dcrat | 4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/01/2025, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Size

1.5MB
MD5

2383d038dfb2be0c8b36e110ed0961f9
SHA1

5bdd5b73a677d9161b8a7d43f453cd05c7bcbe02
SHA256

4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74
SHA512

40f475788d97ddddb07b49ff4373737bf58eb2b3a99cd0476323b637c83744612d47b8c7cfa2cd6121b81fdc8b328face4e41254597ff357204f7897ad6aa717
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MSDvbNP\\winlogon.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MSDvbNP\\winlogon.exe\", \"C:\\Users\\Default\\dwm.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MSDvbNP\\winlogon.exe\", \"C:\\Users\\Default\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_wcf_CA_smci_20240903_051526_992\\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MSDvbNP\\winlogon.exe\", \"C:\\Users\\Default\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_wcf_CA_smci_20240903_051526_992\\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MSDvbNP\\winlogon.exe\", \"C:\\Users\\Default\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_wcf_CA_smci_20240903_051526_992\\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Documents and Settings\\lsm.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MSDvbNP\\winlogon.exe\", \"C:\\Users\\Default\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_wcf_CA_smci_20240903_051526_992\\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Documents and Settings\\lsm.exe\", \"C:\\Windows\\Cursors\\taskhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2524	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2524	schtasks.exe	28

UAC bypass 3 TTPs 36 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2240	powershell.exe
2352	powershell.exe
2332	powershell.exe
2328	powershell.exe
1740	powershell.exe
2084	powershell.exe
2024	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Executes dropped EXE 11 IoCs

pid	Process
2004	audiodg.exe
2184	audiodg.exe
1648	audiodg.exe
2944	audiodg.exe
1568	audiodg.exe
2980	audiodg.exe
2632	audiodg.exe
3040	audiodg.exe
1748	audiodg.exe
2336	audiodg.exe
2980	audiodg.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\Cursors\\taskhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\MSDvbNP\\winlogon.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\dwm.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_wcf_CA_smci_20240903_051526_992\\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Documents and Settings\\lsm.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\Cursors\\taskhost.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\MSDvbNP\\winlogon.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\dwm.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_wcf_CA_smci_20240903_051526_992\\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Documents and Settings\\lsm.exe\""	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\MSDvbNP\winlogon.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\System32\MSDvbNP\winlogon.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\System32\MSDvbNP\cc11b995f2a76d	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\System32\MSDvbNP\RCX5F9E.tmp	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\RCX69B1.tmp	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File opened for modification	C:\Windows\Cursors\taskhost.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\Cursors\taskhost.exe	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
File created	C:\Windows\Cursors\b75386f1303e64	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
320	schtasks.exe
1532	schtasks.exe
2512	schtasks.exe
2028	schtasks.exe
2464	schtasks.exe
1708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
2328	powershell.exe
2332	powershell.exe
2024	powershell.exe
2240	powershell.exe
2352	powershell.exe
1740	powershell.exe
2084	powershell.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe
2004	audiodg.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2004	audiodg.exe
Token: SeDebugPrivilege	2184	audiodg.exe
Token: SeDebugPrivilege	1648	audiodg.exe
Token: SeDebugPrivilege	2944	audiodg.exe
Token: SeDebugPrivilege	1568	audiodg.exe
Token: SeDebugPrivilege	2980	audiodg.exe
Token: SeDebugPrivilege	2632	audiodg.exe
Token: SeDebugPrivilege	3040	audiodg.exe
Token: SeDebugPrivilege	1748	audiodg.exe
Token: SeDebugPrivilege	2336	audiodg.exe
Token: SeDebugPrivilege	2980	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2024	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	35
PID 3044 wrote to memory of 2024	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	35
PID 3044 wrote to memory of 2024	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	35
PID 3044 wrote to memory of 2240	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	36
PID 3044 wrote to memory of 2240	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	36
PID 3044 wrote to memory of 2240	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	36
PID 3044 wrote to memory of 2352	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	39
PID 3044 wrote to memory of 2352	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	39
PID 3044 wrote to memory of 2352	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	39
PID 3044 wrote to memory of 2084	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	40
PID 3044 wrote to memory of 2084	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	40
PID 3044 wrote to memory of 2084	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	40
PID 3044 wrote to memory of 1740	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	41
PID 3044 wrote to memory of 1740	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	41
PID 3044 wrote to memory of 1740	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	41
PID 3044 wrote to memory of 2328	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	42
PID 3044 wrote to memory of 2328	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	42
PID 3044 wrote to memory of 2328	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	42
PID 3044 wrote to memory of 2332	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	43
PID 3044 wrote to memory of 2332	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	43
PID 3044 wrote to memory of 2332	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	43
PID 3044 wrote to memory of 1028	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	49
PID 3044 wrote to memory of 1028	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	49
PID 3044 wrote to memory of 1028	3044	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe	49
PID 1028 wrote to memory of 2076	1028	cmd.exe	51
PID 1028 wrote to memory of 2076	1028	cmd.exe	51
PID 1028 wrote to memory of 2076	1028	cmd.exe	51
PID 1028 wrote to memory of 2004	1028	cmd.exe	52
PID 1028 wrote to memory of 2004	1028	cmd.exe	52
PID 1028 wrote to memory of 2004	1028	cmd.exe	52
PID 2004 wrote to memory of 2324	2004	audiodg.exe	53
PID 2004 wrote to memory of 2324	2004	audiodg.exe	53
PID 2004 wrote to memory of 2324	2004	audiodg.exe	53
PID 2004 wrote to memory of 2320	2004	audiodg.exe	54
PID 2004 wrote to memory of 2320	2004	audiodg.exe	54
PID 2004 wrote to memory of 2320	2004	audiodg.exe	54
PID 2324 wrote to memory of 2184	2324	WScript.exe	55
PID 2324 wrote to memory of 2184	2324	WScript.exe	55
PID 2324 wrote to memory of 2184	2324	WScript.exe	55
PID 2184 wrote to memory of 2652	2184	audiodg.exe	56
PID 2184 wrote to memory of 2652	2184	audiodg.exe	56
PID 2184 wrote to memory of 2652	2184	audiodg.exe	56
PID 2184 wrote to memory of 2532	2184	audiodg.exe	57
PID 2184 wrote to memory of 2532	2184	audiodg.exe	57
PID 2184 wrote to memory of 2532	2184	audiodg.exe	57
PID 2652 wrote to memory of 1648	2652	WScript.exe	60
PID 2652 wrote to memory of 1648	2652	WScript.exe	60
PID 2652 wrote to memory of 1648	2652	WScript.exe	60
PID 1648 wrote to memory of 1280	1648	audiodg.exe	61
PID 1648 wrote to memory of 1280	1648	audiodg.exe	61
PID 1648 wrote to memory of 1280	1648	audiodg.exe	61
PID 1648 wrote to memory of 1736	1648	audiodg.exe	62
PID 1648 wrote to memory of 1736	1648	audiodg.exe	62
PID 1648 wrote to memory of 1736	1648	audiodg.exe	62
PID 1280 wrote to memory of 2944	1280	WScript.exe	63
PID 1280 wrote to memory of 2944	1280	WScript.exe	63
PID 1280 wrote to memory of 2944	1280	WScript.exe	63
PID 2944 wrote to memory of 2192	2944	audiodg.exe	64
PID 2944 wrote to memory of 2192	2944	audiodg.exe	64
PID 2944 wrote to memory of 2192	2944	audiodg.exe	64
PID 2944 wrote to memory of 1100	2944	audiodg.exe	65
PID 2944 wrote to memory of 1100	2944	audiodg.exe	65
PID 2944 wrote to memory of 1100	2944	audiodg.exe	65
PID 2192 wrote to memory of 1568	2192	WScript.exe	66

System policy modification 1 TTPs 36 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe
"C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\MSDvbNP\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240903_051526_992\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M29MjwVbCQ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2076
- - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe
    "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2004
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e570de95-e7b1-4e52-a74b-09af9e6ff87d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2184
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24c8566e-5bb7-4e58-aa83-368c9bc1a4ea.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\682d78cd-d437-43ac-a9c5-e27e67a53520.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a48d3bb0-99a4-4d5f-8bc5-df791df13062.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53fa7b0b-86f1-421b-8d57-ad957fa76645.vbs"
        12⤵
        
        PID:2332
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8c10952-eeaa-4f80-80d6-6f51a9b7d744.vbs"
        14⤵
        
        PID:1968
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26bc4a60-1f34-40ce-b3a6-a9b8c1c63ba0.vbs"
        16⤵
        
        PID:2712
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9022f7c-3ffb-41cd-8009-40577ea08468.vbs"
        18⤵
        
        PID:2644
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\291dd116-44d8-4393-8e56-dd01a08c2631.vbs"
        20⤵
        
        PID:2752
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\985bea9a-01b3-4903-b2b1-6dcf58212090.vbs"
        22⤵
        
        PID:1672
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fe9ba58-7ec2-4f01-b055-b17b81ea08a5.vbs"
        24⤵
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c9a3d2d-e4eb-496f-aec9-465447e3a9b9.vbs"
        24⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f464192-cd28-4eaa-8262-8958c1acf378.vbs"
        22⤵
        
        PID:856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcd46736-45ad-4f42-af76-b1cc1f89728b.vbs"
        20⤵
        
        PID:1224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c61a61e3-541d-47fc-b4b4-3b9a91c1b623.vbs"
        18⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48a37cf1-7368-420c-b9b0-aad8a991c6af.vbs"
        16⤵
        
        PID:592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d134095-f406-4059-acdd-a76b148917f3.vbs"
        14⤵
        
        PID:568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a152044-78de-422a-9203-927f45783179.vbs"
        12⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b2067a2-5942-438e-9660-df6f66e53462.vbs"
        10⤵
        
        PID:1100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75e1db0d-f90e-413f-98d9-a97794022c04.vbs"
        8⤵
        
        PID:1736
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9572cbb8-135c-436f-be7e-86e843281b12.vbs"
        6⤵
        
        PID:2532
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dfbd004-105d-4127-8091-ab6e4dd1fd9d.vbs"
      4⤵
      PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\MSDvbNP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240903_051526_992\4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Cursors\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1dfbd004-105d-4127-8091-ab6e4dd1fd9d.vbs

Filesize
526B

MD5
176b6290e3878a90fbe244400497656f

SHA1
2928e86c3a7d7a7f7c6fc3d54065434f39645ae8

SHA256
c848c43f181e1e482f96fa9fce81cab27fde658412ed85991a49170d1f26265c

SHA512
d54a2e786793157cf4a9f2b30cfdf72873aeebb1f2cd236115ea4fd59ded45e3bf9d98763a5452c0a42bee20fa41e842fb57fb4063669e1deab9089012484c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\24c8566e-5bb7-4e58-aa83-368c9bc1a4ea.vbs

Filesize
750B

MD5
c6c88e44645754b8cb431f64c439d4b3

SHA1
40a1f2bd74a0e4c96717b75c3971891e7273ad21

SHA256
a865b1f55838ececc9a4ab397669882fb2bcf49c07f50ed5fa7f3af2c7d8e718

SHA512
2d4fc6a35584ec3a1057e6dd2737aed6b3be86a641dc7cd31627eccde08aba30e72c3a2d9c39238e8cb19b19d101177cd38007c76c3ee3f626597c8fd0053a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\26bc4a60-1f34-40ce-b3a6-a9b8c1c63ba0.vbs

Filesize
750B

MD5
d9acfa71020d1b2fba02f4f4e6501cce

SHA1
70366e2e5097935acc0efecdf02b461a2aba1051

SHA256
6f3d7e62e6496341ec81c2eebe4cb9ff0a86f24e9bab93142314e7c42c321df3

SHA512
e4183b97ca1204cdfc5878333517091c7c5aaa8dcee751e474c887bca42a2c8c62bca0f2f04d16a2fce436f8f932a2be423596b0dcdab60fa8e9c2424a2ed148

Download Submit
C:\Users\Admin\AppData\Local\Temp\291dd116-44d8-4393-8e56-dd01a08c2631.vbs

Filesize
750B

MD5
3bd9a455ca7d0d3bc1868faa14821fa6

SHA1
8695b5989c074a2173571110269245a2f1498f5f

SHA256
582880b669a58779205467de4f7b2345f58950bd47e33a26a6c1e212cc86484a

SHA512
6fec8d8df29f57600fc71ac8051bc41267f359bc8a1651994ff84b74383cd4269c4fb2a5773cc2a25c3b8b9eb2c3d1e5ed617c9f74681178a52f772f76c1fce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\53fa7b0b-86f1-421b-8d57-ad957fa76645.vbs

Filesize
750B

MD5
f922a4c7f9b0a06c25382df9dc7b8014

SHA1
a4ab7ae303c3fc6acb3138e30931b33023d09f92

SHA256
613ff68b3ea0ef188c9dec2c1244be9a01d6417275adb1ec5066bf80a7b6082c

SHA512
3f85dcad17b88c7f33ca88ced46ea65a448532fe792351af9118c428c83b5441c341681e2269b3e11d4d017e85a9ef96e008010e1d2c464747fed2b557a7ec4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\682d78cd-d437-43ac-a9c5-e27e67a53520.vbs

Filesize
750B

MD5
e9ec6fba1d5296e279c38b9fc3f4563f

SHA1
06f3aac6adcc7f2629d8205bb9c94a92c4b7f43a

SHA256
f18b26f52429abea7be21950f705c93d3b188bbfae4c9e7e8e3f61c697b6581d

SHA512
b89e3e766d9e61d17c1daae1f0b99e4773f34e9cf3062418f64ea7fce7c2195b4c3c9b6f9af6b35e3935f579381593a070e1737ac60901200d871bb26cc8e7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\985bea9a-01b3-4903-b2b1-6dcf58212090.vbs

Filesize
750B

MD5
e9a8359cd4f6a74294be426cd6b8f848

SHA1
d8bd25c17d5dbe392d5c0607469c891da7e1fa7a

SHA256
2fbde22d32bb84d7cd670bfecae7504453bfccc7d4df93235de3cc074b9cfb27

SHA512
1febeee2b6bf6a5cd8aedbf7a036c57eb551b8a3ecd80c1d1b07d8a7d648a64aa478674d152039114f9a841972b36d352feab8780d07993d772223e960eeab43

Download Submit
C:\Users\Admin\AppData\Local\Temp\M29MjwVbCQ.bat

Filesize
238B

MD5
a412804ed84f2f17439c924b997299ac

SHA1
94520992f3eb6e85fa07b2fef11389f958c376ce

SHA256
f4b5c00e79afb232246b5957b8c397b0c32a20aa5991a6e80661156475cfaf21

SHA512
54fa4a500aa34d611846c086dc8a3b91cea19ae3e98d8a1524865dc20f7f263e7a27032430cb9d5b56d14bef25bf97d29187149734c73a083a4003f07eae6c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a48d3bb0-99a4-4d5f-8bc5-df791df13062.vbs

Filesize
750B

MD5
adb9d003a365e81659799cd146f71a95

SHA1
1a5e12bf5d12e51bde205f12bb9e41a812944edf

SHA256
22a570ce027a4c5fa96307de6425cac59d0ee786f70504461c83ada3813d78b0

SHA512
7518f539f5e2f47d6e4496abb4af2e2ffec58b608ae36072c886a601f81cb9d062827a9db27aff6de49fe3f0facb159110b689bcf83b27ff433476c7c9342c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9022f7c-3ffb-41cd-8009-40577ea08468.vbs

Filesize
750B

MD5
4c39b817e0c023222a2e167ad5564e9d

SHA1
96e5d549f175909854ba05937ec4833699f8bfab

SHA256
a7eb0f21ead06d791629600a4461a104f36f54d06d4c914367f12b89ccb9c076

SHA512
b204560e4b3111c358a65977189b90f40ca5353c3b11bf254acc42c6e7650999ec341b8eebd246ed60c4bb58a70f0fa321922f36b3545fcd0d8c942e39c001f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e570de95-e7b1-4e52-a74b-09af9e6ff87d.vbs

Filesize
750B

MD5
92eb53f37d85a7f102a1948a8390fd9e

SHA1
cad44c212743b082c9dfbc841d61fb720359b080

SHA256
cfa674626237275e05d30e0fed4c80c78257820316d76f1b7f2c89667b408333

SHA512
d62f9304dc3bf75963ee064b950ad3098216823b63d8c34d11f0a4da6a8a711516df57f618e3cd9c770d5731dc115e6bb580c117d3d836d9f1fa4a920fa6cef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8c10952-eeaa-4f80-80d6-6f51a9b7d744.vbs

Filesize
750B

MD5
9268bb6b6f150264d6f2f4498693effb

SHA1
6cd64f02fc28e37c47906386d9d1fe9846422d74

SHA256
6107d08a5a12a5b24c9d06daa684b66def50999c06294249fa9acca8e7f44e1a

SHA512
6d52c43d9f9599af6c3d14f8e7c60be31dc7902f71cb7e0b83da21a8abe58511ca719a26cff58f5a0deaafa2f9e568a4efa9928aed518584352c2b61f21a2c54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5af840f9c2985f920531ab20a39637ea

SHA1
1fd224e1f05f7c86f4845bd2fcf3f9b582dc0cc9

SHA256
0fc270b7c9b1e00ea33f78a6bfb827b83fdc467403d5b606d0e1595997ef8c0e

SHA512
24efa5e134c84e0bf28a26c5b035832c6d12f2f7d5a44ab6096d54c3ea8e3b91c0a16b900385bd4e563a7e817f91b47819a550cde42ba5135f70fe193057c6c2

Download Submit
C:\Users\lsm.exe

Filesize
1.5MB

MD5
2383d038dfb2be0c8b36e110ed0961f9

SHA1
5bdd5b73a677d9161b8a7d43f453cd05c7bcbe02

SHA256
4ba57f7d2cb90da09cd7f58c167191bed352f68aebec38bda5944d9136891a74

SHA512
40f475788d97ddddb07b49ff4373737bf58eb2b3a99cd0476323b637c83744612d47b8c7cfa2cd6121b81fdc8b328face4e41254597ff357204f7897ad6aa717

Download Submit
memory/1568-175-0x0000000001240000-0x00000000013BE000-memory.dmp

Filesize
1.5MB

Download
memory/1648-150-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1648-149-0x0000000000A20000-0x0000000000B9E000-memory.dmp

Filesize
1.5MB

Download
memory/1748-222-0x0000000000F50000-0x00000000010CE000-memory.dmp

Filesize
1.5MB

Download
memory/2004-126-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2004-125-0x0000000000D20000-0x0000000000E9E000-memory.dmp

Filesize
1.5MB

Download
memory/2184-137-0x0000000000100000-0x000000000027E000-memory.dmp

Filesize
1.5MB

Download
memory/2328-121-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2328-122-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2336-234-0x0000000000250000-0x00000000003CE000-memory.dmp

Filesize
1.5MB

Download
memory/2632-198-0x00000000002D0000-0x000000000044E000-memory.dmp

Filesize
1.5MB

Download
memory/2944-162-0x0000000001090000-0x000000000120E000-memory.dmp

Filesize
1.5MB

Download
memory/2944-163-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2980-247-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2980-246-0x0000000001100000-0x000000000127E000-memory.dmp

Filesize
1.5MB

Download
memory/3040-210-0x00000000003A0000-0x000000000051E000-memory.dmp

Filesize
1.5MB

Download
memory/3044-17-0x00000000008A0000-0x00000000008AC000-memory.dmp

Filesize
48KB

Download
memory/3044-7-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/3044-14-0x0000000000870000-0x000000000087C000-memory.dmp

Filesize
48KB

Download
memory/3044-13-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/3044-12-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/3044-11-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/3044-10-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/3044-16-0x0000000000890000-0x0000000000898000-memory.dmp

Filesize
32KB

Download
memory/3044-24-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/3044-9-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/3044-8-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/3044-15-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/3044-6-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/3044-18-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/3044-5-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/3044-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/3044-4-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/3044-3-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/3044-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/3044-20-0x00000000008C0000-0x00000000008CC000-memory.dmp

Filesize
48KB

Download
memory/3044-1-0x00000000001A0000-0x000000000031E000-memory.dmp

Filesize
1.5MB

Download
memory/3044-21-0x0000000002110000-0x0000000002118000-memory.dmp

Filesize
32KB

Download
memory/3044-107-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download