dcrat | 9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Size

4.9MB
MD5

6fffc1e333969842f53c8ccc15fc56e0
SHA1

5b11ed152f48402f76af5291115599635a0f5323
SHA256

9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54
SHA512

f7108a3213d454094fcbbc21ccb84837d31c81cbb0776593e591685b8b34d5a676aec610603b94de849a867eed84b9d5881421669418f546acf99ceb9dbf6225
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2812	schtasks.exe	30

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2368-3-0x000000001B430000-0x000000001B55E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1992	powershell.exe
1768	powershell.exe
2652	powershell.exe
856	powershell.exe
636	powershell.exe
1972	powershell.exe
3000	powershell.exe
3060	powershell.exe
3024	powershell.exe
1428	powershell.exe
1492	powershell.exe
1372	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1732	audiodg.exe
2100	audiodg.exe
2648	audiodg.exe
2564	audiodg.exe
920	audiodg.exe
2596	audiodg.exe
940	audiodg.exe
2648	audiodg.exe
1036	audiodg.exe
2744	audiodg.exe
1576	audiodg.exe
276	audiodg.exe
2356	audiodg.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe
2760	schtasks.exe
2932	schtasks.exe
2928	schtasks.exe
2704	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
3000	powershell.exe
3024	powershell.exe
636	powershell.exe
1768	powershell.exe
1972	powershell.exe
1492	powershell.exe
1372	powershell.exe
3060	powershell.exe
856	powershell.exe
2652	powershell.exe
1992	powershell.exe
1428	powershell.exe
1732	audiodg.exe
2100	audiodg.exe
2648	audiodg.exe
2564	audiodg.exe
920	audiodg.exe
2596	audiodg.exe
940	audiodg.exe
2648	audiodg.exe
1036	audiodg.exe
2744	audiodg.exe
1576	audiodg.exe
276	audiodg.exe
2356	audiodg.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	1732	audiodg.exe
Token: SeDebugPrivilege	2100	audiodg.exe
Token: SeDebugPrivilege	2648	audiodg.exe
Token: SeDebugPrivilege	2564	audiodg.exe
Token: SeDebugPrivilege	920	audiodg.exe
Token: SeDebugPrivilege	2596	audiodg.exe
Token: SeDebugPrivilege	940	audiodg.exe
Token: SeDebugPrivilege	2648	audiodg.exe
Token: SeDebugPrivilege	1036	audiodg.exe
Token: SeDebugPrivilege	2744	audiodg.exe
Token: SeDebugPrivilege	1576	audiodg.exe
Token: SeDebugPrivilege	276	audiodg.exe
Token: SeDebugPrivilege	2356	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3000	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	37
PID 2368 wrote to memory of 3000	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	37
PID 2368 wrote to memory of 3000	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	37
PID 2368 wrote to memory of 3060	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	38
PID 2368 wrote to memory of 3060	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	38
PID 2368 wrote to memory of 3060	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	38
PID 2368 wrote to memory of 2652	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	39
PID 2368 wrote to memory of 2652	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	39
PID 2368 wrote to memory of 2652	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	39
PID 2368 wrote to memory of 3024	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	42
PID 2368 wrote to memory of 3024	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	42
PID 2368 wrote to memory of 3024	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	42
PID 2368 wrote to memory of 1768	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	43
PID 2368 wrote to memory of 1768	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	43
PID 2368 wrote to memory of 1768	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	43
PID 2368 wrote to memory of 1372	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	44
PID 2368 wrote to memory of 1372	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	44
PID 2368 wrote to memory of 1372	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	44
PID 2368 wrote to memory of 1972	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	46
PID 2368 wrote to memory of 1972	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	46
PID 2368 wrote to memory of 1972	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	46
PID 2368 wrote to memory of 636	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	47
PID 2368 wrote to memory of 636	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	47
PID 2368 wrote to memory of 636	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	47
PID 2368 wrote to memory of 856	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	48
PID 2368 wrote to memory of 856	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	48
PID 2368 wrote to memory of 856	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	48
PID 2368 wrote to memory of 1492	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	49
PID 2368 wrote to memory of 1492	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	49
PID 2368 wrote to memory of 1492	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	49
PID 2368 wrote to memory of 1428	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	50
PID 2368 wrote to memory of 1428	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	50
PID 2368 wrote to memory of 1428	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	50
PID 2368 wrote to memory of 1992	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	51
PID 2368 wrote to memory of 1992	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	51
PID 2368 wrote to memory of 1992	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	51
PID 2368 wrote to memory of 2888	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	61
PID 2368 wrote to memory of 2888	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	61
PID 2368 wrote to memory of 2888	2368	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	61
PID 2888 wrote to memory of 2192	2888	cmd.exe	63
PID 2888 wrote to memory of 2192	2888	cmd.exe	63
PID 2888 wrote to memory of 2192	2888	cmd.exe	63
PID 2888 wrote to memory of 1732	2888	cmd.exe	64
PID 2888 wrote to memory of 1732	2888	cmd.exe	64
PID 2888 wrote to memory of 1732	2888	cmd.exe	64
PID 1732 wrote to memory of 2852	1732	audiodg.exe	65
PID 1732 wrote to memory of 2852	1732	audiodg.exe	65
PID 1732 wrote to memory of 2852	1732	audiodg.exe	65
PID 1732 wrote to memory of 1988	1732	audiodg.exe	66
PID 1732 wrote to memory of 1988	1732	audiodg.exe	66
PID 1732 wrote to memory of 1988	1732	audiodg.exe	66
PID 2852 wrote to memory of 2100	2852	WScript.exe	68
PID 2852 wrote to memory of 2100	2852	WScript.exe	68
PID 2852 wrote to memory of 2100	2852	WScript.exe	68
PID 2100 wrote to memory of 1644	2100	audiodg.exe	69
PID 2100 wrote to memory of 1644	2100	audiodg.exe	69
PID 2100 wrote to memory of 1644	2100	audiodg.exe	69
PID 2100 wrote to memory of 1612	2100	audiodg.exe	70
PID 2100 wrote to memory of 1612	2100	audiodg.exe	70
PID 2100 wrote to memory of 1612	2100	audiodg.exe	70
PID 1644 wrote to memory of 2648	1644	WScript.exe	71
PID 1644 wrote to memory of 2648	1644	WScript.exe	71
PID 1644 wrote to memory of 2648	1644	WScript.exe	71
PID 2648 wrote to memory of 1908	2648	audiodg.exe	72

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
"C:\Users\Admin\AppData\Local\Temp\9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3qIDwt1oDr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2192
- - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
    "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1732
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6ba3060-b293-410a-9843-d7269b4d7e4c.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2100
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4bfbb6d-be14-4774-8916-4f2ae816c2e3.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81a44bd6-c1dd-4133-916e-c7d182ed231a.vbs"
        8⤵
        
        PID:1908
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65c04d59-1db1-4e52-b17e-96263f0b9ea3.vbs"
        10⤵
        
        PID:2356
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b6761ab-7384-4600-aefc-af0a8223be5a.vbs"
        12⤵
        
        PID:2332
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f00b6a72-0f36-44c2-83ee-cb322696086f.vbs"
        14⤵
        
        PID:2464
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e0cc6a2-655d-4feb-98bd-8f9a83ceaedf.vbs"
        16⤵
        
        PID:2168
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57b9c3f6-133f-4b85-8dea-d45f2ff4d024.vbs"
        18⤵
        
        PID:1492
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50995871-dadb-47d9-8275-8ede4a72d19c.vbs"
        20⤵
        
        PID:2368
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\800e8ced-9b0d-44f5-8542-632471757841.vbs"
        22⤵
        
        PID:2416
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a133860-98d5-4f7d-864d-fb97f0e2647a.vbs"
        24⤵
        
        PID:2432
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f493230f-ba2b-4c5d-8caf-033683807d50.vbs"
        26⤵
        
        PID:2176
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe"
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b6c54ef-1759-4756-9756-41aaee931a0d.vbs"
        28⤵
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60d36af6-d044-4278-806c-6a8bd083b19a.vbs"
        28⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce6ee18c-4f84-43e8-923d-98fc0e2354a1.vbs"
        26⤵
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e72e7dc-c401-4796-9d04-916ecdfe1b35.vbs"
        24⤵
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a8e10c-2872-4a8f-ba35-eca88cd08be5.vbs"
        22⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\215a059d-d065-41d5-b395-30c8df71b366.vbs"
        20⤵
        
        PID:860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be216d79-cdee-4217-a64a-ec3b806750d0.vbs"
        18⤵
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b11b7a9-5c00-4a28-8e82-df2a25525e95.vbs"
        16⤵
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1721a9b5-fe63-4773-b174-89899b02afb0.vbs"
        14⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfe6109a-40af-49a5-bc01-b0dcffd35c36.vbs"
        12⤵
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\356114e6-92d0-428a-8d0e-d7071af60ad9.vbs"
        10⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\800dfae3-ee59-47e3-8a5c-69a9e9603133.vbs"
        8⤵
        
        PID:600
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81b8a249-9126-4662-85e3-63e7df508df7.vbs"
        6⤵
        
        PID:1612
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\520c7291-0fd5-450c-97cb-9be7b131217e.vbs"
      4⤵
      PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe

Filesize
4.9MB

MD5
6fffc1e333969842f53c8ccc15fc56e0

SHA1
5b11ed152f48402f76af5291115599635a0f5323

SHA256
9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54

SHA512
f7108a3213d454094fcbbc21ccb84837d31c81cbb0776593e591685b8b34d5a676aec610603b94de849a867eed84b9d5881421669418f546acf99ceb9dbf6225

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe

Filesize
4.9MB

MD5
42e6d9ddd03a894510eb0d9d325ad36a

SHA1
ea16e3e37436504f4ca3c4efaee0bddbb3072fb4

SHA256
7792e18100e7511d6cf20d34269c589d1d54c8e9076c84729dc3ae97a7bd0733

SHA512
2506ed672c3533a6e031631c45fba51de1bbc369a6f44b832b3a817ea4ed5f2a0e61dfdc22df41c807cdafe6cdf07e7e54e413d090b3c5a672fa342290b7cc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e0cc6a2-655d-4feb-98bd-8f9a83ceaedf.vbs

Filesize
749B

MD5
451dd024ea252337fb21bbce3b686ae5

SHA1
df19125f06b3fbd338338862f0576ab1307bc112

SHA256
67c0d47961529fd210a8f36835bec20b3157138e62c4de9698714a5d17734368

SHA512
d31782fe76858bca5ba763d7ccf5bb0764899e13109763348f3ebddaf4a71c8659abe78e94fdb0d1bf5e92a241a4a922984114fbf99d13bb60682d0e30820ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a133860-98d5-4f7d-864d-fb97f0e2647a.vbs

Filesize
750B

MD5
5002a82ff8298e7f4f6762e7e9a39961

SHA1
ab8f97063b1b5a8768b590fb9fe56769f1efb12a

SHA256
9dd4aef8c5b6d4e8a02182e9e30c9015b8c6cd0d0e1a960cae72c989678fa540

SHA512
c22ebcb8879ccdaaca161d7d10a23af4388464d905af8fb124921a110fc8c2bbe647148ad360991b805343590284d1685c272403e09e658dfdabf0cc55df30d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b6761ab-7384-4600-aefc-af0a8223be5a.vbs

Filesize
749B

MD5
689e75c4554f19b373ec984989bd935b

SHA1
bf56e8f3ecef584b96c665a3f069b667d550985a

SHA256
b3d87de184cb209af43b559fae3b786eae2710c54b86a948403e6f4871345174

SHA512
1ec7d35c7ac3be10c2302684e215a77180623151709fc5f3a8de420f6310948b32eb63dd3bfbdc706d56d489cf85cae01d8bc25c6278e7aab75b0b85376f6f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b6c54ef-1759-4756-9756-41aaee931a0d.vbs

Filesize
750B

MD5
e9406a29b13b488e2dfd8b2510dac7b0

SHA1
e702f19ab77af480a3eeb92cb60d6d1f94772fd0

SHA256
7b290b6f2c6fcae8b607c67ceb413abf21818a511bd9bd844117707ce7fcada5

SHA512
743ebcd1f257d8743e499c36991c5ca0b4de961064c545e9a7dbe092887ef9b9d96334152e84da708185281b658b4639162f63c4ec785b307479c95ea21ba100

Download Submit
C:\Users\Admin\AppData\Local\Temp\3qIDwt1oDr.bat

Filesize
239B

MD5
172889e8cc3c107bb3184a69d538df94

SHA1
e97ce4d4a796451fe4ec5022c1b39dbf12cca06d

SHA256
c866843caf6c4ecddd8e6752cdd4df9a5612676cc429ac278fc8ace1d51791c9

SHA512
64d842a148bf9fbca0546773395d6fd08023a4db3e62fa6af4ee9bbe0ed47054464651ab7da84bb6ed809d5c154de8f702242e7cdf80034eb67c54feecffeec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\50995871-dadb-47d9-8275-8ede4a72d19c.vbs

Filesize
750B

MD5
0fcf7cee14f7b9d6a308f41fb179df7d

SHA1
d2f66003eac853ca372a30cea7e116f32c569935

SHA256
2d14d2b8c31a8846a4b96f4d2fcfdc634255349e218891f65bb3fda028b32699

SHA512
c8356f79cfb97e545a67f2409ca0fe41e33d011c3545211fda84b68e2ce0bc7b805d477d94d9f3d91659f8baa5358dc003c9aeaa8da8b23b7526b2f4c338bfe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\520c7291-0fd5-450c-97cb-9be7b131217e.vbs

Filesize
526B

MD5
f44cd7db5e2d490ae8670b97e1fff1a9

SHA1
f50e115ed3362d341dacdc977e901084aadcbcb0

SHA256
0afd5e5f0ab19d4cc054b90aa8bcc2f235667ca44a40607e3d5bb69d542c682c

SHA512
d7fb23df2db6a352201b09f4e83806e0bd5affe88bc19b16f1b011de551d08d8db818260523dfa4840eecb21f1b338fa530163fdbe3b2e63641df5aee63e0db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\65c04d59-1db1-4e52-b17e-96263f0b9ea3.vbs

Filesize
750B

MD5
6731430761eca7ffe795795702c3c44c

SHA1
0b71e027b58f0dc3282262435a9b246c50d2b941

SHA256
5ba45908f63274e55fb5482bc37c2d3665399abecaacf9e792f6797c6fddaecb

SHA512
824d0358bf19104eb6ec66b9d5ea30a7c92b1cf6afb19b2d99a4a79cc3f2aa57a2d82afba04d1fc7f69def52aae9bfb89cb208bfcced45055f9410650d92d6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\800e8ced-9b0d-44f5-8542-632471757841.vbs

Filesize
750B

MD5
011ba604199c7f730fa171040dc9e3f6

SHA1
4095c6857c2c9046c93f26e556d07256860c4287

SHA256
4c83f014b53e4e170694e8be9f12509e49048d05e31c5a29f756f3385af4f1af

SHA512
c126abb58815307c0ef1fed4a16027637d9f3b34fbd11553876d8b948160f33d203393307cdf6a381860cafa534a78a3f61d8c57f944d6a4422d49da66529951

Download Submit
C:\Users\Admin\AppData\Local\Temp\81a44bd6-c1dd-4133-916e-c7d182ed231a.vbs

Filesize
750B

MD5
abc70030006a3be97497108924a82923

SHA1
1b82d9473829d6330a23ad0812aec6107b4b66c7

SHA256
d1c4e6d4709037247d106521b4625104ed7926e9d1c6b9c25bf2bf4e7423027b

SHA512
532aa2fc1ff1ca8f7881b1c12bdcb8259b8631dccef76da0f8e9bde9e9d0193777261e2dac12c6524ddbffe45f772afc56a0196b631a8e2f5c64eca7d22b15a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6ba3060-b293-410a-9843-d7269b4d7e4c.vbs

Filesize
750B

MD5
3b5e301eefd447f611c5ff9d61d99d91

SHA1
bc578b0151f3a5ebeb65c3ee255df7846b9492a3

SHA256
66426e44b3be4d90ef6cfc10474e1d695e0a6d9414b072b2b668aa8609fa8f35

SHA512
40262341cfac0860c367bf4161e61e97afeaf0485942f27aff18c9e2ec6d2e5e813f214282ff011dd56bf2a7f992603e5a97a6aa729e0a3aa1a95839844fa030

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4bfbb6d-be14-4774-8916-4f2ae816c2e3.vbs

Filesize
750B

MD5
3838ddbe08299e47a84e4aff4e48223f

SHA1
30f0f696adec962a00572bdba357099fd84cec25

SHA256
68376f5af835a1424bf60dedf2550ef691c60efd15c8b7ba8d8f2d14f35fb4d0

SHA512
73b1e9d0ca393c9f499effda7ca1bd31af5fa246fa7367b502583a70b3828600a0afde7b61d5a159e744b337d9281d6bf438cb343d38f8e1d1b73d1656ccde7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f00b6a72-0f36-44c2-83ee-cb322696086f.vbs

Filesize
750B

MD5
5df4b204f54476cf0499e12516f754af

SHA1
b25be3556329ab7bbcb0ee882059257b18fc70d4

SHA256
3d39a12cb0bae6d29dd73616662581bb87339f06b2e1dbd0a172ada6ca5d56d2

SHA512
22480a064ba1cefd53e6e4e010a7b6c4057c888f9ae3450c37b93deec7a8809dd952b2bf5d92bb4d278119116515a5e88efcb5a5cc2925e6bd2c0ccb64425ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f493230f-ba2b-4c5d-8caf-033683807d50.vbs

Filesize
749B

MD5
4aef08ec50cfc930fc485719946d7784

SHA1
c8ac557372bc626e88300a7c104c8618e2b04376

SHA256
4ecc0dde9a0e3875b4e995943b2891eaf2629513c60cceab3bed4bf3ba6ce9eb

SHA512
48a150813eaef16cf9567446846c59b71b418e35fb6b70179b18973012e1d078792f6309a281086e62ab8414c627b46b555655168c6dc7098f252c10063b542e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6E6.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2e16609324c68fa8a903e08d991fabb4

SHA1
c7d8cb13d8c31f70d26c83f87f006c886d2a9aa9

SHA256
8612fb496352d8d78ae9031270453b81466349a9ad440f215f983711dd84f22c

SHA512
5efb5c396d67a10454c6a739eaf64ab8604741cca9b461b4cf7ec847f0ec76f5e604700a9fd5057b332fc79fe70718902f1780bb43dfe031a71c4b6ebdbb4a9a

Download Submit
memory/276-275-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/920-168-0x0000000000880000-0x0000000000D74000-memory.dmp

Filesize
5.0MB

Download
memory/940-199-0x00000000009E0000-0x0000000000ED4000-memory.dmp

Filesize
5.0MB

Download
memory/1036-229-0x0000000000C80000-0x0000000001174000-memory.dmp

Filesize
5.0MB

Download
memory/1576-260-0x0000000000D20000-0x0000000001214000-memory.dmp

Filesize
5.0MB

Download
memory/1732-107-0x0000000001240000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/1732-108-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/2100-122-0x0000000000100000-0x00000000005F4000-memory.dmp

Filesize
5.0MB

Download
memory/2356-290-0x0000000001370000-0x0000000001864000-memory.dmp

Filesize
5.0MB

Download
memory/2368-13-0x0000000001300000-0x000000000130E000-memory.dmp

Filesize
56KB

Download
memory/2368-14-0x0000000001310000-0x0000000001318000-memory.dmp

Filesize
32KB

Download
memory/2368-1-0x00000000013A0000-0x0000000001894000-memory.dmp

Filesize
5.0MB

Download
memory/2368-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-3-0x000000001B430000-0x000000001B55E000-memory.dmp

Filesize
1.2MB

Download
memory/2368-4-0x00000000009D0000-0x00000000009EC000-memory.dmp

Filesize
112KB

Download
memory/2368-16-0x0000000001330000-0x000000000133C000-memory.dmp

Filesize
48KB

Download
memory/2368-67-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-15-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/2368-8-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/2368-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/2368-5-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2368-6-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/2368-12-0x00000000012F0000-0x00000000012FE000-memory.dmp

Filesize
56KB

Download
memory/2368-11-0x00000000012E0000-0x00000000012EA000-memory.dmp

Filesize
40KB

Download
memory/2368-10-0x0000000001250000-0x0000000001262000-memory.dmp

Filesize
72KB

Download
memory/2368-7-0x0000000000C20000-0x0000000000C36000-memory.dmp

Filesize
88KB

Download
memory/2368-9-0x0000000001140000-0x000000000114A000-memory.dmp

Filesize
40KB

Download
memory/2564-153-0x0000000000210000-0x0000000000704000-memory.dmp

Filesize
5.0MB

Download
memory/2596-184-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2596-183-0x0000000000890000-0x0000000000D84000-memory.dmp

Filesize
5.0MB

Download
memory/2648-214-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/2648-138-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2648-137-0x0000000000B60000-0x0000000001054000-memory.dmp

Filesize
5.0MB

Download
memory/2744-244-0x0000000000D00000-0x00000000011F4000-memory.dmp

Filesize
5.0MB

Download
memory/2744-245-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/3000-45-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/3000-46-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download