dcrat | 68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-09-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Size

4.9MB
MD5

a7d660695a3c55b0c2b6b81f608b65fe
SHA1

451d92a971b532de8ae8d116f5b6c10c1eb2c0ab
SHA256

68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2
SHA512

61cf2c0e0fe4736140ea2219351befbbd867c8d6746ec62bc3b04c962504abb26c509ba5436cfc0723c9f0240794c93c6670739d464f80e6dda6929b45a51dc6
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 40 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1860	schtasks.exe
		2820	schtasks.exe
		2772	schtasks.exe
		2764	schtasks.exe
		2000	schtasks.exe
		644	schtasks.exe
		2644	schtasks.exe
		1412	schtasks.exe
		2748	schtasks.exe
		1756	schtasks.exe
		796	schtasks.exe
		1572	schtasks.exe
		2696	schtasks.exe
		872	schtasks.exe
		356	schtasks.exe
		2560	schtasks.exe
		2044	schtasks.exe
		2564	schtasks.exe
		1636	schtasks.exe
		1760	schtasks.exe
		2880	schtasks.exe
		2800	schtasks.exe
		2668	schtasks.exe
		2824	schtasks.exe
		2656	schtasks.exe
		2588	schtasks.exe
		596	schtasks.exe
		2892	schtasks.exe
		2776	schtasks.exe
		2600	schtasks.exe
		2576	schtasks.exe
		2964	schtasks.exe
		2592	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
		3056	schtasks.exe
		2864	schtasks.exe
		2728	schtasks.exe
		2744	schtasks.exe
		2720	schtasks.exe
		2920	schtasks.exe

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	3032	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	3032	schtasks.exe	31

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2304-3-0x000000001BA40000-0x000000001BB6E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2460	powershell.exe
1416	powershell.exe
1728	powershell.exe
3060	powershell.exe
1668	powershell.exe
1648	powershell.exe
2272	powershell.exe
2328	powershell.exe
832	powershell.exe
708	powershell.exe
776	powershell.exe
1456	powershell.exe
2468	powershell.exe
1424	powershell.exe
536	powershell.exe
2472	powershell.exe
2036	powershell.exe
1716	powershell.exe
1028	powershell.exe
2416	powershell.exe
3036	powershell.exe
1448	powershell.exe
1680	powershell.exe
2508	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
792	WmiPrvSE.exe
2132	WmiPrvSE.exe
1200	WmiPrvSE.exe
2416	WmiPrvSE.exe
680	WmiPrvSE.exe
2116	WmiPrvSE.exe
2300	WmiPrvSE.exe
900	WmiPrvSE.exe
808	WmiPrvSE.exe
1016	WmiPrvSE.exe
2304	WmiPrvSE.exe
1448	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\nl-NL\1610b97d3ab4a7	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
File opened for modification	C:\Windows\System32\nl-NL\OSPPSVC.exe	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
File created	C:\Windows\System32\nl-NL\OSPPSVC.exe	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\powershell.exe	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\e978f868350d50	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
File created	C:\Program Files\Windows Mail\ja-JP\powershell.exe	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
File created	C:\Program Files\Windows Mail\ja-JP\e978f868350d50	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\powershell.exe	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\powershell.exe	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2600	schtasks.exe
872	schtasks.exe
796	schtasks.exe
1572	schtasks.exe
356	schtasks.exe
2772	schtasks.exe
3056	schtasks.exe
2044	schtasks.exe
1756	schtasks.exe
2824	schtasks.exe
2764	schtasks.exe
2576	schtasks.exe
2880	schtasks.exe
2920	schtasks.exe
2800	schtasks.exe
2776	schtasks.exe
2560	schtasks.exe
596	schtasks.exe
2644	schtasks.exe
1860	schtasks.exe
2748	schtasks.exe
2592	schtasks.exe
2728	schtasks.exe
2744	schtasks.exe
2656	schtasks.exe
2564	schtasks.exe
2696	schtasks.exe
2668	schtasks.exe
2820	schtasks.exe
2720	schtasks.exe
644	schtasks.exe
2864	schtasks.exe
2588	schtasks.exe
1636	schtasks.exe
2000	schtasks.exe
2964	schtasks.exe
2892	schtasks.exe
1760	schtasks.exe
1412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
2272	powershell.exe
2460	powershell.exe
1416	powershell.exe
1648	powershell.exe
2508	powershell.exe
2472	powershell.exe
1456	powershell.exe
1448	powershell.exe
2468	powershell.exe
1680	powershell.exe
2328	powershell.exe
776	powershell.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
3060	powershell.exe
708	powershell.exe
1028	powershell.exe
1728	powershell.exe
1668	powershell.exe
832	powershell.exe
2416	powershell.exe
1716	powershell.exe
3036	powershell.exe
1424	powershell.exe
536	powershell.exe
2036	powershell.exe
792	WmiPrvSE.exe
2132	WmiPrvSE.exe
1200	WmiPrvSE.exe
2416	WmiPrvSE.exe
680	WmiPrvSE.exe
2116	WmiPrvSE.exe
2300	WmiPrvSE.exe
900	WmiPrvSE.exe
808	WmiPrvSE.exe
1016	WmiPrvSE.exe
2304	WmiPrvSE.exe
1448	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	792	WmiPrvSE.exe
Token: SeDebugPrivilege	2132	WmiPrvSE.exe
Token: SeDebugPrivilege	1200	WmiPrvSE.exe
Token: SeDebugPrivilege	2416	WmiPrvSE.exe
Token: SeDebugPrivilege	680	WmiPrvSE.exe
Token: SeDebugPrivilege	2116	WmiPrvSE.exe
Token: SeDebugPrivilege	2300	WmiPrvSE.exe
Token: SeDebugPrivilege	900	WmiPrvSE.exe
Token: SeDebugPrivilege	808	WmiPrvSE.exe
Token: SeDebugPrivilege	1016	WmiPrvSE.exe
Token: SeDebugPrivilege	2304	WmiPrvSE.exe
Token: SeDebugPrivilege	1448	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 776	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	41
PID 2304 wrote to memory of 776	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	41
PID 2304 wrote to memory of 776	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	41
PID 2304 wrote to memory of 1648	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	42
PID 2304 wrote to memory of 1648	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	42
PID 2304 wrote to memory of 1648	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	42
PID 2304 wrote to memory of 1416	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	43
PID 2304 wrote to memory of 1416	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	43
PID 2304 wrote to memory of 1416	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	43
PID 2304 wrote to memory of 1448	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	45
PID 2304 wrote to memory of 1448	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	45
PID 2304 wrote to memory of 1448	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	45
PID 2304 wrote to memory of 2472	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	47
PID 2304 wrote to memory of 2472	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	47
PID 2304 wrote to memory of 2472	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	47
PID 2304 wrote to memory of 2460	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	48
PID 2304 wrote to memory of 2460	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	48
PID 2304 wrote to memory of 2460	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	48
PID 2304 wrote to memory of 2328	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	49
PID 2304 wrote to memory of 2328	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	49
PID 2304 wrote to memory of 2328	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	49
PID 2304 wrote to memory of 2508	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	50
PID 2304 wrote to memory of 2508	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	50
PID 2304 wrote to memory of 2508	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	50
PID 2304 wrote to memory of 2468	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	51
PID 2304 wrote to memory of 2468	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	51
PID 2304 wrote to memory of 2468	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	51
PID 2304 wrote to memory of 1456	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	52
PID 2304 wrote to memory of 1456	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	52
PID 2304 wrote to memory of 1456	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	52
PID 2304 wrote to memory of 2272	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	53
PID 2304 wrote to memory of 2272	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	53
PID 2304 wrote to memory of 2272	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	53
PID 2304 wrote to memory of 1680	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	54
PID 2304 wrote to memory of 1680	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	54
PID 2304 wrote to memory of 1680	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	54
PID 2304 wrote to memory of 1856	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	65
PID 2304 wrote to memory of 1856	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	65
PID 2304 wrote to memory of 1856	2304	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	65
PID 1856 wrote to memory of 1728	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	97
PID 1856 wrote to memory of 1728	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	97
PID 1856 wrote to memory of 1728	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	97
PID 1856 wrote to memory of 1028	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	98
PID 1856 wrote to memory of 1028	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	98
PID 1856 wrote to memory of 1028	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	98
PID 1856 wrote to memory of 708	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	99
PID 1856 wrote to memory of 708	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	99
PID 1856 wrote to memory of 708	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	99
PID 1856 wrote to memory of 536	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	101
PID 1856 wrote to memory of 536	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	101
PID 1856 wrote to memory of 536	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	101
PID 1856 wrote to memory of 2036	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	103
PID 1856 wrote to memory of 2036	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	103
PID 1856 wrote to memory of 2036	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	103
PID 1856 wrote to memory of 832	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	104
PID 1856 wrote to memory of 832	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	104
PID 1856 wrote to memory of 832	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	104
PID 1856 wrote to memory of 1668	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	105
PID 1856 wrote to memory of 1668	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	105
PID 1856 wrote to memory of 1668	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	105
PID 1856 wrote to memory of 1716	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	106
PID 1856 wrote to memory of 1716	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	106
PID 1856 wrote to memory of 1716	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	106
PID 1856 wrote to memory of 1424	1856	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe	107

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
"C:\Users\Admin\AppData\Local\Temp\68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe
  "C:\Users\Admin\AppData\Local\Temp\68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
    "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:792
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1810ea92-afce-4a00-958f-20db78ddfbb3.vbs"
      4⤵
      PID:2856
    - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2132
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f74a5908-7579-42a7-842b-83fdad7ffefe.vbs"
        6⤵
        
        PID:1596
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bddb396-9115-42eb-8647-79401e163e3c.vbs"
        8⤵
        
        PID:2864
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4717149e-844c-42d2-aab3-e4d2503c7ee7.vbs"
        10⤵
        
        PID:2612
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fb5e136-9ff9-4a94-acdd-f7dd38caaa28.vbs"
        12⤵
        
        PID:1916
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1b01596-3810-4cd5-83ca-a47d593685df.vbs"
        14⤵
        
        PID:1964
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\329abb8f-7ea3-4852-8f55-2d529daeaea5.vbs"
        16⤵
        
        PID:1980
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a00b260-2820-4ec5-bb01-e93e376876d6.vbs"
        18⤵
        
        PID:2340
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43d03528-39f5-4af3-a113-c6b437e16280.vbs"
        20⤵
        
        PID:2140
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd72165d-3d6c-426c-82f0-4e688673efa6.vbs"
        22⤵
        
        PID:1372
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be4cd31d-ab63-42e6-9598-e1a7346578fa.vbs"
        24⤵
        
        PID:1028
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c3ab187-c898-4740-a98c-49a36d20ccc3.vbs"
        24⤵
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa5b9f75-8680-4485-b77d-f9081ebd58c2.vbs"
        22⤵
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc05b187-2de5-4a4e-8c53-ce2d8c51a420.vbs"
        20⤵
        
        PID:716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9f496f9-dd86-4669-8cd7-02356639ef8d.vbs"
        18⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9097f2fc-2c8b-4557-bcd2-bfe94938c8e1.vbs"
        16⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94e1b043-942a-4711-810c-19add9b5a7e4.vbs"
        14⤵
        
        PID:848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f13a3f9a-ed68-4d18-8886-da73571be06d.vbs"
        12⤵
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9cec1fd-38b2-4840-bff5-7562d364093b.vbs"
        10⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73eec59b-4653-4fdb-8d2e-c12d7e15759b.vbs"
        8⤵
        
        PID:1800
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\549d5786-41e3-482f-8d32-ad6f0adda286.vbs"
        6⤵
        
        PID:1196
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fab17b5-446b-4f60-9eda-5e54562cd3a1.vbs"
      4⤵
      PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Templates\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Templates\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\nl-NL\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\System32\nl-NL\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\nl-NL\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\ja-JP\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\ja-JP\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe

Filesize
4.9MB

MD5
a7d660695a3c55b0c2b6b81f608b65fe

SHA1
451d92a971b532de8ae8d116f5b6c10c1eb2c0ab

SHA256
68746e93d479b484dd35ee6afa14496e38fadce3067fd86a59ad5a78c20e35f2

SHA512
61cf2c0e0fe4736140ea2219351befbbd867c8d6746ec62bc3b04c962504abb26c509ba5436cfc0723c9f0240794c93c6670739d464f80e6dda6929b45a51dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0bddb396-9115-42eb-8647-79401e163e3c.vbs

Filesize
737B

MD5
0b47ff0b67117e13f784b554a5a0645c

SHA1
e79b19097f9f10766f435bef16ae466a202d1f61

SHA256
85e535c01b364a33fded77aaa2fa363401e7bfbe70866165dd11397aa5763fb2

SHA512
904617c39c17e913b94714b9df11aefb342309ca3ba870326f4ac966eb9311a186ee01903b21a9d1779bd85f6939c745354df43252394f406649c9adf0dde71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fab17b5-446b-4f60-9eda-5e54562cd3a1.vbs

Filesize
513B

MD5
e8694f4d3d99d35f38937fb9d6909c70

SHA1
3587e4b22f3b11fd3d5ade7da92f49cab6554fa7

SHA256
ca7b1e4d182ca1cbbb1e2696b10b0ba099a0c1a8ad083fa8230645f7ca8f175c

SHA512
4179d7c948a92707a85ef00d8c45f0f010f9e41154271a71478dd1a99c2506485b2291b1ca849e4839ba9e76263d5bf3900ae1c203821b212af026cfbad59864

Download Submit
C:\Users\Admin\AppData\Local\Temp\1810ea92-afce-4a00-958f-20db78ddfbb3.vbs

Filesize
736B

MD5
6d0315d2dd631ff2c63d7c891cb65267

SHA1
adf85148c06ccee427d584d115bf2832ecff78f4

SHA256
e0a5fbfe6c98fa8c4f8b28325e3215f872b66fe5429aa31e6fc33bb223e475eb

SHA512
7764c44725da6653baa25f75eed647938a4ada1eaebd580c9041fbd2da3d090d215ba63af72af81bf73fd65aa56cc99234d222802b662941bf6a8244add411ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\329abb8f-7ea3-4852-8f55-2d529daeaea5.vbs

Filesize
737B

MD5
497a60a13d70125b18d11d153bacc26c

SHA1
41298f8df09d61da46ce037fc4db8e4e86e8f942

SHA256
ce65aeb4b7a0d183f072e2bb98b00212bb67bc42793b91889987ca3d3394ceb7

SHA512
738c4c66ddfb1ed95e4ff0761946e98d9dd404f1cd222af673681fca5c6d5cc19fa2617b9511e2709abc250364e60c08d6310f1c4395a4f32341a673e1382472

Download Submit
C:\Users\Admin\AppData\Local\Temp\43d03528-39f5-4af3-a113-c6b437e16280.vbs

Filesize
736B

MD5
26979e59972f30ffeff9acaf1b482cdb

SHA1
b9a7dd75dbdad078df548ee50a218c6395825144

SHA256
b94133b1d2943e1952a3094d40119faec8ca033f3c605f9b78332cee82f14b34

SHA512
5cb72a5eab6071d74e76773bf2b6d70d4136f7d7d3437ccdd97afe2072abf3ff878f1ea25375fbd04c6747e8fddfa83fe07ae69bb177d9b30bece58cda622c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\4717149e-844c-42d2-aab3-e4d2503c7ee7.vbs

Filesize
737B

MD5
b7176f694fef334d41c8d02475aa5f21

SHA1
8f5d47b66c45be995bd58e3c233d701b4a0a04ec

SHA256
938aa75b2a4ded3a52fa8fac8d3b9e26b388b6d2aafc0d588838484bf03da08e

SHA512
c7144202f2006e11ded1924998c2aa047c38c7fb2de5bb8b462bf34fc53ce5e75e74cc6666414b88236b4b55fdd68e480be91d067d1164aad56b729224485088

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fb5e136-9ff9-4a94-acdd-f7dd38caaa28.vbs

Filesize
736B

MD5
de801844bb5ff462ddf0ace405befc07

SHA1
8e2bc08600cc77dc9270fae7581e085391513f70

SHA256
1cfe4535eae04b5053049f2b6a992fcacd0203be70479a9bae56bdf01397960a

SHA512
203b2e02f66fba2fb04a2a4987db3719ef73d350690a9e865f351def6d5773f1cfa768ed8f444732266218bf852d85f0233179638715f951c657d0de93f6e6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a00b260-2820-4ec5-bb01-e93e376876d6.vbs

Filesize
736B

MD5
527fcba5aad9cbbee873f7875a07f74e

SHA1
6fbc772caca6e67987f13f6a02c9ec7c9ba40916

SHA256
65abad17f6de8a2c199b0adfb21832a48c53919e26abf9e71e80b32a4358c19b

SHA512
fbd6c06213c85c6dd1850004b50ceca102a2d72d05eb260816e17f2de3043bb101c61837101e600ece0619d0bea0e3f0bd730c3578067c5668e775c0f38526e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1b01596-3810-4cd5-83ca-a47d593685df.vbs

Filesize
737B

MD5
9183645a1587de4b156be8a137a6d2b1

SHA1
032a399dfc2bafec499ad294d1a93fc5be19f2fe

SHA256
18916b404398e770d4b0f2fdf41f688b747e43c01269324054dbdb0e9c4896f2

SHA512
ca1bacc776794e3c2d82f1bddf9b1aff236f6b8eb5031cd4d2a1344aeaad02412aeb3aefa558666a26bf4d8c1a8ca08f41d05657530ddebd303ca24eebf0b008

Download Submit
C:\Users\Admin\AppData\Local\Temp\be4cd31d-ab63-42e6-9598-e1a7346578fa.vbs

Filesize
737B

MD5
ce4121029ba44b4fae2e08bfb818fe0b

SHA1
207d03e77389cfa6f0effd76e282a66080427899

SHA256
6d0e0b22b09b2ca9b936c3829a912541e27965b1f28e5e093208f86d065e993d

SHA512
d7a85af39e11bda63c4e54614e56c2e9f647021ebc9cc728bd1f04e5bf2b39e58ad545c8e625cfdb351caaa140e418756a178184cb611f3f8d6eb049cc7de167

Download Submit
C:\Users\Admin\AppData\Local\Temp\f74a5908-7579-42a7-842b-83fdad7ffefe.vbs

Filesize
737B

MD5
445589c75031df92b74b5dd439e9c91f

SHA1
4b4fd6130105ed390f23d13290fb634a5e5483a5

SHA256
812731fde36255ab82ecff6f0079e9d93bf2cdedfc697c995b7a35839f0625b7

SHA512
7e66670f4872dd240914922252841a2680c2e88448408d28be2868f63f319669fd0817716c00a940512e0d530b412be7d53c864fd3e5263f8da2cf94f97ac2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd72165d-3d6c-426c-82f0-4e688673efa6.vbs

Filesize
737B

MD5
a8000e1a6c99cdb1d74c1b1c28580fc0

SHA1
76dc417b35bb1d0332580c7ae6a25aea49f20dc9

SHA256
319239f57d4a9f311b53bea5372a77ba1076cbb6654eb4116a42f2f04b0e3063

SHA512
c6726e79dc152fda98eda548feb37e9cb2ceaf0c35d0a1ba70be013f7dbc8934bd1c96c855dc2223548c3c6c08e45eef8fbeca6f5e53da2e475976d9d3035db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE3CA.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QXEHEKHMTXE1GBKTT92K.temp

Filesize
7KB

MD5
a2d26cd56f764711e8f2327ce9023208

SHA1
47556230cb45df1900cffdde415aa7fb2a28a633

SHA256
10d6448140e2938164eaecb51155ef4f1acd28ea5781e8d96beca4b30be10afc

SHA512
950fc7a11842a82ed2752b1534e474a8aee9a6c85f1ca35e1f68920a29e94068873215065a6b8762729c57d9a321379847a4996bae43e0baca0ceb462c5653f6

Download Submit
memory/680-265-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/680-264-0x0000000000040000-0x0000000000534000-memory.dmp

Filesize
5.0MB

Download
memory/792-186-0x0000000000220000-0x0000000000714000-memory.dmp

Filesize
5.0MB

Download
memory/808-325-0x0000000000100000-0x00000000005F4000-memory.dmp

Filesize
5.0MB

Download
memory/900-310-0x0000000000A70000-0x0000000000F64000-memory.dmp

Filesize
5.0MB

Download
memory/1016-340-0x0000000000C40000-0x0000000001134000-memory.dmp

Filesize
5.0MB

Download
memory/1016-341-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/1200-235-0x0000000000D30000-0x0000000001224000-memory.dmp

Filesize
5.0MB

Download
memory/1416-96-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1448-369-0x00000000000E0000-0x00000000005D4000-memory.dmp

Filesize
5.0MB

Download
memory/2116-280-0x0000000001150000-0x0000000001644000-memory.dmp

Filesize
5.0MB

Download
memory/2132-220-0x0000000000030000-0x0000000000524000-memory.dmp

Filesize
5.0MB

Download
memory/2300-295-0x00000000002A0000-0x0000000000794000-memory.dmp

Filesize
5.0MB

Download
memory/2304-12-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

Filesize
56KB

Download
memory/2304-10-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/2304-1-0x0000000001190000-0x0000000001684000-memory.dmp

Filesize
5.0MB

Download
memory/2304-2-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-69-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-16-0x0000000000DB0000-0x0000000000DBC000-memory.dmp

Filesize
48KB

Download
memory/2304-15-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/2304-14-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2304-13-0x0000000000C00000-0x0000000000C0E000-memory.dmp

Filesize
56KB

Download
memory/2304-0-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp

Filesize
4KB

Download
memory/2304-11-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/2304-356-0x00000000011B0000-0x00000000016A4000-memory.dmp

Filesize
5.0MB

Download
memory/2304-9-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/2304-8-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/2304-7-0x0000000000B90000-0x0000000000BA6000-memory.dmp

Filesize
88KB

Download
memory/2304-6-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/2304-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2304-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2304-3-0x000000001BA40000-0x000000001BB6E000-memory.dmp

Filesize
1.2MB

Download
memory/2460-95-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/3060-148-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/3060-146-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download