dcrat | 68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Size

1.5MB
MD5

d38d717691c05fac4769e664d6e53248
SHA1

33bef9a88e278cc160f053a9ba87b2a16f7108b7
SHA256

68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46
SHA512

811186aaeece8a84e6c6bf6b520660858a12a57229b9bb337f1edf916435b9d8679c301ba5737f6233e06c47965eedde7d522a8cb04d782705522ab2cf488c09
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 8 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2848	schtasks.exe
		2800	schtasks.exe
		2676	schtasks.exe
		2440	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\cmipnpinstall\0a1fd5f707cd16		68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
		2712	schtasks.exe
		2612	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\cmipnpinstall\\sppsvc.exe\", \"C:\\Users\\All Users\\Desktop\\lsm.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\cmipnpinstall\\sppsvc.exe\", \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\wbem\\whqlprov\\WMIADAP.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\cmipnpinstall\\sppsvc.exe\", \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\wbem\\whqlprov\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\OSPPSVC.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\cmipnpinstall\\sppsvc.exe\", \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\wbem\\whqlprov\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\System.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\cmipnpinstall\\sppsvc.exe\", \"C:\\Users\\All Users\\Desktop\\lsm.exe\", \"C:\\Windows\\System32\\wbem\\whqlprov\\WMIADAP.exe\", \"C:\\MSOCache\\All Users\\OSPPSVC.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Windows\\System32\\NlsLexicons000f\\services.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\cmipnpinstall\\sppsvc.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2636	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2280	powershell.exe
2248	powershell.exe
816	powershell.exe
620	powershell.exe
1996	powershell.exe
2404	powershell.exe
2268	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Executes dropped EXE 11 IoCs

pid	Process
1548	System.exe
2428	System.exe
2400	System.exe
2336	System.exe
1532	System.exe
2132	System.exe
2772	System.exe
1264	System.exe
632	System.exe
1848	System.exe
2596	System.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\cmipnpinstall\\sppsvc.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Desktop\\lsm.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\System32\\wbem\\whqlprov\\WMIADAP.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\OSPPSVC.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\OSPPSVC.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\NlsLexicons000f\\services.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\cmipnpinstall\\sppsvc.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\All Users\\Desktop\\lsm.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\System32\\wbem\\whqlprov\\WMIADAP.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\NlsLexicons000f\\services.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\wbem\whqlprov\WMIADAP.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\cmipnpinstall\RCXD8E2.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\wbem\whqlprov\RCXDD57.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\wbem\whqlprov\WMIADAP.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\cmipnpinstall\sppsvc.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\cmipnpinstall\sppsvc.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\NlsLexicons000f\services.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\NlsLexicons000f\c5b4cb5e9653cc	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\NlsLexicons000f\RCXE3D0.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\NlsLexicons000f\services.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\cmipnpinstall\0a1fd5f707cd16	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\wbem\whqlprov\75a57c1bdf437c	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe
2440	schtasks.exe
2712	schtasks.exe
2612	schtasks.exe
2848	schtasks.exe
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1996	powershell.exe
2280	powershell.exe
816	powershell.exe
2404	powershell.exe
620	powershell.exe
2268	powershell.exe
2248	powershell.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
1548	System.exe
2428	System.exe
2428	System.exe
2428	System.exe
2428	System.exe
2428	System.exe
2428	System.exe
2428	System.exe
2428	System.exe
2428	System.exe
2428	System.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1548	System.exe
Token: SeDebugPrivilege	2428	System.exe
Token: SeDebugPrivilege	2400	System.exe
Token: SeDebugPrivilege	2336	System.exe
Token: SeDebugPrivilege	1532	System.exe
Token: SeDebugPrivilege	2132	System.exe
Token: SeDebugPrivilege	2772	System.exe
Token: SeDebugPrivilege	1264	System.exe
Token: SeDebugPrivilege	632	System.exe
Token: SeDebugPrivilege	1848	System.exe
Token: SeDebugPrivilege	2596	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 620	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	39
PID 2236 wrote to memory of 620	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	39
PID 2236 wrote to memory of 620	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	39
PID 2236 wrote to memory of 1996	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	40
PID 2236 wrote to memory of 1996	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	40
PID 2236 wrote to memory of 1996	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	40
PID 2236 wrote to memory of 2404	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	41
PID 2236 wrote to memory of 2404	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	41
PID 2236 wrote to memory of 2404	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	41
PID 2236 wrote to memory of 2268	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	42
PID 2236 wrote to memory of 2268	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	42
PID 2236 wrote to memory of 2268	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	42
PID 2236 wrote to memory of 2280	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	43
PID 2236 wrote to memory of 2280	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	43
PID 2236 wrote to memory of 2280	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	43
PID 2236 wrote to memory of 2248	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	44
PID 2236 wrote to memory of 2248	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	44
PID 2236 wrote to memory of 2248	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	44
PID 2236 wrote to memory of 816	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	45
PID 2236 wrote to memory of 816	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	45
PID 2236 wrote to memory of 816	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	45
PID 2236 wrote to memory of 1884	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	53
PID 2236 wrote to memory of 1884	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	53
PID 2236 wrote to memory of 1884	2236	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	53
PID 1884 wrote to memory of 2728	1884	cmd.exe	55
PID 1884 wrote to memory of 2728	1884	cmd.exe	55
PID 1884 wrote to memory of 2728	1884	cmd.exe	55
PID 1884 wrote to memory of 1548	1884	cmd.exe	56
PID 1884 wrote to memory of 1548	1884	cmd.exe	56
PID 1884 wrote to memory of 1548	1884	cmd.exe	56
PID 1548 wrote to memory of 2152	1548	System.exe	57
PID 1548 wrote to memory of 2152	1548	System.exe	57
PID 1548 wrote to memory of 2152	1548	System.exe	57
PID 1548 wrote to memory of 1484	1548	System.exe	58
PID 1548 wrote to memory of 1484	1548	System.exe	58
PID 1548 wrote to memory of 1484	1548	System.exe	58
PID 2152 wrote to memory of 2428	2152	WScript.exe	59
PID 2152 wrote to memory of 2428	2152	WScript.exe	59
PID 2152 wrote to memory of 2428	2152	WScript.exe	59
PID 2428 wrote to memory of 2820	2428	System.exe	60
PID 2428 wrote to memory of 2820	2428	System.exe	60
PID 2428 wrote to memory of 2820	2428	System.exe	60
PID 2428 wrote to memory of 2956	2428	System.exe	61
PID 2428 wrote to memory of 2956	2428	System.exe	61
PID 2428 wrote to memory of 2956	2428	System.exe	61
PID 2820 wrote to memory of 2400	2820	WScript.exe	62
PID 2820 wrote to memory of 2400	2820	WScript.exe	62
PID 2820 wrote to memory of 2400	2820	WScript.exe	62
PID 2400 wrote to memory of 1540	2400	System.exe	63
PID 2400 wrote to memory of 1540	2400	System.exe	63
PID 2400 wrote to memory of 1540	2400	System.exe	63
PID 2400 wrote to memory of 2988	2400	System.exe	64
PID 2400 wrote to memory of 2988	2400	System.exe	64
PID 2400 wrote to memory of 2988	2400	System.exe	64
PID 1540 wrote to memory of 2336	1540	WScript.exe	65
PID 1540 wrote to memory of 2336	1540	WScript.exe	65
PID 1540 wrote to memory of 2336	1540	WScript.exe	65
PID 2336 wrote to memory of 708	2336	System.exe	66
PID 2336 wrote to memory of 708	2336	System.exe	66
PID 2336 wrote to memory of 708	2336	System.exe	66
PID 2336 wrote to memory of 1996	2336	System.exe	67
PID 2336 wrote to memory of 1996	2336	System.exe	67
PID 2336 wrote to memory of 1996	2336	System.exe	67
PID 708 wrote to memory of 1532	708	WScript.exe	68

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
"C:\Users\Admin\AppData\Local\Temp\68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\cmipnpinstall\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\whqlprov\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsLexicons000f\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dJjkaXuHDz.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2728
- - C:\MSOCache\All Users\System.exe
    "C:\MSOCache\All Users\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1548
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\818918c2-af48-42ec-ac56-9dddba45fde0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2428
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cabb4bd7-cfc5-45e5-9293-bedcf872e868.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\067557cf-789f-48e3-9418-f8845c290066.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3c94522-74e7-431c-b4c3-609286292949.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4bdcb65-9ee1-4673-9e07-72553499c94c.vbs"
        12⤵
        
        PID:1964
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73a9a198-82ec-4f3b-80eb-fe604d7b943b.vbs"
        14⤵
        
        PID:2668
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e71888f4-a35d-4280-81ab-ddaec2e2d0bb.vbs"
        16⤵
        
        PID:2760
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12a9e014-18f6-46c9-a8cb-89f98b5190ee.vbs"
        18⤵
        
        PID:1704
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed15baf6-d063-4130-a808-efbf9dafa8e9.vbs"
        20⤵
        
        PID:2008
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eb4d18d-16c0-46b0-b338-e25c2a8d22e8.vbs"
        22⤵
        
        PID:2704
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba3385f1-a597-4e98-94ee-990aa56e2284.vbs"
        24⤵
        
        PID:1400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7931d035-6f2b-4d98-a958-0e7a030e327b.vbs"
        24⤵
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c6f51eb-b5b8-4975-84ff-8061997b5853.vbs"
        22⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\564cc399-b226-4f7b-86dd-d37f91da815c.vbs"
        20⤵
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6db79f9-800b-443d-80fa-1ad0a27e4fe4.vbs"
        18⤵
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ee1a9e3-aa84-4aa8-894f-b3675650b42e.vbs"
        16⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d335787-c816-43c1-9d03-be9eacf02413.vbs"
        14⤵
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca1c9993-762c-467b-911f-9fc0f60f023f.vbs"
        12⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74ad80db-471d-4f30-85e6-96aeaf4539f1.vbs"
        10⤵
        
        PID:1996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec3c8a16-ca15-4b11-92b9-fab7eb0528b3.vbs"
        8⤵
        
        PID:2988
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea0356f3-6fca-4fc6-b39b-ca2961f366d6.vbs"
        6⤵
        
        PID:2956
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2314f77f-4b14-4a97-ac48-d029b8379059.vbs"
      4⤵
      PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\cmipnpinstall\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\whqlprov\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons000f\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\System.exe

Filesize
1.5MB

MD5
d38d717691c05fac4769e664d6e53248

SHA1
33bef9a88e278cc160f053a9ba87b2a16f7108b7

SHA256
68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46

SHA512
811186aaeece8a84e6c6bf6b520660858a12a57229b9bb337f1edf916435b9d8679c301ba5737f6233e06c47965eedde7d522a8cb04d782705522ab2cf488c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\067557cf-789f-48e3-9418-f8845c290066.vbs

Filesize
708B

MD5
8bea00fd37b39d6c2b8613fb22407500

SHA1
a3ebc14ab8aef462cc95e67034f87fd914ee09a1

SHA256
4bdabceede24ed2e26f66fada818d57433d45e96254f823a733d5be598418d08

SHA512
0ae86629871e75f5c3c157643f38761be0e697c5767ad2edfc66d15811d167de52ea8e8c2b7992cd6dbe000db0550726df013f483e1f2667c72d63f0af1fffe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\12a9e014-18f6-46c9-a8cb-89f98b5190ee.vbs

Filesize
708B

MD5
a9f1385d7c4592c786ba3a7db2d933d4

SHA1
1e3816586fc5118fdd24780a6eed893b853192d8

SHA256
92e16dc85b493218af67ec74d2fedd87323314da265a6a0d38acc2eab4a53821

SHA512
ea86fbbf64d283bcb299cda536b2ee4d5373a7278f9a887dfd51623c5a674425170ed2f2cf8184de6646827c2f02a2575e401357103bd53fbc9a2846524579c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2314f77f-4b14-4a97-ac48-d029b8379059.vbs

Filesize
484B

MD5
0c3fca380f00e3f15d1578e6f46ecb8f

SHA1
e6120fedaf56fa3f648d06f73be7409b0547ebef

SHA256
fa5b86a9c9b722d8054f3fd940beafa6f543a491cbe7f69cc99b25d31934ac5d

SHA512
48da9dbdd2ba9fad025a88a86ecfe371ab5296583f786d08f7f8b81a3017d8d4a73fa174c1fa249303eda38cfdfc57b4b6c76b6325b6ce9d88f94d329c808ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4eb4d18d-16c0-46b0-b338-e25c2a8d22e8.vbs

Filesize
708B

MD5
6b730a9a13eac832d6188f862070853d

SHA1
3a301eb12e112032c0701b8594fa584021ca06d8

SHA256
7c2678a3f8709fa410bd771b42c4b6e8bbeb08abccb7eae093a1e9c0bcce6f92

SHA512
c34e44b1fdd46eb4e0745adb645bc838000adb148d6129b609994c3e04d4f8d63d260e1923dbb13284b9fc0855d9aa4c2ff16e1e7238369ee850d818dfb64f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\73a9a198-82ec-4f3b-80eb-fe604d7b943b.vbs

Filesize
708B

MD5
b5a442c6df5a6ca0700de82d103897f0

SHA1
131bf6a06b9ccd27241defb3e13bc9f8dc769309

SHA256
8e9d6f0454317518bf7b5bb97547f84d6d61cb13e5f1ceeea7bd7d01563d9bf9

SHA512
5e99ddbfc791b156c8a8090b1df980d6eb1e364c43f7cbdb7ba22228c063151135334c70763a45c8808f3aad172cd0583cfc7e67be7f52a1fff38d1c6299b9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\818918c2-af48-42ec-ac56-9dddba45fde0.vbs

Filesize
708B

MD5
b029813584ec510f12968b2a8c626f49

SHA1
feba5a726d5f96ef330fe1bb13a648385bf04559

SHA256
ddbc1eba31e938349b21026d1b23e569d0e38e9a57ccfab6fa2545bc08b5b6bd

SHA512
27bc7378a5b5483e5cfc647fe258f8df9bb9bf09cf31ba4754b523cf204a2486de6f8899e4dae71b21a85e2913b44c868f8991824517b51f1c3a0b9f007c7bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3c94522-74e7-431c-b4c3-609286292949.vbs

Filesize
708B

MD5
07cf7578f46e6af81954379c5ef0c5b8

SHA1
8f55ddb158edc6dc15388fb2b7c623703fdd9f23

SHA256
fc271c544e22022fc3eb600593a8710897e152cd4e5a763abe690f1609892e52

SHA512
410afa17c503003842b088d57d353d43b7706d4cb28e90f26d989e63d791bf703e954e60186f97d25e9f4f393687158c475ace546edebed1ee5da885cc250e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba3385f1-a597-4e98-94ee-990aa56e2284.vbs

Filesize
708B

MD5
57c9e60bf1c0dfc85dc822f7b512718c

SHA1
b214a86dd5af5066e23c0f86ba526e44571f5e73

SHA256
d1b804e20691feb09998c664d1c65f76de906d44a302a01669adeb34951e8e05

SHA512
ed252c778fe7006b05e93364ebb74b0fdec213cea6b58fb2dba53cd6ccffcea3f71919247889fa8014e11b1d488ae58f97842b6c686a96bb0a6bcd4dd624174a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cabb4bd7-cfc5-45e5-9293-bedcf872e868.vbs

Filesize
708B

MD5
e8d1f0cdb63936fe3cba28e190871ae9

SHA1
88ff2d78e698c12f100879b2751b05f095a22864

SHA256
c057a76baedd63b56f70aeffa737dcd745cc672669c6da6ea2fd0e1b856c6c91

SHA512
8266d366c6a4904117f32860e241060c78dd3dd990e76c95e9171b5392675fec06b3beb47feb88037250b98810a23a2c3207f890496de49603d9c9deafc03281

Download Submit
C:\Users\Admin\AppData\Local\Temp\dJjkaXuHDz.bat

Filesize
196B

MD5
f9609876399b09e8718ad998905f3d76

SHA1
44dfa6b0ff71a32cd6f07bfdbb7f354c225c7655

SHA256
7fcfdcd824200398b46319de02899c024b324cabaa3f4614cd8c243eb8a91d40

SHA512
fa5beefd99ce3ace6d81e174fc14279b84702375b6022caa9f3beaf7c859e99d20de551b1662e46e132f895b4fc635c14d9d83ad7e4b47369ab0f321c4c923b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e71888f4-a35d-4280-81ab-ddaec2e2d0bb.vbs

Filesize
708B

MD5
e6703ca34d4ab6d3e219dc9328bbb87e

SHA1
f22a384b539324d42f33b677d77d041b1cd0491a

SHA256
9c517542a6fe29cd8068ba843a9f41fb9d2c64e090f82ff88ade6ff1e92a7123

SHA512
815191bee8759f847e5cd9063b518a8195576a257b07c3690993a93243b0bfe7e94ec8497e15426eb5295b8fc1d43fa8efc6b472ac4717aa17f76be387793514

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed15baf6-d063-4130-a808-efbf9dafa8e9.vbs

Filesize
707B

MD5
f553c389a364a2078f0314495c41aacb

SHA1
d74b6ac52559164fbf3e8020f401d3b953f91182

SHA256
848fc4ebbcee841ff5b19ef02f8ab2a888f1df813b03f90a0ebef6a092648b10

SHA512
66a6efe3c0ed5da18954932091ee2f86c90030b4a6f07c2a9200af56afccea021f1fb3b1793c6fee8af6c00a2d1c2efb110bfdf87198b5617f39755470ad385f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4bdcb65-9ee1-4673-9e07-72553499c94c.vbs

Filesize
708B

MD5
237a5f15a1d5cee7b00f62cb710e241a

SHA1
407079fca7d6f67eee6c5d3beba6b46eea893481

SHA256
3166eaf62b0a8a4996cd647af9c3dc7e25fa109f873cc8a5f4646e4754702dbe

SHA512
762fa13d03bf656df9ed60e8589cae9591584d41cc9d8b1c7949e945113d5c456fec8f2bbbbd7fe52b419604464983ec8c05156b8443f09299b0cdf5755f6433

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
df9c9b90e87553ec086dc598aea9032c

SHA1
f66d205045d7107b359628520b3719279fd0af3f

SHA256
3e8635dc1014f8a0a288743251d1baf26c7b12b05fb526f221eed90ccb8088c7

SHA512
72867eaac0895ad8c421ddb5406db163d566e3a6139e2fe1ddac48c2e78e776d513781a1eaf8992bb1b7619127907f47f98e6a22bfb446374ee38a0606ad68bc

Download Submit
memory/632-215-0x0000000000AD0000-0x0000000000C4E000-memory.dmp

Filesize
1.5MB

Download
memory/1264-203-0x00000000001F0000-0x000000000036E000-memory.dmp

Filesize
1.5MB

Download
memory/1532-167-0x0000000001110000-0x000000000128E000-memory.dmp

Filesize
1.5MB

Download
memory/1532-168-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1548-120-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1548-119-0x0000000000160000-0x00000000002DE000-memory.dmp

Filesize
1.5MB

Download
memory/1848-227-0x0000000000220000-0x000000000039E000-memory.dmp

Filesize
1.5MB

Download
memory/1996-90-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/1996-84-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2236-13-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/2236-5-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2236-12-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/2236-21-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download
memory/2236-11-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/2236-18-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/2236-17-0x0000000002160000-0x000000000216C000-memory.dmp

Filesize
48KB

Download
memory/2236-16-0x0000000002150000-0x0000000002158000-memory.dmp

Filesize
32KB

Download
memory/2236-1-0x0000000000AC0000-0x0000000000C3E000-memory.dmp

Filesize
1.5MB

Download
memory/2236-15-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2236-2-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2236-8-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/2236-3-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/2236-24-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2236-85-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2236-20-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2236-14-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2236-9-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/2236-4-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2236-10-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/2236-7-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/2236-6-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2236-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/2336-155-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/2400-143-0x0000000001070000-0x00000000011EE000-memory.dmp

Filesize
1.5MB

Download
memory/2428-131-0x0000000000D50000-0x0000000000ECE000-memory.dmp

Filesize
1.5MB

Download
memory/2596-239-0x0000000001340000-0x00000000014BE000-memory.dmp

Filesize
1.5MB

Download
memory/2596-240-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2772-191-0x00000000000F0000-0x000000000026E000-memory.dmp

Filesize
1.5MB

Download