dcrat | 5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Size

1.5MB
MD5

cac1d4f15ef3ded5035137eb65f76334
SHA1

e8765a89bb9095471a3c267bdfe501729a20d6e3
SHA256

5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235
SHA512

f01c944e01587c14d2a16f88b24e6eb65e9eb6ad354132c426d8df2cdfc203b2817e0e5bc2f4d34abda11c2e8d67ec112972c283690e966f0fae637758def8ad
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRP:kzhWhCXQFN+0IEuQgyiVKH

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		236	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
		2616	schtasks.exe
		3060	schtasks.exe
		2060	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe\", \"C:\\ProgramData\\Favorites\\csrss.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe\", \"C:\\ProgramData\\Favorites\\csrss.exe\", \"C:\\Windows\\System32\\wpcsvc\\wininit.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe\", \"C:\\ProgramData\\Favorites\\csrss.exe\", \"C:\\Windows\\System32\\wpcsvc\\wininit.exe\", \"C:\\Windows\\System32\\rastapi\\csrss.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2608	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2608	schtasks.exe	30

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2444	powershell.exe
2648	powershell.exe
2220	powershell.exe
2148	powershell.exe
644	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Executes dropped EXE 13 IoCs

pid	Process
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
3000	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
780	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
2004	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1648	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
2792	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
2092	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
2368	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
2004	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
2536	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
2684	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\wpcsvc\\wininit.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\rastapi\\csrss.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\rastapi\\csrss.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235 = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235 = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Favorites\\csrss.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Favorites\\csrss.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\wpcsvc\\wininit.exe\""	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\rastapi\csrss.exe	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
File created	C:\Windows\System32\rastapi\886983d96e3d3e	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
File opened for modification	C:\Windows\System32\wpcsvc\RCX37C6.tmp	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
File opened for modification	C:\Windows\System32\wpcsvc\wininit.exe	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
File opened for modification	C:\Windows\System32\rastapi\RCX39CA.tmp	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
File opened for modification	C:\Windows\System32\rastapi\csrss.exe	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
File created	C:\Windows\System32\wpcsvc\wininit.exe	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
File created	C:\Windows\System32\wpcsvc\56085415360792	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\schemas\EAPMethods\dllhost.exe	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe
2060	schtasks.exe
236	schtasks.exe
2616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
2648	powershell.exe
644	powershell.exe
2220	powershell.exe
2444	powershell.exe
2148	powershell.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	3000	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	780	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	2004	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	1648	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	2792	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	2092	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	2368	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	2004	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	2536	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Token: SeDebugPrivilege	2684	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2444	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	35
PID 1072 wrote to memory of 2444	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	35
PID 1072 wrote to memory of 2444	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	35
PID 1072 wrote to memory of 2648	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	36
PID 1072 wrote to memory of 2648	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	36
PID 1072 wrote to memory of 2648	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	36
PID 1072 wrote to memory of 2220	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	37
PID 1072 wrote to memory of 2220	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	37
PID 1072 wrote to memory of 2220	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	37
PID 1072 wrote to memory of 2148	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	38
PID 1072 wrote to memory of 2148	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	38
PID 1072 wrote to memory of 2148	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	38
PID 1072 wrote to memory of 644	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	39
PID 1072 wrote to memory of 644	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	39
PID 1072 wrote to memory of 644	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	39
PID 1072 wrote to memory of 1352	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	45
PID 1072 wrote to memory of 1352	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	45
PID 1072 wrote to memory of 1352	1072	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	45
PID 1352 wrote to memory of 616	1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	46
PID 1352 wrote to memory of 616	1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	46
PID 1352 wrote to memory of 616	1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	46
PID 1352 wrote to memory of 1940	1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	47
PID 1352 wrote to memory of 1940	1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	47
PID 1352 wrote to memory of 1940	1352	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	47
PID 616 wrote to memory of 1096	616	WScript.exe	48
PID 616 wrote to memory of 1096	616	WScript.exe	48
PID 616 wrote to memory of 1096	616	WScript.exe	48
PID 1096 wrote to memory of 996	1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	49
PID 1096 wrote to memory of 996	1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	49
PID 1096 wrote to memory of 996	1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	49
PID 1096 wrote to memory of 2108	1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	50
PID 1096 wrote to memory of 2108	1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	50
PID 1096 wrote to memory of 2108	1096	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	50
PID 996 wrote to memory of 1620	996	WScript.exe	51
PID 996 wrote to memory of 1620	996	WScript.exe	51
PID 996 wrote to memory of 1620	996	WScript.exe	51
PID 1620 wrote to memory of 2604	1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	52
PID 1620 wrote to memory of 2604	1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	52
PID 1620 wrote to memory of 2604	1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	52
PID 1620 wrote to memory of 2616	1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	53
PID 1620 wrote to memory of 2616	1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	53
PID 1620 wrote to memory of 2616	1620	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	53
PID 2604 wrote to memory of 3000	2604	WScript.exe	54
PID 2604 wrote to memory of 3000	2604	WScript.exe	54
PID 2604 wrote to memory of 3000	2604	WScript.exe	54
PID 3000 wrote to memory of 2804	3000	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	55
PID 3000 wrote to memory of 2804	3000	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	55
PID 3000 wrote to memory of 2804	3000	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	55
PID 3000 wrote to memory of 2800	3000	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	56
PID 3000 wrote to memory of 2800	3000	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	56
PID 3000 wrote to memory of 2800	3000	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	56
PID 2804 wrote to memory of 780	2804	WScript.exe	57
PID 2804 wrote to memory of 780	2804	WScript.exe	57
PID 2804 wrote to memory of 780	2804	WScript.exe	57
PID 780 wrote to memory of 1776	780	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	58
PID 780 wrote to memory of 1776	780	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	58
PID 780 wrote to memory of 1776	780	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	58
PID 780 wrote to memory of 936	780	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	59
PID 780 wrote to memory of 936	780	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	59
PID 780 wrote to memory of 936	780	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	59
PID 1776 wrote to memory of 2004	1776	WScript.exe	60
PID 1776 wrote to memory of 2004	1776	WScript.exe	60
PID 1776 wrote to memory of 2004	1776	WScript.exe	60
PID 2004 wrote to memory of 404	2004	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe	61

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
"C:\Users\Admin\AppData\Local\Temp\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Favorites\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wpcsvc\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\rastapi\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1352
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78eb36e9-352c-49be-8c2c-6b4dce80b015.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
      "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1096
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86d88473-9897-417a-970f-0f5de666e192.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:996
      - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c016689-e256-41e0-a5aa-883abef7945c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72ba75f7-620c-482d-beb7-5af82ed09947.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20bb547d-a8a3-42f5-ada7-8d292885c98e.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c946131-59e3-459d-820f-c3d91ba96654.vbs"
        13⤵
        
        PID:404
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e50dc164-6cb6-42db-932d-a9d3e65a2abd.vbs"
        15⤵
        
        PID:2940
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a1e58a9-c548-44e5-8ddc-aa7b4d27c35d.vbs"
        17⤵
        
        PID:1100
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa7153c4-f323-4c4c-bc35-c3e19d0cc5c1.vbs"
        19⤵
        
        PID:2620
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9ded9dc-b675-4dcc-9696-54e3a3c32740.vbs"
        21⤵
        
        PID:1900
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1b620d8-9f6b-46f7-9237-48c989692e5b.vbs"
        23⤵
        
        PID:1704
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f672c25c-065d-431b-baaa-8560f7c5679c.vbs"
        25⤵
        
        PID:2672
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe"
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f47db6-6bc7-4f47-993f-183a130f7e8c.vbs"
        27⤵
        
        PID:344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d641436-2c5b-4e8e-bd7a-56b708e9e613.vbs"
        27⤵
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\870b6ee5-819c-4f4a-accd-57cad72ec8c9.vbs"
        25⤵
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba9f78b6-696b-4358-b979-77e25d6abf49.vbs"
        23⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e378365c-1a5a-4c72-a10b-f42fd36800f7.vbs"
        21⤵
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61dc0113-078a-43a6-abaf-9c6dc8bf0b3b.vbs"
        19⤵
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\028bb729-619e-4cc5-be05-d8cedabb896a.vbs"
        17⤵
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7810a45-7ece-444e-84ec-8c636474123a.vbs"
        15⤵
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ae9405a-3511-427f-b44a-e556e9bbed02.vbs"
        13⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f56cee0c-96b4-4491-b9db-a90ac88f2c3d.vbs"
        11⤵
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff04fa74-858d-440d-a6f0-41a407c1c6b9.vbs"
        9⤵
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d783d30b-54f0-44dc-877a-47c19d4f1554.vbs"
        7⤵
        
        PID:2616
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\786f0307-2548-4c2b-a997-0fa84b13cbc7.vbs"
        5⤵
        
        PID:2108
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03555356-542d-4fc1-a1b2-ed25ee0b42c9.vbs"
    3⤵
    PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\wpcsvc\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\rastapi\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235.exe

Filesize
1.5MB

MD5
cac1d4f15ef3ded5035137eb65f76334

SHA1
e8765a89bb9095471a3c267bdfe501729a20d6e3

SHA256
5fcdf7299d3e8c4725a52546214411d8466ac6ed4a7d721474c1a6d2cdf7d235

SHA512
f01c944e01587c14d2a16f88b24e6eb65e9eb6ad354132c426d8df2cdfc203b2817e0e5bc2f4d34abda11c2e8d67ec112972c283690e966f0fae637758def8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\03555356-542d-4fc1-a1b2-ed25ee0b42c9.vbs

Filesize
583B

MD5
f26aa252ca037219a1268a6ed569f631

SHA1
54226be4ae7d4fa9d27ee1e2c730eb125f968467

SHA256
bae0c662ac0c35754c0bbaeed7bb2528e7c5c8234be2a4ab09f10d63b84cb269

SHA512
7e485ecf8195ae46b0768791600a68a95b41b33a34603f57e2f308b19c20b6c90eb3305949517c421dfc10185de36de17045dec3a59c47f22bc7f57966e54c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a1e58a9-c548-44e5-8ddc-aa7b4d27c35d.vbs

Filesize
807B

MD5
5bd9146e92121f87c7a9f115f291889e

SHA1
4b5f2398d48d81f64d2bb2baff05218de53b4f77

SHA256
e99ef03d5727d56e1118cd0fe5fc06d4337162f101f7d3e43a7f0dd749762762

SHA512
bd910966bee00129f07692fa4d21c330cf25ae73f8db48bb9894c0cfd14df2124c663631f49b8ee3333c377fb2874b1f332af71b5b66876593f136ddd9d96898

Download Submit
C:\Users\Admin\AppData\Local\Temp\20bb547d-a8a3-42f5-ada7-8d292885c98e.vbs

Filesize
806B

MD5
4466493bd1491a6194a5c506ce1b45f5

SHA1
e1ef7094a3df69f8221ff53dfc8ab83abd306058

SHA256
240ed67874d3b621e5cfa0abff393a93cbcd5b13c5d742086c00ec4e33397382

SHA512
b0a9041917e1c47f6483e90e857c3f922bdd06f73636f09b1e352ef46912cb3413e5c6b0e131b9e2ceff6e3adf5e9f2e42463f96820a74e08f6755c31e44b5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c946131-59e3-459d-820f-c3d91ba96654.vbs

Filesize
807B

MD5
7618d8b73bcd39a3dee57f330491eb12

SHA1
430afe6e4d381d44f3aa2ceaa62f13b3c4ff0bb3

SHA256
5744726678c37bfc9ed5e19da89981de8c6ff7b5ebc00c69cec788d4f1fc41b7

SHA512
cc13a0defe7deeca2b97d0f8f52558b75fefbfd473e7e34e0f49c7a36b66cacf84423c14e09a558a0dac9d2bbd6bec6629878bbe566c9d9ebf9504c9306ce575

Download Submit
C:\Users\Admin\AppData\Local\Temp\72ba75f7-620c-482d-beb7-5af82ed09947.vbs

Filesize
807B

MD5
d951be9165fe79217036e4ffa3024d97

SHA1
0c6862f87c9b3f29abb2a4982e1443ec169caf37

SHA256
16866a1ff5538dd66e022f3896c5f2f2c2649b60b65f29cf5d87c1b9df6a7911

SHA512
5967dbd9e0cfb9675cda4254d316645c33848383b8fc99f3c741b6e3fd2670a3519177237a7f148243df5ab8fa3309cac719d097b6c2888f7ee31b8ccca0d930

Download Submit
C:\Users\Admin\AppData\Local\Temp\78eb36e9-352c-49be-8c2c-6b4dce80b015.vbs

Filesize
807B

MD5
8320479267632f3a8cb4707ab5aebeb6

SHA1
88991bac8771b27a680123580e6d6b2b33b7fa17

SHA256
906071bcbcc238a584c1ead79f9e592120d434105de1b61dd9cd7644c447f4cd

SHA512
ed9b04ab49dcb11d729e72ea74929642b238ee7b1b905e3b5c347e896530bd6d1e41f283791d5fb4610040a591acea514f55cd44a9c1dd0cb7c967387672d11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\86d88473-9897-417a-970f-0f5de666e192.vbs

Filesize
807B

MD5
6718d870aeccf2735e5153ad72fb03d6

SHA1
3db8d1a6e97345f125d5020a423ac5aa80615e19

SHA256
3459e7d17f971582f5c4a8b0605a069ec1d6aec04e44cf915802c69df32edc0d

SHA512
c895c7bd009b87e00550c74ad69eabf73572f86bded2335e505f21ea6d3baedb6c824173b512b2804926cf2b0271f59ee6adbfda8a3b023187a09a5475263d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c016689-e256-41e0-a5aa-883abef7945c.vbs

Filesize
807B

MD5
7208d3424ab9dff4b9f655108be609c2

SHA1
54e836dd8ed40f51c834775fbe4917e13ee6b5d3

SHA256
252514e41aaa7784b8801a0302832811a750082716c3c0e105334c72c0334af4

SHA512
50d65507259e5aa1d1f0e3cf1ab895eca9fa29c37dd97918bbca0ebf5fcd6c346b011b6a5253ce03d9c16a99b5252644aa6af8b5d47fe631abe3cbbba91e67b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa7153c4-f323-4c4c-bc35-c3e19d0cc5c1.vbs

Filesize
807B

MD5
5051a0f729ee0fccc429a5ce5351f4a6

SHA1
f60fa0263538717adf213722e25adf4c16bbe4ca

SHA256
7a6eb1db24ced0a335d92cc5a8019ef75040dbf605ca87818d58629b6d93ca25

SHA512
bcd665f8e533cd69ab5a493a5cfc1a67964082f0c42dade521a1f78d7016e3810fdb2cbcb0469ebe93094321537513e839641c09edcef92371255997a6199d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4f47db6-6bc7-4f47-993f-183a130f7e8c.vbs

Filesize
807B

MD5
2639364721378423a6d95a6423fe9f8c

SHA1
27090c14ac38ecd08877d0a9b29dc26e87f0e3c3

SHA256
5ebf21fa0474721e904293177625df03f0fb29031b7e9421e7d2658844319281

SHA512
afe6db0a3e2180b5c64e19f50a7bdea7b2d677e0143d5a6ea8967e64efef6c8899d8ed731469d8c23f0aa46f5b63c586146051d12af44fefb270a8c773a73f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9ded9dc-b675-4dcc-9696-54e3a3c32740.vbs

Filesize
807B

MD5
151eb30d8a39043676e67781c2114829

SHA1
fa4fb03768db76464328f830397088e154235778

SHA256
bd06113f9a75a885318d341847cebb8dbe74cbc3547ceaf8113386a6f75f3b3b

SHA512
c69e32ad859944bdce9b2d2562178f879dc65834a0bfbfc8cac065a5f2535b8dfab1ca7afabd6394e9ab9b02f00217fb14a9556242b88cff8361ef3a5573f8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e50dc164-6cb6-42db-932d-a9d3e65a2abd.vbs

Filesize
807B

MD5
34dd0153069a9238c6f52c7c0f17d4f6

SHA1
e5886e928e929ba950d702126221626968fead9a

SHA256
83f76790a71ba09cf867435a010b0bbb9b21720d2bebc21788c493278068fe1d

SHA512
33f88d837266adf8a4a6f444afafea48b2432ed6b669fa3b8e0b2cf895c793e3ea05e1b20b4385c5c505c48ac2ac3f8c381e7f749e1c01be05d808d2ae7d0024

Download Submit
C:\Users\Admin\AppData\Local\Temp\f672c25c-065d-431b-baaa-8560f7c5679c.vbs

Filesize
807B

MD5
4a624fd9a98a0fdc564488abb9e7307d

SHA1
d60dee518f58f7c90df733a4a1efad67a564f356

SHA256
3e032bc2c258404123e48413590e29c0cf9c9a7b41077ca82ad43c788531fcb8

SHA512
dd2d79bb4f5093335eaec47c07b7b69e2046e2f0a00f48f87f8b34e8adf38cf13988893bcaa3bb7ad99eaecf87edcadfa4063dfcda05c1747a5c5a746e051644

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb06ee35daef4de4ecb7f55a120f4d79

SHA1
abb899c446144439663c943dd972ea86fa5bea87

SHA256
f420ed02d82cb1f73a63756a7eba348f51f296c4eed011fbcef5a6556acca16b

SHA512
c11bcc7136021d5a74ec9491d0d5d6aa86e9b2fdcfc39f9fd09f75a9e26d24ce59f50ace47d1e7ca005d080acc20d927d256a876ed7e8a1753f33f60210f4413

Download Submit
memory/1072-6-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/1072-14-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/1072-17-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/1072-18-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/1072-20-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/1072-21-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/1072-24-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/1072-7-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/1072-48-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/1072-71-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/1072-9-0x0000000002100000-0x000000000210C000-memory.dmp

Filesize
48KB

Download
memory/1072-8-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1072-11-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/1072-12-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/1072-16-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/1072-15-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/1072-3-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/1072-10-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1072-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/1072-1-0x00000000000A0000-0x000000000021E000-memory.dmp

Filesize
1.5MB

Download
memory/1072-5-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/1072-4-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/1072-13-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/1072-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/1096-108-0x0000000000E60000-0x0000000000FDE000-memory.dmp

Filesize
1.5MB

Download
memory/1096-109-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/1352-70-0x0000000000080000-0x00000000001FE000-memory.dmp

Filesize
1.5MB

Download
memory/1620-121-0x0000000001260000-0x00000000013DE000-memory.dmp

Filesize
1.5MB

Download
memory/2648-88-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2648-87-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download