988-199-0x0000000001330000-0x00000000014AE000-memory.dmp

Filesize
1.5MB

Download
memory/1036-95-0x0000000001080000-0x00000000011FE000-memory.dmp

Filesize
1.5MB

Download
memory/1068-187-0x0000000000A60000-0x0000000000BDE000-memory.dmp

Filesize
1.5MB

Download
memory/1672-13-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download
memory/1672-8-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1672-1-0x0000000000290000-0x000000000040E000-memory.dmp

Filesize
1.5MB

Download
memory/1672-39-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1672-62-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1672-24-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1672-21-0x0000000002100000-0x0000000002108000-memory.dmp

Filesize
32KB

Download
memory/1672-2-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1672-3-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1672-20-0x00000000020F0000-0x00000000020FC000-memory.dmp

Filesize
48KB

Download
memory/1672-18-0x00000000020E0000-0x00000000020E8000-memory.dmp

Filesize
32KB

Download
memory/1672-17-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/1672-16-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/1672-4-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1672-15-0x00000000020B0000-0x00000000020BA000-memory.dmp

Filesize
40KB

Download
memory/1672-14-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/1672-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

Filesize
4KB

Download
memory/1672-12-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/1672-11-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/1672-5-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/1672-10-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/1672-9-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1672-6-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1672-7-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1688-107-0x00000000012F0000-0x000000000146E000-memory.dmp

Filesize
1.5MB

Download
memory/2108-84-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2108-83-0x0000000000A40000-0x0000000000BBE000-memory.dmp

Filesize
1.5MB

Download
memory/2632-79-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2632-78-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2960-163-0x00000000013D0000-0x000000000154E000-memory.dmp

Filesize
1.5MB

Download