dcrat | 70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28

Analysis

max time kernel
117s
max time network
112s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
Size

4.9MB
MD5

4c15b0d03df11adc117efa496536e522
SHA1

d0fae02a4a40b1c0fb98e8ea9da4bdec941ec471
SHA256

70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28
SHA512

ae900037ef1b05771365096f2e3b73353f3c7ff627f130134278d427ac0d414b234cec161bf6f76b860bf0a691dc65cfc8e281b176752550bf989edd82309121
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8R:J

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2708	schtasks.exe	31

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

WMIADAP.exe70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2448-3-0x000000001B140000-0x000000001B26E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
268	powershell.exe
648	powershell.exe
1652	powershell.exe
916	powershell.exe
1756	powershell.exe
1392	powershell.exe
2180	powershell.exe
1696	powershell.exe
928	powershell.exe
2624	powershell.exe
1312	powershell.exe
1792	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

WMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exe

pid	Process
2460	WMIADAP.exe
1776	WMIADAP.exe
1152	WMIADAP.exe
764	WMIADAP.exe
3012	WMIADAP.exe
2940	WMIADAP.exe
2816	WMIADAP.exe
944	WMIADAP.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe

Drops file in Program Files directory 20 IoCs

Processes:

70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\csrss.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Program Files (x86)\Common Files\Services\f3b6ecef712a24	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\taskhost.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\b75386f1303e64	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\csrss.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\spoolsv.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\RCXF7DC.tmp	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\explorer.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\taskhost.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\System.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Program Files (x86)\Internet Explorer\7a0fd90576e088	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\RCXF3D5.tmp	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\System.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXFBE4.tmp	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Program Files\Windows NT\TableTextService\886983d96e3d3e	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Program Files (x86)\Common Files\Services\spoolsv.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\27d1bcfc3c54e0	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Program Files (x86)\Internet Explorer\explorer.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXF5D9.tmp	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCXFDE8.tmp	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe

Drops file in Windows directory 10 IoCs

Processes:

70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\886983d96e3d3e	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Windows\Speech\Common\de-DE\OSPPSVC.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Windows\Boot\PCAT\OSPPSVC.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Windows\TAPI\WmiPrvSE.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Windows\TAPI\24dbde2999530e	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Windows\TAPI\WmiPrvSE.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\csrss.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\RCXF1D0.tmp	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\csrss.exe	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
File opened for modification	C:\Windows\TAPI\RCXF9E0.tmp	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2688	schtasks.exe
2580	schtasks.exe
2620	schtasks.exe
1720	schtasks.exe
1052	schtasks.exe
2820	schtasks.exe
2804	schtasks.exe
1980	schtasks.exe
1036	schtasks.exe
2780	schtasks.exe
2596	schtasks.exe
2736	schtasks.exe
2616	schtasks.exe
1484	schtasks.exe
2004	schtasks.exe
320	schtasks.exe
580	schtasks.exe
2024	schtasks.exe
1948	schtasks.exe
1152	schtasks.exe
1700	schtasks.exe
2556	schtasks.exe
1760	schtasks.exe
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exe

pid	Process
2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
916	powershell.exe
2624	powershell.exe
648	powershell.exe
1696	powershell.exe
1756	powershell.exe
2180	powershell.exe
1392	powershell.exe
1312	powershell.exe
1792	powershell.exe
1652	powershell.exe
928	powershell.exe
268	powershell.exe
2460	WMIADAP.exe
1776	WMIADAP.exe
1152	WMIADAP.exe
764	WMIADAP.exe
3012	WMIADAP.exe
2940	WMIADAP.exe
2816	WMIADAP.exe
944	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	2460	WMIADAP.exe
Token: SeDebugPrivilege	1776	WMIADAP.exe
Token: SeDebugPrivilege	1152	WMIADAP.exe
Token: SeDebugPrivilege	764	WMIADAP.exe
Token: SeDebugPrivilege	3012	WMIADAP.exe
Token: SeDebugPrivilege	2940	WMIADAP.exe
Token: SeDebugPrivilege	2816	WMIADAP.exe
Token: SeDebugPrivilege	944	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exeWMIADAP.exeWScript.exeWMIADAP.exeWScript.exeWMIADAP.exeWScript.exe

description	pid	Process	procid_target
PID 2448 wrote to memory of 648	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	56
PID 2448 wrote to memory of 648	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	56
PID 2448 wrote to memory of 648	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	56
PID 2448 wrote to memory of 1792	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	57
PID 2448 wrote to memory of 1792	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	57
PID 2448 wrote to memory of 1792	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	57
PID 2448 wrote to memory of 268	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	58
PID 2448 wrote to memory of 268	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	58
PID 2448 wrote to memory of 268	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	58
PID 2448 wrote to memory of 1312	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	60
PID 2448 wrote to memory of 1312	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	60
PID 2448 wrote to memory of 1312	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	60
PID 2448 wrote to memory of 1652	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	62
PID 2448 wrote to memory of 1652	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	62
PID 2448 wrote to memory of 1652	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	62
PID 2448 wrote to memory of 2180	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	63
PID 2448 wrote to memory of 2180	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	63
PID 2448 wrote to memory of 2180	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	63
PID 2448 wrote to memory of 1696	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	64
PID 2448 wrote to memory of 1696	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	64
PID 2448 wrote to memory of 1696	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	64
PID 2448 wrote to memory of 916	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	65
PID 2448 wrote to memory of 916	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	65
PID 2448 wrote to memory of 916	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	65
PID 2448 wrote to memory of 928	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	66
PID 2448 wrote to memory of 928	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	66
PID 2448 wrote to memory of 928	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	66
PID 2448 wrote to memory of 1756	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	67
PID 2448 wrote to memory of 1756	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	67
PID 2448 wrote to memory of 1756	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	67
PID 2448 wrote to memory of 1392	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	68
PID 2448 wrote to memory of 1392	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	68
PID 2448 wrote to memory of 1392	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	68
PID 2448 wrote to memory of 2624	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	69
PID 2448 wrote to memory of 2624	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	69
PID 2448 wrote to memory of 2624	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	69
PID 2448 wrote to memory of 2460	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	80
PID 2448 wrote to memory of 2460	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	80
PID 2448 wrote to memory of 2460	2448	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe	80
PID 2460 wrote to memory of 2224	2460	WMIADAP.exe	81
PID 2460 wrote to memory of 2224	2460	WMIADAP.exe	81
PID 2460 wrote to memory of 2224	2460	WMIADAP.exe	81
PID 2460 wrote to memory of 2064	2460	WMIADAP.exe	82
PID 2460 wrote to memory of 2064	2460	WMIADAP.exe	82
PID 2460 wrote to memory of 2064	2460	WMIADAP.exe	82
PID 2224 wrote to memory of 1776	2224	WScript.exe	83
PID 2224 wrote to memory of 1776	2224	WScript.exe	83
PID 2224 wrote to memory of 1776	2224	WScript.exe	83
PID 1776 wrote to memory of 2688	1776	WMIADAP.exe	84
PID 1776 wrote to memory of 2688	1776	WMIADAP.exe	84
PID 1776 wrote to memory of 2688	1776	WMIADAP.exe	84
PID 1776 wrote to memory of 2024	1776	WMIADAP.exe	85
PID 1776 wrote to memory of 2024	1776	WMIADAP.exe	85
PID 1776 wrote to memory of 2024	1776	WMIADAP.exe	85
PID 2688 wrote to memory of 1152	2688	WScript.exe	86
PID 2688 wrote to memory of 1152	2688	WScript.exe	86
PID 2688 wrote to memory of 1152	2688	WScript.exe	86
PID 1152 wrote to memory of 2752	1152	WMIADAP.exe	87
PID 1152 wrote to memory of 2752	1152	WMIADAP.exe	87
PID 1152 wrote to memory of 2752	1152	WMIADAP.exe	87
PID 1152 wrote to memory of 1600	1152	WMIADAP.exe	88
PID 1152 wrote to memory of 1600	1152	WMIADAP.exe	88
PID 1152 wrote to memory of 1600	1152	WMIADAP.exe	88
PID 2752 wrote to memory of 764	2752	WScript.exe	89

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

WMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exe70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exeWMIADAP.exeWMIADAP.exeWMIADAP.exeWMIADAP.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe
"C:\Users\Admin\AppData\Local\Temp\70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\MSOCache\All Users\WMIADAP.exe
  "C:\MSOCache\All Users\WMIADAP.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2460
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\650763ce-da8a-4210-8496-34d452a099d9.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\MSOCache\All Users\WMIADAP.exe
      "C:\MSOCache\All Users\WMIADAP.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1776
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cba9a60e-9992-473c-a223-a2d1798f323e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\MSOCache\All Users\WMIADAP.exe
        
        "C:\MSOCache\All Users\WMIADAP.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6253a9ef-6b90-4ece-9b80-1b2f3c52b2d9.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\MSOCache\All Users\WMIADAP.exe
        
        "C:\MSOCache\All Users\WMIADAP.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac802db6-499d-417a-9e1d-3b9c40137d2b.vbs"
        9⤵
        
        PID:2964
        
        C:\MSOCache\All Users\WMIADAP.exe
        
        "C:\MSOCache\All Users\WMIADAP.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f5d227b-6782-4cb7-80c3-a1d92cdab14d.vbs"
        11⤵
        
        PID:976
        
        C:\MSOCache\All Users\WMIADAP.exe
        
        "C:\MSOCache\All Users\WMIADAP.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3537db8a-3669-4c78-9864-b97a0d9113ac.vbs"
        13⤵
        
        PID:2076
        
        C:\MSOCache\All Users\WMIADAP.exe
        
        "C:\MSOCache\All Users\WMIADAP.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81ea1b17-7a16-48b0-8d22-c5244c6008f4.vbs"
        15⤵
        
        PID:1728
        
        C:\MSOCache\All Users\WMIADAP.exe
        
        "C:\MSOCache\All Users\WMIADAP.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac71a660-e64f-4409-9fa8-0488a78949e4.vbs"
        17⤵
        
        PID:1240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e09fa30a-3a43-4e94-9816-5ffc4c075299.vbs"
        17⤵
        
        PID:1876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b69b287-9f46-42e7-bce1-26a305a8ab02.vbs"
        15⤵
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0ed4900-bfc2-4396-844b-f0d3aa1d8d30.vbs"
        13⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f721409-8ad1-4610-9b17-17d57a83c458.vbs"
        11⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d22eeee7-e585-428e-9d46-ccf6e859dfc8.vbs"
        9⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c690cda4-60fe-4234-b1f0-19e4903c0181.vbs"
        7⤵
        
        PID:1600
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f195e80-cf10-439d-a9fa-225f59778980.vbs"
        5⤵
        
        PID:2024
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c45e1f2-0ecc-4001-b4bb-0dcd804e0450.vbs"
    3⤵
    PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\System.exe

Filesize
4.9MB

MD5
4c15b0d03df11adc117efa496536e522

SHA1
d0fae02a4a40b1c0fb98e8ea9da4bdec941ec471

SHA256
70c569ce0cef24601ebc96812d06c4fa8c422b7bdf7b86a73ec2ec4a69e14c28

SHA512
ae900037ef1b05771365096f2e3b73353f3c7ff627f130134278d427ac0d414b234cec161bf6f76b860bf0a691dc65cfc8e281b176752550bf989edd82309121

Download Submit
C:\Program Files (x86)\Windows Media Player\Media Renderer\RCXFDE8.tmp

Filesize
4.9MB

MD5
1be7f43633deb3704868bf71fd335bac

SHA1
e118b51a2211c9161b0917846d0b3e621a4f25af

SHA256
5cd7b9d07b42475368f105880e1c2543c53601b366f49c3a113441116d9182df

SHA512
1bf6ced412f542df8d1c83ab646ea618320b1e9c4711a40480cbc4a56a22231ed2cd34dd215ef1ad2ad9acff07d5a3479aff862616affe0aa8ce6deafa104a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\25e5c97c67c57ef9b1ec77b808c3fc3df07db528.exe

Filesize
4.9MB

MD5
4374ed4f60874dbf5b712bb89f996abe

SHA1
8e49b94618fddd5e0a4b36999ae9cfa400f326a3

SHA256
4dea8f05d7f8d12be7d2744d02086136c6879209e765749dfdc770effa245224

SHA512
262571ed48a230ada77fd17916fe8e1dd5f946dd8a55e8d946a601a50fe7fac911a72608c3f86638f9baa6d7692dbc8c34b5672dd5b58ac2c536b2fcf7557aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f5d227b-6782-4cb7-80c3-a1d92cdab14d.vbs

Filesize
709B

MD5
f9f5d8ec87e4368e763bdbff9ed8b28f

SHA1
e61dd4a105aaed04411afb7cf76e2eef74f55384

SHA256
5dd75d0b6b340023a1e3ade2cb0093d39d39f0f42e91256816561017d918943f

SHA512
aa70e26fb403bc9c60723e6356ea0568d26d2c4f4d2a6cc395514bc1e5aa04817d76b0920ef0335a4f2beacd15aa28748b08145e168d0bcff26ab0f7341a94be

Download Submit
C:\Users\Admin\AppData\Local\Temp\3537db8a-3669-4c78-9864-b97a0d9113ac.vbs

Filesize
709B

MD5
032e6421e2064f01ec71265fd5cf47a7

SHA1
e851a47150d3b7930f10a09075c2154c14b43f4b

SHA256
5951e1604056c980d04ec102bc37d61af99274b31e6800adbc685636656148fe

SHA512
2da51aa00e6de0eff269d4b52681d40f7424dd636cbd49e1832af21564a99b805317e0d1ee8940c887466a073930959cb38567abfb3a8aef2f722a672095a839

Download Submit
C:\Users\Admin\AppData\Local\Temp\6253a9ef-6b90-4ece-9b80-1b2f3c52b2d9.vbs

Filesize
709B

MD5
92fa1cc84814be093e70d15bb4afe71c

SHA1
9f150c5409adf09885f65a3abd4efb6d156b7339

SHA256
5e96f2765dcba1327dcde33acc9f63fbb6ccb774026e06dd9cfdf2c59d6e20d7

SHA512
6fae83ca7df24427f44bae589e1a89cab4a8804167059506726852d1813b033bc3d51dda095d24581d039c7cd8224f06bc336578de8d80b24a128e39c36cae03

Download Submit
C:\Users\Admin\AppData\Local\Temp\650763ce-da8a-4210-8496-34d452a099d9.vbs

Filesize
709B

MD5
61705cad31a23106baf7f8fe843d8e61

SHA1
1ef7fef25b5b1331e14b867d081f5b9a390207d4

SHA256
34a68ba6b14d21fc198384bca45491b67d71bbf8ef548e72775f2c77169b481f

SHA512
80d2142c4e7af07e3b967797dcd73ee4c111e4bf163bf87cf9fe5611f1f399a73c9a2de1cc343b4c961bcf4452f9fece5f788325e088072341b492c78ae17647

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c45e1f2-0ecc-4001-b4bb-0dcd804e0450.vbs

Filesize
485B

MD5
50d677940614f64271caacc61166edde

SHA1
1835d413154fc3a5730dd5b1ba92ea9a360f63e2

SHA256
ed5925f61f10b9d5278498af0935cbe656eb259e8d453d25ba66e103764c56fb

SHA512
b1d2ef247ea8ea11d06d32456ef0f1dea02d50e603a80eac5680a2340f51de5b380ffd232248710925bd29d22073f8d0fe1197de1995dfa85f3164d8026d09d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\81ea1b17-7a16-48b0-8d22-c5244c6008f4.vbs

Filesize
709B

MD5
0e9080b7c30dce779412cbee10e88ff7

SHA1
c0c0bda958101bde9c44d9f8054072173b34df32

SHA256
b3684196a68328c4545ec7d12b1631f5beef2d488cf64bc8324159b4220b9436

SHA512
707f9dc7561656f310b0e016b8a87c2c4d111fcf58477f474a5a847bc5f01b1fac0b707caea7498dbcd500d3db98602e2d78d63a4454bef7f631858a23e64fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac71a660-e64f-4409-9fa8-0488a78949e4.vbs

Filesize
708B

MD5
6dcf41726123a638a7bc7125397f1809

SHA1
808d7f7cd2cdef37dcb5764fa8c955d8e00caadc

SHA256
5624567b8445ee57adeb7c087271060612276cc022540640d0f7fa9214a563cd

SHA512
a96fed3a033370fc8f9c9146176da669c016487fa91a312d30b85c41f72fe2e6bd231611db8b87483e48e96d7acd8951fe71c98ecca505a7fdd2b19941ac90dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac802db6-499d-417a-9e1d-3b9c40137d2b.vbs

Filesize
708B

MD5
918b477faba12d8057c058e35522d782

SHA1
7229f6297b72b9468b04197f8560e57921c2f764

SHA256
8d830bf55ec96c728514e6f1f6a5abfc8f96a9098e40156d4a29375c731f5b87

SHA512
dd9e366aa64f10909dc4588e09ba656066c4bf570440d1b1e6110a466606324d9ee1636a671957a9257ae40efced844e8422a61914e49b58b8662087ccfb8d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cba9a60e-9992-473c-a223-a2d1798f323e.vbs

Filesize
709B

MD5
90cc9b8112f0e981d76582073abaf5bc

SHA1
0a5fbb73b051acae8f41ca9e6ee06c5e63c4cd28

SHA256
99c6550b414c76dcbe22a0f780ae704c08faeb68f12480ae3b210476bca28f18

SHA512
bb325e63809268017ecb2e6ba5e1d85534069a1e255f6b12fd6ab57497fff0ccad69fff2c422edb03033e954222335db96a7cfb58b2feb5bfd0fab5981a8da8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A73.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
741da87bb32011c66d2e799cd37e8a3c

SHA1
ed44c5b2b0eff8dd06aab2d790473701693f1cb7

SHA256
e4dbe87f4aa4b39065a8f57a0d692d151f240142793d245e5aad0e4c5bd8b727

SHA512
b730f865431095b880cfe98ee946a8120345a4c3ba17bc8530ab36876602807c60ae3012171991c17e4b1302c1636c71087d018431986ae845a4f296c6427735

Download Submit
memory/764-204-0x0000000001320000-0x0000000001814000-memory.dmp

Filesize
5.0MB

Download
memory/916-114-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/916-116-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/944-264-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/944-263-0x00000000003A0000-0x0000000000894000-memory.dmp

Filesize
5.0MB

Download
memory/1152-189-0x0000000000170000-0x0000000000664000-memory.dmp

Filesize
5.0MB

Download
memory/1776-173-0x0000000000270000-0x0000000000764000-memory.dmp

Filesize
5.0MB

Download
memory/1776-174-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2448-9-0x0000000002340000-0x000000000234A000-memory.dmp

Filesize
40KB

Download
memory/2448-7-0x0000000002310000-0x0000000002326000-memory.dmp

Filesize
88KB

Download
memory/2448-1-0x00000000001A0000-0x0000000000694000-memory.dmp

Filesize
5.0MB

Download
memory/2448-12-0x00000000024F0000-0x00000000024FE000-memory.dmp

Filesize
56KB

Download
memory/2448-11-0x00000000024E0000-0x00000000024EA000-memory.dmp

Filesize
40KB

Download
memory/2448-10-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2448-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/2448-15-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2448-16-0x000000001ABA0000-0x000000001ABAC000-memory.dmp

Filesize
48KB

Download
memory/2448-13-0x0000000002580000-0x000000000258E000-memory.dmp

Filesize
56KB

Download
memory/2448-8-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/2448-158-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2448-6-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/2448-5-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/2448-4-0x0000000000A20000-0x0000000000A3C000-memory.dmp

Filesize
112KB

Download
memory/2448-14-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2448-3-0x000000001B140000-0x000000001B26E000-memory.dmp

Filesize
1.2MB

Download
memory/2448-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2460-108-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/2460-159-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2816-248-0x0000000000250000-0x0000000000744000-memory.dmp

Filesize
5.0MB

Download
memory/2940-233-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download