dcrat | 5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-10-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
Size

4.9MB
MD5

31b93ec89ad297254d18c2a3f8df6260
SHA1

00498d80e29e4d12cada288878f141a823bb4dac
SHA256

5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42
SHA512

71f85fb514f77d0fad0badf1238ba75b6ce40511cdea09da79a9719ab5a2de48587bf22d83c5e12ca105466358f77ea50f6c881583d8160a114646752ba9e484
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2944	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2944	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

WmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1580-2-0x000000001BA10000-0x000000001BB3E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
332	powershell.exe
992	powershell.exe
2792	powershell.exe
916	powershell.exe
884	powershell.exe
568	powershell.exe
1556	powershell.exe
2844	powershell.exe
2812	powershell.exe
1872	powershell.exe
1052	powershell.exe
2008	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

WmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

pid	Process
1424	WmiPrvSE.exe
2412	WmiPrvSE.exe
2748	WmiPrvSE.exe
568	WmiPrvSE.exe
2304	WmiPrvSE.exe
2340	WmiPrvSE.exe
2144	WmiPrvSE.exe
2764	WmiPrvSE.exe
1632	WmiPrvSE.exe
2424	WmiPrvSE.exe
2400	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WmiPrvSE.exe5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Drops file in Program Files directory 8 IoCs

Processes:

5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe

description	ioc	Process
File opened for modification	C:\Program Files\Windows Portable Devices\RCXFF85.tmp	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX189.tmp	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\wininit.exe	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
File created	C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
File created	C:\Program Files (x86)\Google\CrashReports\24dbde2999530e	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2244	schtasks.exe
2268	schtasks.exe
2764	schtasks.exe
2704	schtasks.exe
1692	schtasks.exe
2936	schtasks.exe
2824	schtasks.exe
2576	schtasks.exe
2592	schtasks.exe
2664	schtasks.exe
3048	schtasks.exe
1268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

pid	Process
1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
2844	powershell.exe
884	powershell.exe
2812	powershell.exe
332	powershell.exe
568	powershell.exe
1872	powershell.exe
916	powershell.exe
992	powershell.exe
2792	powershell.exe
2008	powershell.exe
1052	powershell.exe
1556	powershell.exe
1424	WmiPrvSE.exe
2412	WmiPrvSE.exe
2748	WmiPrvSE.exe
568	WmiPrvSE.exe
2304	WmiPrvSE.exe
2340	WmiPrvSE.exe
2144	WmiPrvSE.exe
2764	WmiPrvSE.exe
1632	WmiPrvSE.exe
2424	WmiPrvSE.exe
2400	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1424	WmiPrvSE.exe
Token: SeDebugPrivilege	2412	WmiPrvSE.exe
Token: SeDebugPrivilege	2748	WmiPrvSE.exe
Token: SeDebugPrivilege	568	WmiPrvSE.exe
Token: SeDebugPrivilege	2304	WmiPrvSE.exe
Token: SeDebugPrivilege	2340	WmiPrvSE.exe
Token: SeDebugPrivilege	2144	WmiPrvSE.exe
Token: SeDebugPrivilege	2764	WmiPrvSE.exe
Token: SeDebugPrivilege	1632	WmiPrvSE.exe
Token: SeDebugPrivilege	2424	WmiPrvSE.exe
Token: SeDebugPrivilege	2400	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exeWmiPrvSE.exeWScript.exeWmiPrvSE.exeWScript.exeWmiPrvSE.exeWScript.exe

description	pid	Process	procid_target
PID 1580 wrote to memory of 2844	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	43
PID 1580 wrote to memory of 2844	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	43
PID 1580 wrote to memory of 2844	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	43
PID 1580 wrote to memory of 2812	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	44
PID 1580 wrote to memory of 2812	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	44
PID 1580 wrote to memory of 2812	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	44
PID 1580 wrote to memory of 2792	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	46
PID 1580 wrote to memory of 2792	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	46
PID 1580 wrote to memory of 2792	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	46
PID 1580 wrote to memory of 1872	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	48
PID 1580 wrote to memory of 1872	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	48
PID 1580 wrote to memory of 1872	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	48
PID 1580 wrote to memory of 916	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	49
PID 1580 wrote to memory of 916	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	49
PID 1580 wrote to memory of 916	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	49
PID 1580 wrote to memory of 884	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	50
PID 1580 wrote to memory of 884	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	50
PID 1580 wrote to memory of 884	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	50
PID 1580 wrote to memory of 568	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	51
PID 1580 wrote to memory of 568	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	51
PID 1580 wrote to memory of 568	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	51
PID 1580 wrote to memory of 1556	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	52
PID 1580 wrote to memory of 1556	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	52
PID 1580 wrote to memory of 1556	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	52
PID 1580 wrote to memory of 1052	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	53
PID 1580 wrote to memory of 1052	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	53
PID 1580 wrote to memory of 1052	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	53
PID 1580 wrote to memory of 332	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	54
PID 1580 wrote to memory of 332	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	54
PID 1580 wrote to memory of 332	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	54
PID 1580 wrote to memory of 992	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	55
PID 1580 wrote to memory of 992	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	55
PID 1580 wrote to memory of 992	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	55
PID 1580 wrote to memory of 2008	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	56
PID 1580 wrote to memory of 2008	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	56
PID 1580 wrote to memory of 2008	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	56
PID 1580 wrote to memory of 1424	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	67
PID 1580 wrote to memory of 1424	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	67
PID 1580 wrote to memory of 1424	1580	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe	67
PID 1424 wrote to memory of 2824	1424	WmiPrvSE.exe	68
PID 1424 wrote to memory of 2824	1424	WmiPrvSE.exe	68
PID 1424 wrote to memory of 2824	1424	WmiPrvSE.exe	68
PID 1424 wrote to memory of 2268	1424	WmiPrvSE.exe	69
PID 1424 wrote to memory of 2268	1424	WmiPrvSE.exe	69
PID 1424 wrote to memory of 2268	1424	WmiPrvSE.exe	69
PID 2824 wrote to memory of 2412	2824	WScript.exe	70
PID 2824 wrote to memory of 2412	2824	WScript.exe	70
PID 2824 wrote to memory of 2412	2824	WScript.exe	70
PID 2412 wrote to memory of 2976	2412	WmiPrvSE.exe	71
PID 2412 wrote to memory of 2976	2412	WmiPrvSE.exe	71
PID 2412 wrote to memory of 2976	2412	WmiPrvSE.exe	71
PID 2412 wrote to memory of 1532	2412	WmiPrvSE.exe	72
PID 2412 wrote to memory of 1532	2412	WmiPrvSE.exe	72
PID 2412 wrote to memory of 1532	2412	WmiPrvSE.exe	72
PID 2976 wrote to memory of 2748	2976	WScript.exe	73
PID 2976 wrote to memory of 2748	2976	WScript.exe	73
PID 2976 wrote to memory of 2748	2976	WScript.exe	73
PID 2748 wrote to memory of 2796	2748	WmiPrvSE.exe	74
PID 2748 wrote to memory of 2796	2748	WmiPrvSE.exe	74
PID 2748 wrote to memory of 2796	2748	WmiPrvSE.exe	74
PID 2748 wrote to memory of 2812	2748	WmiPrvSE.exe	75
PID 2748 wrote to memory of 2812	2748	WmiPrvSE.exe	75
PID 2748 wrote to memory of 2812	2748	WmiPrvSE.exe	75
PID 2796 wrote to memory of 568	2796	WScript.exe	76

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

WmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe
"C:\Users\Admin\AppData\Local\Temp\5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
  "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1424
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13ee2b86-2a87-44d1-b9b9-f2ba1c954741.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
      C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2412
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\652a64e2-6bab-4b9a-bf89-0467be5f176d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6af9125-9ee3-45e8-913b-96d14e583080.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b5ea364-e5a1-4b6d-becd-a0479bc20ec0.vbs"
        9⤵
        
        PID:1172
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\676dc42b-b842-4642-a698-a155223ea09b.vbs"
        11⤵
        
        PID:2840
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\044367fa-773f-4320-a314-595df1ba0e4b.vbs"
        13⤵
        
        PID:1224
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e80bd070-6f41-4d7a-98a4-ca061fc79051.vbs"
        15⤵
        
        PID:2752
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\655c8b09-eda5-4731-9fa3-9700ca97e6a6.vbs"
        17⤵
        
        PID:1792
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81eb483b-1306-4bac-be0c-f5cd878e3e27.vbs"
        19⤵
        
        PID:1428
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73856d63-d5dc-4b9a-bae4-44f0fd70f37d.vbs"
        21⤵
        
        PID:2544
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beb6fc63-d0f5-407d-9d7b-962b059dec2d.vbs"
        23⤵
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90e78c8b-759a-4805-bad6-53039d63188a.vbs"
        23⤵
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4136b0d1-7e3c-4ecd-9e9a-00b1938ca3ef.vbs"
        21⤵
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\499949bf-830b-4b72-b0f8-131fd9c50ffe.vbs"
        19⤵
        
        PID:1548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ea12099-27e5-4832-b8dc-c5cbd4ee3269.vbs"
        17⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b42e4ec-6d8f-414b-a51a-f3b1baeee9bc.vbs"
        15⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d23c1fb-a89f-439b-8220-f3302aa28710.vbs"
        13⤵
        
        PID:560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\336a1717-f60f-4cd0-9dbd-1553798809c3.vbs"
        11⤵
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22f65422-4dbd-4b26-ba12-9de21a2f0e9e.vbs"
        9⤵
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c621d52-5d9d-4e08-bd56-60a0c069b77e.vbs"
        7⤵
        
        PID:2812
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76526603-4062-4dcd-afde-8cacdc9b2cbd.vbs"
        5⤵
        
        PID:1532
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c8f5ba6-52d9-4539-9f8a-82ada01dc06f.vbs"
    3⤵
    PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Portable Devices\wininit.exe

Filesize
4.9MB

MD5
31b93ec89ad297254d18c2a3f8df6260

SHA1
00498d80e29e4d12cada288878f141a823bb4dac

SHA256
5641790332a9e4e7e0d37b3c3f69b3fac8c5dee4b61fe106ca2d57efa4285d42

SHA512
71f85fb514f77d0fad0badf1238ba75b6ce40511cdea09da79a9719ab5a2de48587bf22d83c5e12ca105466358f77ea50f6c881583d8160a114646752ba9e484

Download Submit
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe

Filesize
4.9MB

MD5
9ac46058638f4d04788bbbeb656162d2

SHA1
a74d9074e20c858fc7daa23fbc09b45d30ae88d7

SHA256
231d78d7933d2166fc79970829e4a4a975b435c7455e47fc6426c6f294221ece

SHA512
64f3f109c6fae541d71e73f7de00277508f482d9e72e1d34da9f02752dd25c43ee389621ecfa97a608b644a803b1e86bc22a9d065ed67f36e6fe1c6236411169

Download Submit
C:\Users\Admin\AppData\Local\Temp\044367fa-773f-4320-a314-595df1ba0e4b.vbs

Filesize
737B

MD5
4ac5c46fc366e1396cea4c99ba298946

SHA1
b0c81301e78d7cd95eed611459a83d3a68019240

SHA256
ea5b66dcbd5ad2388a97c9e4edf97b81fecfc5baf2f832e17f5711c1eb8ddae6

SHA512
8fe4cb6fd47e2ed2482da7fd8bfe3659e9abd73437417a37c618e1da9c038a68535484d01014c9cc37166390464d6b6f421a3277dd3d7d7c17e8d7e9dee53f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\13ee2b86-2a87-44d1-b9b9-f2ba1c954741.vbs

Filesize
737B

MD5
120af2a76a2bbb373d75ecbe5950da51

SHA1
d39019a00549cd4fdbef59ad950c92855acc7898

SHA256
5d705a7ee23bbc3bc60388c36442858644a602b9e2883324c72aa3132d573a2d

SHA512
70ab7e97a3cabc29d6e68d1f8b140d7ba542d6385a552ab67f0787aadeeb9421892c18dd293fced058c67072b09c085d142579e0a94b982f6e549f86702fecce

Download Submit
C:\Users\Admin\AppData\Local\Temp\652a64e2-6bab-4b9a-bf89-0467be5f176d.vbs

Filesize
737B

MD5
c0b4053a8b87a14b4972cd24f01935c2

SHA1
e2cea680f67a370ae7f450adf211e00130e037b1

SHA256
2711f32770b5b971c17704a1777454ab0974e0e864e21d48a720b8ae8ac458a6

SHA512
ba5f98ed63b951a684424885eadd5ec0870e6d9bff95c7825150549ee9ac2d565a0b98ddadd6df47e786081c6c3dddb58ee110a02b81232a94d2b44ac7ab8c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\655c8b09-eda5-4731-9fa3-9700ca97e6a6.vbs

Filesize
737B

MD5
a8c7979bf7c1412ed73bc93d37f64893

SHA1
b7e654e3b65d50d596ecf94c56f62f49175bb0f6

SHA256
0c1740de56d22b4e3161ddf71eb3711e4fdc1d9bde9bbe09a0463b3a8c55438f

SHA512
db1fc209c7940e45de2828012dd53d09a9932a36f575729baf7a8a556c00f77975c25ab475abad7e88bc10c260f42f7a81d1088c8b49eed76060b953f4022abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\676dc42b-b842-4642-a698-a155223ea09b.vbs

Filesize
737B

MD5
280cb525ee7c9570a000811b0d88b901

SHA1
6c55b39f7f3864292c9b00c7942c6ca79bdf73a0

SHA256
fd2d9fb90b253fcb35873ddfad5acab0450d6bb165015118962e950fa32966b0

SHA512
e481cfa5059d1a0060cc76dc98f34723cdbaa3caf7982def6e62b1f02e8b9debfc21d8459efed1835e7b7544a6051f2b61d688b6f30af903a82beeaebf698a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b5ea364-e5a1-4b6d-becd-a0479bc20ec0.vbs

Filesize
736B

MD5
adc7182a542c9c62de82f854962fe47d

SHA1
685a3756d345151306d7c7cacedb391f365620b1

SHA256
cbbbcc83e24d121d778fc722163a4be01bfa1481ad6a2bb894cafc617c7b735d

SHA512
c7b34f105b758fb829e59069b8a394ff21b92c5cce02e6433c47ff13650a2e183b137e3c9f5276dc17812c168de5e935fb1dd17af0740443f8de29f76671bccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c8f5ba6-52d9-4539-9f8a-82ada01dc06f.vbs

Filesize
513B

MD5
c539142489d3f98706d6461aa3b0a463

SHA1
cd1341bbfc8d5d198948434b84563ca8d9098ae8

SHA256
841b9e0e8a71264a999083670196b4904445aa840b6f376c7095470ab1224afc

SHA512
72bdf6327e1931fc6ff183bb742f897e9d23c6c35324b7d243dcca0ca893acb778fc48b3224541beeb0024829ebc5fb15ed8486095c1371cf763316cede49574

Download Submit
C:\Users\Admin\AppData\Local\Temp\73856d63-d5dc-4b9a-bae4-44f0fd70f37d.vbs

Filesize
737B

MD5
ce7b59b015081aa247795e344872c64b

SHA1
3edd1024a69966956b802d2ad03a039d31e80168

SHA256
22e2f3456aa6986ed99cc0da02101e2265b24bb4f4250d84e2018a074a00cf22

SHA512
90c8f8d90168c7a245c06a26703b2065d4b0dbe3969b4f114e34f226cd1cfb1e33447fc8d9ba0b44c458112463abd85775e2665af3c6ee02572cd19336176ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\81eb483b-1306-4bac-be0c-f5cd878e3e27.vbs

Filesize
737B

MD5
2bfe3849f67d904da657c5beb639e617

SHA1
46a669b62c49c6059ec559e2a31e117224f23d75

SHA256
9a9b2038bd94dbf3a046521295290ab7ace756ff92c517ee88aebd32ede5c609

SHA512
1937c05cb67a0956da8adcc03f8431ea0e245b923ba14fa300f0b60c34561e85218a2a30fea0a4177f98565d0a796f6a3d0d15509f8840c017954d3961d68e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\beb6fc63-d0f5-407d-9d7b-962b059dec2d.vbs

Filesize
737B

MD5
82c80c1f6129e2a0f1807b9c80c9550b

SHA1
4c70690799443f28d4ca2b8dfa43ddb37a751887

SHA256
e86c02b4ba220ca2ab14e7a096210bed3aa04170d3187836aa6aae5d72f0731d

SHA512
a49bae6c00503970479574e62423e83ce39bb65cfeb145f7e126448520e5fd511571d40ac2a557b835d8db8d49ffdda1cacc7f0ea448d30c13b27982fd6c5130

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6af9125-9ee3-45e8-913b-96d14e583080.vbs

Filesize
737B

MD5
21f19ae787fcc6940a6bc5b72fe952f7

SHA1
c1c0b90e9d3cf44fb1effa8a2fe3ad0843dc4373

SHA256
1cafc6b85f04eb0e94c1f003f3293b1aab4a9ff9aac32af4965a34ab9426b826

SHA512
8724c3186831fe9748def7ea61a7d63595de5e1e8ac7b33416c49a3951299b00aeba12ef834463ba76dac1b96bff883a4cd30a083159029872bceb213713dcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e80bd070-6f41-4d7a-98a4-ca061fc79051.vbs

Filesize
737B

MD5
26ae9e75b2aff57997528518dce83799

SHA1
19d2b37b74b7c05f3293b8519c91316f8d4a5d2d

SHA256
551ae4f46d8c27f910d417c7f42227216510f39989fa7eb6060881ef5477a170

SHA512
6e64be9036d9e8808ef20106dde4bad6a5fd18e5e795e471696557a5aec65ff84f53a64cfbd1ca7129a97a0f21bb379922be086cccd9e2ce0f970f810a04187d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1777.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0c0671d7baff787a3f0c4364cd4739b2

SHA1
6608be6ec4046938d6c19a35f2769626e410dc64

SHA256
67cc3cf6be67256af6e2a963aca6c3864598090143499c5969b38731e3f24ef0

SHA512
906c4a97890e0518fe25bd177837c30a15ad88092933d795334a3e2f085b904a942c8627d1e0b04650ba7cf106725dfec47d910eff60aab49a18bdf4658dd18c

Download Submit
memory/884-73-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1424-108-0x0000000000D50000-0x0000000001244000-memory.dmp

Filesize
5.0MB

Download
memory/1580-10-0x0000000000930000-0x0000000000942000-memory.dmp

Filesize
72KB

Download
memory/1580-1-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/1580-4-0x00000000008B0000-0x00000000008CC000-memory.dmp

Filesize
112KB

Download
memory/1580-14-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/1580-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/1580-124-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/1580-13-0x0000000000960000-0x000000000096E000-memory.dmp

Filesize
56KB

Download
memory/1580-12-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/1580-15-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1580-2-0x000000001BA10000-0x000000001BB3E000-memory.dmp

Filesize
1.2MB

Download
memory/1580-3-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/1580-16-0x00000000023B0000-0x00000000023BC000-memory.dmp

Filesize
48KB

Download
memory/1580-11-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/1580-9-0x0000000000920000-0x000000000092A000-memory.dmp

Filesize
40KB

Download
memory/1580-8-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/1580-7-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/1580-5-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/1580-6-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/1632-240-0x0000000000340000-0x0000000000834000-memory.dmp

Filesize
5.0MB

Download
memory/2400-270-0x0000000000220000-0x0000000000714000-memory.dmp

Filesize
5.0MB

Download
memory/2412-138-0x0000000000E30000-0x0000000001324000-memory.dmp

Filesize
5.0MB

Download
memory/2424-255-0x0000000001250000-0x0000000001744000-memory.dmp

Filesize
5.0MB

Download
memory/2748-154-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/2748-153-0x0000000001200000-0x00000000016F4000-memory.dmp

Filesize
5.0MB

Download
memory/2764-225-0x00000000001F0000-0x00000000006E4000-memory.dmp

Filesize
5.0MB

Download
memory/2844-75-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download