dcrat | b8c5e2c8477706f3f54e152443718dcec270889002289aa1730eabc5ba3f312f

Analysis

max time kernel
150s
max time network
158s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2695e9c3407b633d957cf77bb878f5f2.exe
Size

5.9MB
MD5

2695e9c3407b633d957cf77bb878f5f2
SHA1

ec0caded0b9a4b143a0e6793d21fdf4eccfa8484
SHA256

e4fd314579515e6065e60382d2f266607ba872608bb0c9e29a6fda8b9c702383
SHA512

b3eeb4d3f9744c8a0b8144e1b3253a1ef3644b331bee8900d9cfdb86d019303f3dca08ee3b2e620f6ef6829dd90d1b356a26ac58f016cbec655a35dd6474906f
SSDEEP

98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4l:xyeU11Rvqmu8TWKnF6N/1wg

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 45 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2888	schtasks.exe
		1624	schtasks.exe
		1860	schtasks.exe
		1708	schtasks.exe
		2756	schtasks.exe
		1804	schtasks.exe
		1968	schtasks.exe
		3040	schtasks.exe
		856	schtasks.exe
		848	schtasks.exe
		1212	schtasks.exe
		1000	schtasks.exe
		2444	schtasks.exe
		3000	schtasks.exe
		2816	schtasks.exe
		2000	schtasks.exe
		2760	schtasks.exe
		3028	schtasks.exe
		1544	schtasks.exe
		2464	schtasks.exe
		2272	schtasks.exe
		676	schtasks.exe
		1520	schtasks.exe
		1436	schtasks.exe
		2892	schtasks.exe
		540	schtasks.exe
		2676	schtasks.exe
		700	schtasks.exe
		2764	schtasks.exe
		2460	schtasks.exe
		1448	schtasks.exe
		1428	schtasks.exe
File created	C:\Program Files (x86)\MSBuild\5940a34987c991		2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Windows\system\1610b97d3ab4a7		2695e9c3407b633d957cf77bb878f5f2.exe
		1632	schtasks.exe
		2212	schtasks.exe
		860	schtasks.exe
		2092	schtasks.exe
		2020	schtasks.exe
		2180	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		2695e9c3407b633d957cf77bb878f5f2.exe
		2912	schtasks.exe
		2852	schtasks.exe
		576	schtasks.exe
		1556	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	3012	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3012	schtasks.exe	31

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1216	powershell.exe
1120	powershell.exe
2860	powershell.exe
2732	powershell.exe
596	powershell.exe
2176	powershell.exe
1440	powershell.exe
2548	powershell.exe
276	powershell.exe
2388	powershell.exe
1372	powershell.exe
536	powershell.exe
556	powershell.exe
2984	powershell.exe
2296	powershell.exe
2780	powershell.exe
716	powershell.exe
2776	powershell.exe
2508	powershell.exe
1556	powershell.exe
2880	powershell.exe
2728	powershell.exe
2448	powershell.exe
2484	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2695e9c3407b633d957cf77bb878f5f2.exe

Executes dropped EXE 4 IoCs

pid	Process
1536	2695e9c3407b633d957cf77bb878f5f2.exe
872	spoolsv.exe
676	spoolsv.exe
2912	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
2024	2695e9c3407b633d957cf77bb878f5f2.exe
2024	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
872	spoolsv.exe
872	spoolsv.exe
676	spoolsv.exe
676	spoolsv.exe
2912	spoolsv.exe
2912	spoolsv.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\wininit.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\csrss.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\886983d96e3d3e	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\2695e9c3407b633d957cf77bb878f5f2.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\MSBuild\dllhost.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\56085415360792	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\2695e9c3407b633d957cf77bb878f5f2.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\8313e8a3cf7e63	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\wininit.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\csrss.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\MSBuild\dllhost.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Program Files (x86)\MSBuild\5940a34987c991	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXFD54.tmp	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXFD65.tmp	2695e9c3407b633d957cf77bb878f5f2.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\RCXFF69.tmp	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Windows\system\RCXFFD7.tmp	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Windows\system\OSPPSVC.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Windows\en-US\5940a34987c991	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Windows\en-US\dllhost.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File opened for modification	C:\Windows\ModemLogs\explorer.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Windows\system\OSPPSVC.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Windows\system\1610b97d3ab4a7	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Windows\en-US\dllhost.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Windows\ModemLogs\explorer.exe	2695e9c3407b633d957cf77bb878f5f2.exe
File created	C:\Windows\ModemLogs\7a0fd90576e088	2695e9c3407b633d957cf77bb878f5f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2816	schtasks.exe
2756	schtasks.exe
2760	schtasks.exe
3040	schtasks.exe
2464	schtasks.exe
1804	schtasks.exe
1436	schtasks.exe
2912	schtasks.exe
2444	schtasks.exe
676	schtasks.exe
1624	schtasks.exe
2000	schtasks.exe
576	schtasks.exe
1212	schtasks.exe
2180	schtasks.exe
1428	schtasks.exe
2272	schtasks.exe
540	schtasks.exe
860	schtasks.exe
1448	schtasks.exe
1000	schtasks.exe
2212	schtasks.exe
700	schtasks.exe
2764	schtasks.exe
2092	schtasks.exe
2020	schtasks.exe
1544	schtasks.exe
1708	schtasks.exe
848	schtasks.exe
2852	schtasks.exe
2676	schtasks.exe
1520	schtasks.exe
1968	schtasks.exe
2460	schtasks.exe
2888	schtasks.exe
2892	schtasks.exe
856	schtasks.exe
1860	schtasks.exe
1556	schtasks.exe
1632	schtasks.exe
3028	schtasks.exe
3000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	2695e9c3407b633d957cf77bb878f5f2.exe
2024	2695e9c3407b633d957cf77bb878f5f2.exe
2024	2695e9c3407b633d957cf77bb878f5f2.exe
2024	2695e9c3407b633d957cf77bb878f5f2.exe
2024	2695e9c3407b633d957cf77bb878f5f2.exe
2024	2695e9c3407b633d957cf77bb878f5f2.exe
2024	2695e9c3407b633d957cf77bb878f5f2.exe
2024	2695e9c3407b633d957cf77bb878f5f2.exe
2024	2695e9c3407b633d957cf77bb878f5f2.exe
2024	2695e9c3407b633d957cf77bb878f5f2.exe
2024	2695e9c3407b633d957cf77bb878f5f2.exe
1556	powershell.exe
2880	powershell.exe
2732	powershell.exe
2388	powershell.exe
276	powershell.exe
536	powershell.exe
1216	powershell.exe
1120	powershell.exe
2860	powershell.exe
556	powershell.exe
596	powershell.exe
1372	powershell.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
1536	2695e9c3407b633d957cf77bb878f5f2.exe
716	powershell.exe
2548	powershell.exe
2176	powershell.exe
2780	powershell.exe
2728	powershell.exe
2448	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	2695e9c3407b633d957cf77bb878f5f2.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1536	2695e9c3407b633d957cf77bb878f5f2.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	872	spoolsv.exe
Token: SeDebugPrivilege	676	spoolsv.exe
Token: SeDebugPrivilege	2912	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1216	2024	2695e9c3407b633d957cf77bb878f5f2.exe	38
PID 2024 wrote to memory of 1216	2024	2695e9c3407b633d957cf77bb878f5f2.exe	38
PID 2024 wrote to memory of 1216	2024	2695e9c3407b633d957cf77bb878f5f2.exe	38
PID 2024 wrote to memory of 276	2024	2695e9c3407b633d957cf77bb878f5f2.exe	39
PID 2024 wrote to memory of 276	2024	2695e9c3407b633d957cf77bb878f5f2.exe	39
PID 2024 wrote to memory of 276	2024	2695e9c3407b633d957cf77bb878f5f2.exe	39
PID 2024 wrote to memory of 1556	2024	2695e9c3407b633d957cf77bb878f5f2.exe	40
PID 2024 wrote to memory of 1556	2024	2695e9c3407b633d957cf77bb878f5f2.exe	40
PID 2024 wrote to memory of 1556	2024	2695e9c3407b633d957cf77bb878f5f2.exe	40
PID 2024 wrote to memory of 2388	2024	2695e9c3407b633d957cf77bb878f5f2.exe	41
PID 2024 wrote to memory of 2388	2024	2695e9c3407b633d957cf77bb878f5f2.exe	41
PID 2024 wrote to memory of 2388	2024	2695e9c3407b633d957cf77bb878f5f2.exe	41
PID 2024 wrote to memory of 2732	2024	2695e9c3407b633d957cf77bb878f5f2.exe	42
PID 2024 wrote to memory of 2732	2024	2695e9c3407b633d957cf77bb878f5f2.exe	42
PID 2024 wrote to memory of 2732	2024	2695e9c3407b633d957cf77bb878f5f2.exe	42
PID 2024 wrote to memory of 2860	2024	2695e9c3407b633d957cf77bb878f5f2.exe	43
PID 2024 wrote to memory of 2860	2024	2695e9c3407b633d957cf77bb878f5f2.exe	43
PID 2024 wrote to memory of 2860	2024	2695e9c3407b633d957cf77bb878f5f2.exe	43
PID 2024 wrote to memory of 2880	2024	2695e9c3407b633d957cf77bb878f5f2.exe	44
PID 2024 wrote to memory of 2880	2024	2695e9c3407b633d957cf77bb878f5f2.exe	44
PID 2024 wrote to memory of 2880	2024	2695e9c3407b633d957cf77bb878f5f2.exe	44
PID 2024 wrote to memory of 1120	2024	2695e9c3407b633d957cf77bb878f5f2.exe	46
PID 2024 wrote to memory of 1120	2024	2695e9c3407b633d957cf77bb878f5f2.exe	46
PID 2024 wrote to memory of 1120	2024	2695e9c3407b633d957cf77bb878f5f2.exe	46
PID 2024 wrote to memory of 1372	2024	2695e9c3407b633d957cf77bb878f5f2.exe	48
PID 2024 wrote to memory of 1372	2024	2695e9c3407b633d957cf77bb878f5f2.exe	48
PID 2024 wrote to memory of 1372	2024	2695e9c3407b633d957cf77bb878f5f2.exe	48
PID 2024 wrote to memory of 536	2024	2695e9c3407b633d957cf77bb878f5f2.exe	49
PID 2024 wrote to memory of 536	2024	2695e9c3407b633d957cf77bb878f5f2.exe	49
PID 2024 wrote to memory of 536	2024	2695e9c3407b633d957cf77bb878f5f2.exe	49
PID 2024 wrote to memory of 556	2024	2695e9c3407b633d957cf77bb878f5f2.exe	50
PID 2024 wrote to memory of 556	2024	2695e9c3407b633d957cf77bb878f5f2.exe	50
PID 2024 wrote to memory of 556	2024	2695e9c3407b633d957cf77bb878f5f2.exe	50
PID 2024 wrote to memory of 596	2024	2695e9c3407b633d957cf77bb878f5f2.exe	51
PID 2024 wrote to memory of 596	2024	2695e9c3407b633d957cf77bb878f5f2.exe	51
PID 2024 wrote to memory of 596	2024	2695e9c3407b633d957cf77bb878f5f2.exe	51
PID 2024 wrote to memory of 1536	2024	2695e9c3407b633d957cf77bb878f5f2.exe	62
PID 2024 wrote to memory of 1536	2024	2695e9c3407b633d957cf77bb878f5f2.exe	62
PID 2024 wrote to memory of 1536	2024	2695e9c3407b633d957cf77bb878f5f2.exe	62
PID 1536 wrote to memory of 2176	1536	2695e9c3407b633d957cf77bb878f5f2.exe	99
PID 1536 wrote to memory of 2176	1536	2695e9c3407b633d957cf77bb878f5f2.exe	99
PID 1536 wrote to memory of 2176	1536	2695e9c3407b633d957cf77bb878f5f2.exe	99
PID 1536 wrote to memory of 716	1536	2695e9c3407b633d957cf77bb878f5f2.exe	100
PID 1536 wrote to memory of 716	1536	2695e9c3407b633d957cf77bb878f5f2.exe	100
PID 1536 wrote to memory of 716	1536	2695e9c3407b633d957cf77bb878f5f2.exe	100
PID 1536 wrote to memory of 2776	1536	2695e9c3407b633d957cf77bb878f5f2.exe	101
PID 1536 wrote to memory of 2776	1536	2695e9c3407b633d957cf77bb878f5f2.exe	101
PID 1536 wrote to memory of 2776	1536	2695e9c3407b633d957cf77bb878f5f2.exe	101
PID 1536 wrote to memory of 2984	1536	2695e9c3407b633d957cf77bb878f5f2.exe	102
PID 1536 wrote to memory of 2984	1536	2695e9c3407b633d957cf77bb878f5f2.exe	102
PID 1536 wrote to memory of 2984	1536	2695e9c3407b633d957cf77bb878f5f2.exe	102
PID 1536 wrote to memory of 1440	1536	2695e9c3407b633d957cf77bb878f5f2.exe	103
PID 1536 wrote to memory of 1440	1536	2695e9c3407b633d957cf77bb878f5f2.exe	103
PID 1536 wrote to memory of 1440	1536	2695e9c3407b633d957cf77bb878f5f2.exe	103
PID 1536 wrote to memory of 2728	1536	2695e9c3407b633d957cf77bb878f5f2.exe	104
PID 1536 wrote to memory of 2728	1536	2695e9c3407b633d957cf77bb878f5f2.exe	104
PID 1536 wrote to memory of 2728	1536	2695e9c3407b633d957cf77bb878f5f2.exe	104
PID 1536 wrote to memory of 2548	1536	2695e9c3407b633d957cf77bb878f5f2.exe	105
PID 1536 wrote to memory of 2548	1536	2695e9c3407b633d957cf77bb878f5f2.exe	105
PID 1536 wrote to memory of 2548	1536	2695e9c3407b633d957cf77bb878f5f2.exe	105
PID 1536 wrote to memory of 2448	1536	2695e9c3407b633d957cf77bb878f5f2.exe	106
PID 1536 wrote to memory of 2448	1536	2695e9c3407b633d957cf77bb878f5f2.exe	106
PID 1536 wrote to memory of 2448	1536	2695e9c3407b633d957cf77bb878f5f2.exe	106
PID 1536 wrote to memory of 2296	1536	2695e9c3407b633d957cf77bb878f5f2.exe	107

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2695e9c3407b633d957cf77bb878f5f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2695e9c3407b633d957cf77bb878f5f2.exe
"C:\Users\Admin\AppData\Local\Temp\2695e9c3407b633d957cf77bb878f5f2.exe"
1⤵
- DcRat
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- C:\Users\Admin\AppData\Local\Temp\2695e9c3407b633d957cf77bb878f5f2.exe
  "C:\Users\Admin\AppData\Local\Temp\2695e9c3407b633d957cf77bb878f5f2.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nTU0UPEK42.bat"
    3⤵
    PID:1748
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:644
  - - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
      "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:872
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1de44b8-2baf-4086-b89d-8533b5c88c7e.vbs"
        5⤵
        
        PID:1784
      - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcca60a2-c01d-4afc-80af-6c96bb7f988f.vbs"
        7⤵
        
        PID:2368
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c48a3988-8ec2-4cd5-b4af-a1a8a9e7790f.vbs"
        9⤵
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad1746ca-5969-4c91-80dd-084fdcd5e1b9.vbs"
        9⤵
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33fc2c05-cd31-4b6c-ad77-448935259e05.vbs"
        7⤵
        
        PID:2328
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56387d9d-0a89-422e-b9b5-90d09d80843c.vbs"
        5⤵
        
        PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\system\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\system\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\system\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ModemLogs\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Links\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2695e9c3407b633d957cf77bb878f5f22" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\2695e9c3407b633d957cf77bb878f5f2.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2695e9c3407b633d957cf77bb878f5f2" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\2695e9c3407b633d957cf77bb878f5f2.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2695e9c3407b633d957cf77bb878f5f22" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\2695e9c3407b633d957cf77bb878f5f2.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\dllhost.exe

Filesize
5.9MB

MD5
2695e9c3407b633d957cf77bb878f5f2

SHA1
ec0caded0b9a4b143a0e6793d21fdf4eccfa8484

SHA256
e4fd314579515e6065e60382d2f266607ba872608bb0c9e29a6fda8b9c702383

SHA512
b3eeb4d3f9744c8a0b8144e1b3253a1ef3644b331bee8900d9cfdb86d019303f3dca08ee3b2e620f6ef6829dd90d1b356a26ac58f016cbec655a35dd6474906f

Download Submit
C:\Users\Admin\AppData\Local\Temp\56387d9d-0a89-422e-b9b5-90d09d80843c.vbs

Filesize
531B

MD5
c6d0e7c396afc53356d42e200940ccf2

SHA1
01c2cc0ae8a6ef646718ec18c33bbab8eb449f1f

SHA256
31b46e1e236716c43e331a91424d7fac44a25d377f16039bcc2e2f77ca3c0b81

SHA512
8be9e9d2cd9013aa5bd1bdb49fede8c78280f95d8a8578eae9d066900b76d8f6f8f418112704750b44142f1236ad5a7c75fa26e5f0ed165a7f8f8078ca687d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c48a3988-8ec2-4cd5-b4af-a1a8a9e7790f.vbs

Filesize
755B

MD5
e0260363ad8b61f334ba07ae107742ab

SHA1
8988c247321fb1ce98af3b7040849079aec926b0

SHA256
a220ce88ae3ab4ab816f42f63b230469d0ff7c808a173db23188c6be19050796

SHA512
314da0e9a2b4900d50afa63cb415f960f70770ce08c673c0949d02fa7e032bf692bf984b00ce53fe4c9b01162f9bf76cdf013737f9008557bfc03427e46993ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1de44b8-2baf-4086-b89d-8533b5c88c7e.vbs

Filesize
754B

MD5
51d33f3606f4d21851060440894ac6de

SHA1
fd15cff1c9ef761d15190ff3e66291ac417b96a5

SHA256
95effc255325a06b6aae9e155925efdd36980d42646165f9e9c22fc04a70a117

SHA512
c3612878ffafd921c6f9f2e1a8e5a12b5fcf0ecd5d85781a754a5e903cab2714c61a56de2a6efd25ca045b7e1eba77cd38727549e2d3fdb462a2129b49be06de

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcca60a2-c01d-4afc-80af-6c96bb7f988f.vbs

Filesize
754B

MD5
a108d637a171deebe548c2ecde19fca4

SHA1
940034bb70be4f61beb3df07b7711a63e404d168

SHA256
a7ead44236926f9150d00bbcfb052decfb692f186c53a4d495361f475497955a

SHA512
996457e0a5bf01b386e5d33edd887fb54c51a9d90ee5373e0decaacd3cefce4bf4be9f4d32c7b69690bcb9bb1fb823f356bbff99d80a52f94114284efc6a342e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nTU0UPEK42.bat

Filesize
244B

MD5
deb3fceb2eab1e4e283346d1349155c2

SHA1
75bdb377aabf79edce61d400101fc70fcc02e595

SHA256
74f62cc121e4d21416feb40578122b5c32a25e16573b8fbe1f227976f2172005

SHA512
4a1c58f95c056acea11882b9e0c7a340da7e76900040212932588353e126ecff38f8edacc43863806209978e654225122304ed79dc7afeca9eec851779995163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae383cdbbe0956a65731428ed4d0cff6

SHA1
85440b2b430319a0cbd8cd21c6d7e904be36981b

SHA256
e17201e627eb553d37a0e9ebf3edb0ff45f2f58e8f10cc31644240d166324a0f

SHA512
5848d3fcbcb4919a20bd876f99c0a37bd368f8e1a691418492df702c6976db837efd70768f0a254d2e2fcfa154f1a2d62a0e5125cbbb176d76a5a2e2fe207fbf

Download Submit
C:\Windows\system\OSPPSVC.exe

Filesize
5.9MB

MD5
3bb87c756c60cf9058c1495e1cd3e58c

SHA1
4c3b63f78a7dd951dbefcbf67467713194dbf162

SHA256
d03d5c5a22f108298aca52540ce335476cd4cedd72f7573a1822f42e1224c601

SHA512
dc646eca765715a2e1c3baf2ca45b10b8e590d8069bc71b0b361db5e212e538d6b2afda8dd4ee4aa3f6a4326a8619e82c18d911fee07d2fc0752d761eca53fb1

Download Submit
memory/676-249-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

Filesize
72KB

Download
memory/716-196-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/716-197-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/872-236-0x0000000000EB0000-0x00000000017A8000-memory.dmp

Filesize
9.0MB

Download
memory/1536-138-0x0000000002B70000-0x0000000002B82000-memory.dmp

Filesize
72KB

Download
memory/1536-137-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/1556-86-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1556-97-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2024-14-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/2024-39-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/2024-19-0x00000000029D0000-0x00000000029D8000-memory.dmp

Filesize
32KB

Download
memory/2024-20-0x00000000029E0000-0x00000000029EC000-memory.dmp

Filesize
48KB

Download
memory/2024-21-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/2024-23-0x000000001AFE0000-0x000000001AFF2000-memory.dmp

Filesize
72KB

Download
memory/2024-24-0x000000001B090000-0x000000001B09C000-memory.dmp

Filesize
48KB

Download
memory/2024-25-0x000000001B0A0000-0x000000001B0AC000-memory.dmp

Filesize
48KB

Download
memory/2024-26-0x000000001B0B0000-0x000000001B0B8000-memory.dmp

Filesize
32KB

Download
memory/2024-27-0x000000001B0C0000-0x000000001B0CC000-memory.dmp

Filesize
48KB

Download
memory/2024-28-0x000000001B0D0000-0x000000001B0DC000-memory.dmp

Filesize
48KB

Download
memory/2024-29-0x000000001B0F0000-0x000000001B0F8000-memory.dmp

Filesize
32KB

Download
memory/2024-30-0x000000001B0E0000-0x000000001B0EC000-memory.dmp

Filesize
48KB

Download
memory/2024-31-0x000000001B100000-0x000000001B10A000-memory.dmp

Filesize
40KB

Download
memory/2024-32-0x000000001B4E0000-0x000000001B4EE000-memory.dmp

Filesize
56KB

Download
memory/2024-33-0x000000001B4F0000-0x000000001B4F8000-memory.dmp

Filesize
32KB

Download
memory/2024-34-0x000000001B500000-0x000000001B50E000-memory.dmp

Filesize
56KB

Download
memory/2024-35-0x000000001B9D0000-0x000000001B9D8000-memory.dmp

Filesize
32KB

Download
memory/2024-36-0x000000001B9E0000-0x000000001B9EC000-memory.dmp

Filesize
48KB

Download
memory/2024-37-0x000000001B9F0000-0x000000001B9F8000-memory.dmp

Filesize
32KB

Download
memory/2024-38-0x000000001BA00000-0x000000001BA0A000-memory.dmp

Filesize
40KB

Download
memory/2024-18-0x00000000029C0000-0x00000000029CC000-memory.dmp

Filesize
48KB

Download
memory/2024-17-0x000000001AF90000-0x000000001AFE6000-memory.dmp

Filesize
344KB

Download
memory/2024-16-0x00000000029B0000-0x00000000029BA000-memory.dmp

Filesize
40KB

Download
memory/2024-15-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/2024-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2024-13-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/2024-125-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-12-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/2024-11-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2024-10-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2024-9-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/2024-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2024-7-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/2024-6-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2024-5-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2024-4-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2024-3-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2024-1-0x0000000000CB0000-0x00000000015A8000-memory.dmp

Filesize
9.0MB

Download
memory/2912-262-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download