dcrat | 2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111e

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Size

4.9MB
MD5

c352be4e4eadf26973f9bff1e60635b0
SHA1

a4b01b3e58aafd467e23d2eaada670116d2f7971
SHA256

2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111e
SHA512

a8471c5325c5d205adaa90aa51ea9b9dd08f8622a9cf3424c490818b1a0504447f84296e5fd2615544f8e2cb90fdd5a9d50f319387049162dd88137940174c8f
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3036	schtasks.exe	29

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1712-3-0x000000001BA00000-0x000000001BB2E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2604	powershell.exe
476	powershell.exe
1408	powershell.exe
2888	powershell.exe
2984	powershell.exe
332	powershell.exe
572	powershell.exe
2680	powershell.exe
2872	powershell.exe
2884	powershell.exe
2372	powershell.exe
2956	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2428	winlogon.exe
2908	winlogon.exe
1860	winlogon.exe
2728	winlogon.exe
2136	winlogon.exe
896	winlogon.exe
2848	winlogon.exe
1860	winlogon.exe
2280	winlogon.exe
1304	winlogon.exe
920	winlogon.exe
2416	winlogon.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCX3FEE.tmp	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX4211.tmp	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Program Files (x86)\Microsoft Office\24dbde2999530e	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\c5b4cb5e9653cc	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\ScanFile\Idle.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File created	C:\Windows\SoftwareDistribution\ScanFile\6ccacd8608530f	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Windows\SoftwareDistribution\ScanFile\RCX4425.tmp	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
File opened for modification	C:\Windows\SoftwareDistribution\ScanFile\Idle.exe	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2696	schtasks.exe
2080	schtasks.exe
1052	schtasks.exe
2240	schtasks.exe
880	schtasks.exe
2744	schtasks.exe
2436	schtasks.exe
2780	schtasks.exe
2960	schtasks.exe
2672	schtasks.exe
2616	schtasks.exe
2848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
1408	powershell.exe
2604	powershell.exe
2888	powershell.exe
2884	powershell.exe
476	powershell.exe
2680	powershell.exe
2872	powershell.exe
572	powershell.exe
2984	powershell.exe
2372	powershell.exe
2956	powershell.exe
332	powershell.exe
2428	winlogon.exe
2908	winlogon.exe
1860	winlogon.exe
2728	winlogon.exe
2136	winlogon.exe
896	winlogon.exe
2848	winlogon.exe
1860	winlogon.exe
2280	winlogon.exe
1304	winlogon.exe
920	winlogon.exe
2416	winlogon.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	476	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	2428	winlogon.exe
Token: SeDebugPrivilege	2908	winlogon.exe
Token: SeDebugPrivilege	1860	winlogon.exe
Token: SeDebugPrivilege	2728	winlogon.exe
Token: SeDebugPrivilege	2136	winlogon.exe
Token: SeDebugPrivilege	896	winlogon.exe
Token: SeDebugPrivilege	2848	winlogon.exe
Token: SeDebugPrivilege	1860	winlogon.exe
Token: SeDebugPrivilege	2280	winlogon.exe
Token: SeDebugPrivilege	1304	winlogon.exe
Token: SeDebugPrivilege	920	winlogon.exe
Token: SeDebugPrivilege	2416	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 476	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	42
PID 1712 wrote to memory of 476	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	42
PID 1712 wrote to memory of 476	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	42
PID 1712 wrote to memory of 1408	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	43
PID 1712 wrote to memory of 1408	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	43
PID 1712 wrote to memory of 1408	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	43
PID 1712 wrote to memory of 2680	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	44
PID 1712 wrote to memory of 2680	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	44
PID 1712 wrote to memory of 2680	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	44
PID 1712 wrote to memory of 2604	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	45
PID 1712 wrote to memory of 2604	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	45
PID 1712 wrote to memory of 2604	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	45
PID 1712 wrote to memory of 2872	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	47
PID 1712 wrote to memory of 2872	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	47
PID 1712 wrote to memory of 2872	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	47
PID 1712 wrote to memory of 2888	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	49
PID 1712 wrote to memory of 2888	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	49
PID 1712 wrote to memory of 2888	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	49
PID 1712 wrote to memory of 2956	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	50
PID 1712 wrote to memory of 2956	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	50
PID 1712 wrote to memory of 2956	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	50
PID 1712 wrote to memory of 2884	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	52
PID 1712 wrote to memory of 2884	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	52
PID 1712 wrote to memory of 2884	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	52
PID 1712 wrote to memory of 2372	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	53
PID 1712 wrote to memory of 2372	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	53
PID 1712 wrote to memory of 2372	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	53
PID 1712 wrote to memory of 572	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	55
PID 1712 wrote to memory of 572	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	55
PID 1712 wrote to memory of 572	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	55
PID 1712 wrote to memory of 332	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	56
PID 1712 wrote to memory of 332	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	56
PID 1712 wrote to memory of 332	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	56
PID 1712 wrote to memory of 2984	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	57
PID 1712 wrote to memory of 2984	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	57
PID 1712 wrote to memory of 2984	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	57
PID 1712 wrote to memory of 2428	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	66
PID 1712 wrote to memory of 2428	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	66
PID 1712 wrote to memory of 2428	1712	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe	66
PID 2428 wrote to memory of 2848	2428	winlogon.exe	67
PID 2428 wrote to memory of 2848	2428	winlogon.exe	67
PID 2428 wrote to memory of 2848	2428	winlogon.exe	67
PID 2428 wrote to memory of 2240	2428	winlogon.exe	68
PID 2428 wrote to memory of 2240	2428	winlogon.exe	68
PID 2428 wrote to memory of 2240	2428	winlogon.exe	68
PID 2848 wrote to memory of 2908	2848	WScript.exe	69
PID 2848 wrote to memory of 2908	2848	WScript.exe	69
PID 2848 wrote to memory of 2908	2848	WScript.exe	69
PID 2908 wrote to memory of 2200	2908	winlogon.exe	70
PID 2908 wrote to memory of 2200	2908	winlogon.exe	70
PID 2908 wrote to memory of 2200	2908	winlogon.exe	70
PID 2908 wrote to memory of 1220	2908	winlogon.exe	71
PID 2908 wrote to memory of 1220	2908	winlogon.exe	71
PID 2908 wrote to memory of 1220	2908	winlogon.exe	71
PID 2200 wrote to memory of 1860	2200	WScript.exe	72
PID 2200 wrote to memory of 1860	2200	WScript.exe	72
PID 2200 wrote to memory of 1860	2200	WScript.exe	72
PID 1860 wrote to memory of 2952	1860	winlogon.exe	73
PID 1860 wrote to memory of 2952	1860	winlogon.exe	73
PID 1860 wrote to memory of 2952	1860	winlogon.exe	73
PID 1860 wrote to memory of 992	1860	winlogon.exe	74
PID 1860 wrote to memory of 992	1860	winlogon.exe	74
PID 1860 wrote to memory of 992	1860	winlogon.exe	74
PID 2952 wrote to memory of 2728	2952	WScript.exe	75

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe
"C:\Users\Admin\AppData\Local\Temp\2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111eN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
  "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2428
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c57783a3-432a-44ae-b10e-7200cb75fbe5.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
      "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2908
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04126f6c-eb8c-4a1e-bf5c-eb075b1141a2.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a695dc9-9b43-49b9-937e-5363e7ba1c08.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\161df49b-d4a1-4878-874f-6d20083bffa4.vbs"
        9⤵
        
        PID:1700
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67bd0183-b6cf-4e09-96da-3cbdafea854f.vbs"
        11⤵
        
        PID:1048
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcb0ea41-8f05-4eba-94c3-a79fa857bdbd.vbs"
        13⤵
        
        PID:2468
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f5beef4-8264-47c2-80d1-aa30deb6cf8b.vbs"
        15⤵
        
        PID:1660
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\594b32cc-2037-4698-9138-766a92dd8ac3.vbs"
        17⤵
        
        PID:276
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2902717-5add-4f73-b23d-7fd068c6952d.vbs"
        19⤵
        
        PID:2876
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fad75173-34bf-4842-a8f4-53822c68ee17.vbs"
        21⤵
        
        PID:2664
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94f67de3-7ebc-43d2-b8e8-7a7c96f60255.vbs"
        23⤵
        
        PID:2768
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb746717-ce71-4221-bf57-7b3be450bbc8.vbs"
        25⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b79a994-be30-4d89-9b2c-4895484e1e32.vbs"
        25⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ba15090-9696-4e13-b02a-09d1c331abef.vbs"
        23⤵
        
        PID:1864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9654b65-c46a-40cb-991a-96e06474c470.vbs"
        21⤵
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4030e457-2ddc-4561-9a27-c7b698395163.vbs"
        19⤵
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7256e2c5-f465-4ef5-9069-40c4c66bb70b.vbs"
        17⤵
        
        PID:1112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d21b31e8-6ce4-43a0-ab52-5287a0a3fc40.vbs"
        15⤵
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bf4aecf-6b92-4ca2-9bc6-cdfed0a953a1.vbs"
        13⤵
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\260073f4-a309-4496-860a-6f4c53273196.vbs"
        11⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d941643e-a2d2-485e-8725-e3d4fa87b8aa.vbs"
        9⤵
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b8d0095-44b1-47cc-987d-90da6b7e5d91.vbs"
        7⤵
        
        PID:992
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1714335-5595-4711-83d4-bcde4bf864e7.vbs"
        5⤵
        
        PID:1220
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb672c36-3f22-4223-8bb2-27d3cfaf729e.vbs"
    3⤵
    PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\ScanFile\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\ScanFile\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\WmiPrvSE.exe

Filesize
4.9MB

MD5
c352be4e4eadf26973f9bff1e60635b0

SHA1
a4b01b3e58aafd467e23d2eaada670116d2f7971

SHA256
2efc423b76e4954b7311cb80771c1d8ff34db83b8a33a31efd21ceb1ff85111e

SHA512
a8471c5325c5d205adaa90aa51ea9b9dd08f8622a9cf3424c490818b1a0504447f84296e5fd2615544f8e2cb90fdd5a9d50f319387049162dd88137940174c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\04126f6c-eb8c-4a1e-bf5c-eb075b1141a2.vbs

Filesize
751B

MD5
8f498feefa21a30b2d23ad36b5948426

SHA1
9703c4130d24eac8f8ab79b4bc81e13eef622a0d

SHA256
bef3bc60b1bfa32cd858fa4eab3419471d2a668d3f0cc42d2ef9ac8cd0f6e282

SHA512
7abaac9db1d228e9991953e36f3c00d140c524b1358e72d76973e2b318d99433ac49a1b8db8a24cb756d725b5d43458b974c5dfee8e0f0cadb42fe104c5067bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\161df49b-d4a1-4878-874f-6d20083bffa4.vbs

Filesize
751B

MD5
27f6ef825e25198986e2e70eacd59130

SHA1
47a76a5e92739d5c191ea8eb035dab4b0cef9e5d

SHA256
d0e5264d84ab2130637fee47ecc7fce048df6b89c6765dc2fdaa058d935b736f

SHA512
8293b923d9ca427a0f2c54e4479805c4e6f0d1a08d71dcf1fd2b9bbafdced458760dbb8707e84173a8cd6695d791ab1c31d1d5de3f9409810a9a1921c86224d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f5beef4-8264-47c2-80d1-aa30deb6cf8b.vbs

Filesize
751B

MD5
3386a893bb4894d3ed43847958cfbc27

SHA1
9fa981c932611922935d447ef0ff2d42b3eb9580

SHA256
456de6ac85fd341d4e561e026f25b19aad85777391ac4a78ff50a79fc24817f9

SHA512
7101414b7217b24db5eff6c1eb02fee72d0c23a9678ca3c9c4d0654bc355dce82e15ee23606013c9398c9f9d116095583386fe5f49a81469b032c1eae8658df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\67bd0183-b6cf-4e09-96da-3cbdafea854f.vbs

Filesize
751B

MD5
1c2f725bb145ab2773fe286d3499ae74

SHA1
e3bb139fb5e00e3a461ff6726aa78a599367aebb

SHA256
b261548c394766eaf8ec38b917b166f760c3ce2c69315480a3353bdd4a876da9

SHA512
80bf204f14de61854489c526173680f4e732602e943afa7c44e0d4596f75d3eb7988d2f440ee9e12a4bd4bc4c5f82a777717e2db10db4ca7997188bc3e856a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a695dc9-9b43-49b9-937e-5363e7ba1c08.vbs

Filesize
751B

MD5
32199cacc29cc976774c153f8120944a

SHA1
2b442e8fbc6d4d1856cc3117baa5571b730996e2

SHA256
76a9ddd8c753125cc48fba7aa0f5500c225863b436f0e805ea5dbb2d9f242d07

SHA512
92bba9e9e0cc944018685775dd3c8975de5be73925899e46ca7f26e663710605a51eef757d149db6deee9e5c096044d74a931b4790de9901ff9968f93d7f20f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\94f67de3-7ebc-43d2-b8e8-7a7c96f60255.vbs

Filesize
750B

MD5
9ce002a8c1d5fee91ec3ef28e4bde74f

SHA1
0083fd41f1cc89dc8ba323b5f93df2dc44fa55ca

SHA256
1d3a8a44806b748a4eaf12f9a24ad5a96377545f2d08577ace50b6e2807ff8ec

SHA512
3cf3bdc3be081cea2a4457c81683de5a63109f9c3738c9069f17b8655c586badd166d032e1990fb81903567acffb6cc91c2d7a49bc67488988411f399b379645

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb746717-ce71-4221-bf57-7b3be450bbc8.vbs

Filesize
751B

MD5
562aa014d904ca11622a0cd63dab018a

SHA1
de08c9345f52fd80300d7b8d4a53730e950850da

SHA256
64e31e75b5f3df38d8ada31730a8368673a9b3a57fe2c94a469d4453ac6b1999

SHA512
69823ab6582a2883e8944b2bea0cd43ee2e51812d8fe7b7ffe601826b15a6329197c0aeecfa352e1086e5a9892b47f41e93267c286e1237d84b1196e5d65fd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c57783a3-432a-44ae-b10e-7200cb75fbe5.vbs

Filesize
751B

MD5
59ed593f427f59597446b71da457767c

SHA1
6329d8a79e9a1d55eaaa7e3d592f5b2d87666833

SHA256
40ca7481db243b5a261fafa83f4d18dbb3d8306450b86ac16c30957b546dcf89

SHA512
5a66c6ea3db4b3cecca8b561a75d0110380c508005f0b36210449bbc940e1a3f0cfd19b2504d49c7e36cc9e0512fd29672b899fc86268cba690b72631eb60bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2902717-5add-4f73-b23d-7fd068c6952d.vbs

Filesize
751B

MD5
285f1ef37cfce87acdeb49210f23ae39

SHA1
d3dfb941a665e805e394338d114efa936da091db

SHA256
877ea03d29063e31fc4c3665791cc1add8b5fa58b8dd366ed53fbf2dce394e26

SHA512
dcdeced9b145e0d3fa170c7561f2252e27c1003effb65c089962c567fec93b3860f477d92d97bcf4bc79be6907eaa924f56f9fbaffd14c94afaa61f667ab0a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcb0ea41-8f05-4eba-94c3-a79fa857bdbd.vbs

Filesize
750B

MD5
b39a00785139a4657221896e48b7ca16

SHA1
6b3b3100493acb07ad7bd405ef542ab554805060

SHA256
200e1fe2e756d00430a58bd8dff7ea280b8510bf1177fffe25355928ae8edb5c

SHA512
43d6a4fc5b84d13a97956f6cfce026fadc6964560005ccb0ca9e57f2ca7a5376adb838c0e2836fefbd8c5a38c4fccce87473de29d601795264e5257a8d4e1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb672c36-3f22-4223-8bb2-27d3cfaf729e.vbs

Filesize
527B

MD5
ae43d5836b001d07e1fb8d76c4434d83

SHA1
1df3eba4f32cedec7da2d9148f1f8e6c6be4de81

SHA256
98591c66e086ed45bdad316961efa8526551d9bd33db1683453bd3b57448dff6

SHA512
caad1955df8ba588dc21a8d4be68fcc5bc24aea603afbc4ef0be668ad053c095860ccd65670d250a5d40800bea1a066d576287c98f1e83e9c337fb142cff6623

Download Submit
C:\Users\Admin\AppData\Local\Temp\fad75173-34bf-4842-a8f4-53822c68ee17.vbs

Filesize
751B

MD5
fc812186e1db0375688db85727b1a952

SHA1
e9f06ffc90d0c0a5f1c88e6ea24614d83a99a695

SHA256
29b675667f106125445223687dfd84fc1cdb25ccb2b4f53b81dc2234cb4a48d5

SHA512
9328b73cebe0969debba6465a0583d9d6b2b3214d074899b454f00f86bb0f99fdb79d8dae5fdbb29f22e00ffca19ed9cd312ee847e47eb3d98f6bdc1ee74f77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp57FF.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7e02f9a2a188f2fa42a13b0c0351a46b

SHA1
a24635efe60fc2ebd407d7aa3ad0ceb5b9db6a76

SHA256
0379e9adcb5cda7987550ea626dfe013328d8edf5b1304c8da70326c06e15ad0

SHA512
9ba128a2b9fccd08960e6b509f75899d9ac3bfdf6705e09567111000271646d8b79e51fc5ed8841ed1927d2912f62faa11e6055d19b1ac57915c7dc0c1c8d504

Download Submit
memory/1304-259-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download
memory/1408-71-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1408-70-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/1712-15-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/1712-1-0x0000000000100000-0x00000000005F4000-memory.dmp

Filesize
5.0MB

Download
memory/1712-13-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/1712-90-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-12-0x00000000007D0000-0x00000000007DE000-memory.dmp

Filesize
56KB

Download
memory/1712-11-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/1712-10-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/1712-9-0x0000000000720000-0x000000000072A000-memory.dmp

Filesize
40KB

Download
memory/1712-7-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/1712-6-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/1712-5-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/1712-8-0x0000000000710000-0x0000000000720000-memory.dmp

Filesize
64KB

Download
memory/1712-16-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/1712-4-0x0000000000690000-0x00000000006AC000-memory.dmp

Filesize
112KB

Download
memory/1712-3-0x000000001BA00000-0x000000001BB2E000-memory.dmp

Filesize
1.2MB

Download
memory/1712-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/1712-14-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/1712-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1860-229-0x00000000001D0000-0x00000000006C4000-memory.dmp

Filesize
5.0MB

Download
memory/2136-185-0x0000000001090000-0x0000000001584000-memory.dmp

Filesize
5.0MB

Download
memory/2136-186-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/2280-244-0x0000000000E20000-0x0000000001314000-memory.dmp

Filesize
5.0MB

Download
memory/2428-126-0x0000000002480000-0x0000000002492000-memory.dmp

Filesize
72KB

Download
memory/2428-89-0x0000000000830000-0x0000000000D24000-memory.dmp

Filesize
5.0MB

Download
memory/2728-170-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/2728-169-0x00000000000D0000-0x00000000005C4000-memory.dmp

Filesize
5.0MB

Download
memory/2908-140-0x0000000001300000-0x00000000017F4000-memory.dmp

Filesize
5.0MB

Download