dcrat | 5e807de88a43edb7b341ed17b4e218f35c3204bf5dc969c131792b0a23e9ddc1

Analysis

max time kernel
154s
max time network
172s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e282def0d26b0a0ace50c80bd0d3e389.exe
Size

1.1MB
MD5

e282def0d26b0a0ace50c80bd0d3e389
SHA1

aad1e263222141dab481347dc60f033ffc3e86cb
SHA256

e8fa1ef4d468a51c9aabb390609c63f549b8693592d23160d5459817d3fefe88
SHA512

8966a24026b973dfa147d697ef7d659ff3f1b8ec11ea3971593667cd637655edaad4370683069ea2ecea21c1b0863ef79cf46effb8736328c3db010b25299b33
SSDEEP

12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\p2p-crp\\WMIADAP.exe\", \"C:\\Windows\\System32\\profsvc\\winlogon.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\p2p-crp\\WMIADAP.exe\", \"C:\\Windows\\System32\\profsvc\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\WMIADAP.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\p2p-crp\\WMIADAP.exe\", \"C:\\Windows\\System32\\profsvc\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\WMIADAP.exe\", \"C:\\Windows\\System32\\TsUsbRedirectionGroupPolicyControl\\wininit.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\p2p-crp\\WMIADAP.exe\", \"C:\\Windows\\System32\\profsvc\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\WMIADAP.exe\", \"C:\\Windows\\System32\\TsUsbRedirectionGroupPolicyControl\\wininit.exe\", \"C:\\Windows\\System32\\wbem\\stortrace\\WmiPrvSE.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\p2p-crp\\WMIADAP.exe\", \"C:\\Windows\\System32\\profsvc\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\WMIADAP.exe\", \"C:\\Windows\\System32\\TsUsbRedirectionGroupPolicyControl\\wininit.exe\", \"C:\\Windows\\System32\\wbem\\stortrace\\WmiPrvSE.exe\", \"C:\\Windows\\Migration\\WTR\\lsass.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\p2p-crp\\WMIADAP.exe\", \"C:\\Windows\\System32\\profsvc\\winlogon.exe\", \"C:\\PerfLogs\\Admin\\WMIADAP.exe\", \"C:\\Windows\\System32\\TsUsbRedirectionGroupPolicyControl\\wininit.exe\", \"C:\\Windows\\System32\\wbem\\stortrace\\WmiPrvSE.exe\", \"C:\\Windows\\Migration\\WTR\\lsass.exe\", \"C:\\Windows\\System32\\rastls\\taskhost.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\p2p-crp\\WMIADAP.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2684	schtasks.exe	31

UAC bypass 3 TTPs 39 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2960	powershell.exe
2984	powershell.exe
2776	powershell.exe
1992	powershell.exe
1984	powershell.exe
2016	powershell.exe
3020	powershell.exe
2940	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e282def0d26b0a0ace50c80bd0d3e389.exe

Executes dropped EXE 12 IoCs

pid	Process
1700	WMIADAP.exe
2732	WMIADAP.exe
2008	WMIADAP.exe
1552	WMIADAP.exe
2488	WMIADAP.exe
1796	WMIADAP.exe
2672	WMIADAP.exe
1620	WMIADAP.exe
2088	WMIADAP.exe
1916	WMIADAP.exe
2012	WMIADAP.exe
396	WMIADAP.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\rastls\\taskhost.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\System32\\wbem\\p2p-crp\\WMIADAP.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\profsvc\\winlogon.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\profsvc\\winlogon.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\stortrace\\WmiPrvSE.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Migration\\WTR\\lsass.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Migration\\WTR\\lsass.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\rastls\\taskhost.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Windows\\System32\\wbem\\p2p-crp\\WMIADAP.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\PerfLogs\\Admin\\WMIADAP.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\PerfLogs\\Admin\\WMIADAP.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\TsUsbRedirectionGroupPolicyControl\\wininit.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\TsUsbRedirectionGroupPolicyControl\\wininit.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\stortrace\\WmiPrvSE.exe\""	e282def0d26b0a0ace50c80bd0d3e389.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e282def0d26b0a0ace50c80bd0d3e389.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\rastls\RCX3CAA.tmp	e282def0d26b0a0ace50c80bd0d3e389.exe
File created	C:\Windows\System32\wbem\p2p-crp\75a57c1bdf437c	e282def0d26b0a0ace50c80bd0d3e389.exe
File created	C:\Windows\System32\profsvc\winlogon.exe	e282def0d26b0a0ace50c80bd0d3e389.exe
File created	C:\Windows\System32\rastls\b75386f1303e64	e282def0d26b0a0ace50c80bd0d3e389.exe
File opened for modification	C:\Windows\System32\profsvc\RCX319D.tmp	e282def0d26b0a0ace50c80bd0d3e389.exe
File opened for modification	C:\Windows\System32\TsUsbRedirectionGroupPolicyControl\wininit.exe	e282def0d26b0a0ace50c80bd0d3e389.exe
File opened for modification	C:\Windows\System32\wbem\p2p-crp\WMIADAP.exe	e282def0d26b0a0ace50c80bd0d3e389.exe
File created	C:\Windows\System32\wbem\stortrace\WmiPrvSE.exe	e282def0d26b0a0ace50c80bd0d3e389.exe
File opened for modification	C:\Windows\System32\wbem\p2p-crp\RCX2F99.tmp	e282def0d26b0a0ace50c80bd0d3e389.exe
File created	C:\Windows\System32\profsvc\cc11b995f2a76d	e282def0d26b0a0ace50c80bd0d3e389.exe
File created	C:\Windows\System32\TsUsbRedirectionGroupPolicyControl\wininit.exe	e282def0d26b0a0ace50c80bd0d3e389.exe
File created	C:\Windows\System32\rastls\taskhost.exe	e282def0d26b0a0ace50c80bd0d3e389.exe
File opened for modification	C:\Windows\System32\TsUsbRedirectionGroupPolicyControl\RCX35B4.tmp	e282def0d26b0a0ace50c80bd0d3e389.exe
File opened for modification	C:\Windows\System32\wbem\stortrace\RCX3825.tmp	e282def0d26b0a0ace50c80bd0d3e389.exe
File opened for modification	C:\Windows\System32\wbem\stortrace\WmiPrvSE.exe	e282def0d26b0a0ace50c80bd0d3e389.exe
File opened for modification	C:\Windows\System32\rastls\taskhost.exe	e282def0d26b0a0ace50c80bd0d3e389.exe
File created	C:\Windows\System32\wbem\p2p-crp\WMIADAP.exe	e282def0d26b0a0ace50c80bd0d3e389.exe
File created	C:\Windows\System32\TsUsbRedirectionGroupPolicyControl\56085415360792	e282def0d26b0a0ace50c80bd0d3e389.exe
File created	C:\Windows\System32\wbem\stortrace\24dbde2999530e	e282def0d26b0a0ace50c80bd0d3e389.exe
File opened for modification	C:\Windows\System32\profsvc\winlogon.exe	e282def0d26b0a0ace50c80bd0d3e389.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\lsass.exe	e282def0d26b0a0ace50c80bd0d3e389.exe
File created	C:\Windows\Migration\WTR\6203df4a6bafc7	e282def0d26b0a0ace50c80bd0d3e389.exe
File opened for modification	C:\Windows\Migration\WTR\RCX3A96.tmp	e282def0d26b0a0ace50c80bd0d3e389.exe
File opened for modification	C:\Windows\Migration\WTR\lsass.exe	e282def0d26b0a0ace50c80bd0d3e389.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1144	schtasks.exe
2044	schtasks.exe
2912	schtasks.exe
2948	schtasks.exe
2848	schtasks.exe
2672	schtasks.exe
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2620	e282def0d26b0a0ace50c80bd0d3e389.exe
2016	powershell.exe
2984	powershell.exe
2776	powershell.exe
3020	powershell.exe
1984	powershell.exe
1992	powershell.exe
2940	powershell.exe
2960	powershell.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe
1700	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	e282def0d26b0a0ace50c80bd0d3e389.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1700	WMIADAP.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2732	WMIADAP.exe
Token: SeDebugPrivilege	2008	WMIADAP.exe
Token: SeDebugPrivilege	1552	WMIADAP.exe
Token: SeDebugPrivilege	2488	WMIADAP.exe
Token: SeDebugPrivilege	1796	WMIADAP.exe
Token: SeDebugPrivilege	2672	WMIADAP.exe
Token: SeDebugPrivilege	1620	WMIADAP.exe
Token: SeDebugPrivilege	2088	WMIADAP.exe
Token: SeDebugPrivilege	1916	WMIADAP.exe
Token: SeDebugPrivilege	2012	WMIADAP.exe
Token: SeDebugPrivilege	396	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2016	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	39
PID 2620 wrote to memory of 2016	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	39
PID 2620 wrote to memory of 2016	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	39
PID 2620 wrote to memory of 1984	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	40
PID 2620 wrote to memory of 1984	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	40
PID 2620 wrote to memory of 1984	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	40
PID 2620 wrote to memory of 1992	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	41
PID 2620 wrote to memory of 1992	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	41
PID 2620 wrote to memory of 1992	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	41
PID 2620 wrote to memory of 2776	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	42
PID 2620 wrote to memory of 2776	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	42
PID 2620 wrote to memory of 2776	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	42
PID 2620 wrote to memory of 2984	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	44
PID 2620 wrote to memory of 2984	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	44
PID 2620 wrote to memory of 2984	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	44
PID 2620 wrote to memory of 2960	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	45
PID 2620 wrote to memory of 2960	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	45
PID 2620 wrote to memory of 2960	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	45
PID 2620 wrote to memory of 2940	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	47
PID 2620 wrote to memory of 2940	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	47
PID 2620 wrote to memory of 2940	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	47
PID 2620 wrote to memory of 3020	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	48
PID 2620 wrote to memory of 3020	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	48
PID 2620 wrote to memory of 3020	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	48
PID 2620 wrote to memory of 1700	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	55
PID 2620 wrote to memory of 1700	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	55
PID 2620 wrote to memory of 1700	2620	e282def0d26b0a0ace50c80bd0d3e389.exe	55
PID 1700 wrote to memory of 1704	1700	WMIADAP.exe	56
PID 1700 wrote to memory of 1704	1700	WMIADAP.exe	56
PID 1700 wrote to memory of 1704	1700	WMIADAP.exe	56
PID 1700 wrote to memory of 2964	1700	WMIADAP.exe	57
PID 1700 wrote to memory of 2964	1700	WMIADAP.exe	57
PID 1700 wrote to memory of 2964	1700	WMIADAP.exe	57
PID 1704 wrote to memory of 2732	1704	WScript.exe	58
PID 1704 wrote to memory of 2732	1704	WScript.exe	58
PID 1704 wrote to memory of 2732	1704	WScript.exe	58
PID 2732 wrote to memory of 1032	2732	WMIADAP.exe	59
PID 2732 wrote to memory of 1032	2732	WMIADAP.exe	59
PID 2732 wrote to memory of 1032	2732	WMIADAP.exe	59
PID 2732 wrote to memory of 2368	2732	WMIADAP.exe	60
PID 2732 wrote to memory of 2368	2732	WMIADAP.exe	60
PID 2732 wrote to memory of 2368	2732	WMIADAP.exe	60
PID 1032 wrote to memory of 2008	1032	WScript.exe	61
PID 1032 wrote to memory of 2008	1032	WScript.exe	61
PID 1032 wrote to memory of 2008	1032	WScript.exe	61
PID 2008 wrote to memory of 2088	2008	WMIADAP.exe	62
PID 2008 wrote to memory of 2088	2008	WMIADAP.exe	62
PID 2008 wrote to memory of 2088	2008	WMIADAP.exe	62
PID 2008 wrote to memory of 2988	2008	WMIADAP.exe	63
PID 2008 wrote to memory of 2988	2008	WMIADAP.exe	63
PID 2008 wrote to memory of 2988	2008	WMIADAP.exe	63
PID 2088 wrote to memory of 1552	2088	WScript.exe	64
PID 2088 wrote to memory of 1552	2088	WScript.exe	64
PID 2088 wrote to memory of 1552	2088	WScript.exe	64
PID 1552 wrote to memory of 2704	1552	WMIADAP.exe	65
PID 1552 wrote to memory of 2704	1552	WMIADAP.exe	65
PID 1552 wrote to memory of 2704	1552	WMIADAP.exe	65
PID 1552 wrote to memory of 1028	1552	WMIADAP.exe	66
PID 1552 wrote to memory of 1028	1552	WMIADAP.exe	66
PID 1552 wrote to memory of 1028	1552	WMIADAP.exe	66
PID 2704 wrote to memory of 2488	2704	WScript.exe	67
PID 2704 wrote to memory of 2488	2704	WScript.exe	67
PID 2704 wrote to memory of 2488	2704	WScript.exe	67
PID 2488 wrote to memory of 2620	2488	WMIADAP.exe	68

System policy modification 1 TTPs 39 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e282def0d26b0a0ace50c80bd0d3e389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e282def0d26b0a0ace50c80bd0d3e389.exe
"C:\Users\Admin\AppData\Local\Temp\e282def0d26b0a0ace50c80bd0d3e389.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e282def0d26b0a0ace50c80bd0d3e389.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\p2p-crp\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\profsvc\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\TsUsbRedirectionGroupPolicyControl\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\stortrace\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\rastls\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\PerfLogs\Admin\WMIADAP.exe
  "C:\PerfLogs\Admin\WMIADAP.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1700
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c52c7bd-6377-42e0-9f12-a18a7cc4f678.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\PerfLogs\Admin\WMIADAP.exe
      C:\PerfLogs\Admin\WMIADAP.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2732
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abc27e25-f934-424b-8702-ba4a8dd4cfc3.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\PerfLogs\Admin\WMIADAP.exe
        
        C:\PerfLogs\Admin\WMIADAP.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\764116b6-2f30-4d1d-9b6c-1cc6d3ef157a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\PerfLogs\Admin\WMIADAP.exe
        
        C:\PerfLogs\Admin\WMIADAP.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99ab941e-0526-4ff9-a4ed-9f002fead758.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\PerfLogs\Admin\WMIADAP.exe
        
        C:\PerfLogs\Admin\WMIADAP.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\182a00d1-f4a4-46cc-a565-3786edf83d26.vbs"
        11⤵
        
        PID:2620
        
        C:\PerfLogs\Admin\WMIADAP.exe
        
        C:\PerfLogs\Admin\WMIADAP.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38699da0-30f3-4c62-b694-180099d0c882.vbs"
        13⤵
        
        PID:3016
        
        C:\PerfLogs\Admin\WMIADAP.exe
        
        C:\PerfLogs\Admin\WMIADAP.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cb6b656-eddc-411c-96de-7b09d8e89f09.vbs"
        15⤵
        
        PID:2928
        
        C:\PerfLogs\Admin\WMIADAP.exe
        
        C:\PerfLogs\Admin\WMIADAP.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d0deca7-b326-4ada-b143-fc6602bff426.vbs"
        17⤵
        
        PID:2636
        
        C:\PerfLogs\Admin\WMIADAP.exe
        
        C:\PerfLogs\Admin\WMIADAP.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a99c03e8-51fd-451d-a488-adeb2cd2ab5f.vbs"
        19⤵
        
        PID:2264
        
        C:\PerfLogs\Admin\WMIADAP.exe
        
        C:\PerfLogs\Admin\WMIADAP.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67d17496-7b26-43af-9fac-0d8e09598509.vbs"
        21⤵
        
        PID:2188
        
        C:\PerfLogs\Admin\WMIADAP.exe
        
        C:\PerfLogs\Admin\WMIADAP.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbc15265-c319-4884-8a00-3d74b60356f6.vbs"
        23⤵
        
        PID:2480
        
        C:\PerfLogs\Admin\WMIADAP.exe
        
        C:\PerfLogs\Admin\WMIADAP.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfed8ffd-bd36-40d1-bfff-cd0c9723f0df.vbs"
        25⤵
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a1f96fd-b2ec-47b8-b12c-f08a28971a03.vbs"
        25⤵
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e4a77e3-5873-4a07-8860-12733435a51c.vbs"
        23⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\641f77f9-5436-4f71-b503-052073242b4a.vbs"
        21⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3cd9c92-5cea-4fbe-8b45-ddcbf3a57445.vbs"
        19⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4e5ddf9-2002-42f8-80bb-4f0b2bc225bf.vbs"
        17⤵
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e70cfa7-3607-4f1b-a3bd-02fb72bc428c.vbs"
        15⤵
        
        PID:744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1e31b49-21e7-4459-a7e4-a98d9e8b75b6.vbs"
        13⤵
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ded01fd-aa01-4c59-87a6-120970504b6a.vbs"
        11⤵
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64952989-3fd2-4661-8fc0-c2297658bf24.vbs"
        9⤵
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43252126-1089-401e-9d12-807aac8fe86d.vbs"
        7⤵
        
        PID:2988
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\973d6021-62e1-4ce4-b61f-7f026f9ad0d1.vbs"
        5⤵
        
        PID:2368
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c3c8c3b-1e0b-4b85-b4e3-08d9c931e873.vbs"
    3⤵
    PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\p2p-crp\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\profsvc\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\TsUsbRedirectionGroupPolicyControl\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\stortrace\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\rastls\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\182a00d1-f4a4-46cc-a565-3786edf83d26.vbs

Filesize
705B

MD5
0e3b09cd03e7106e5a1ca2916ea327e0

SHA1
106ad738212a34f210ecbe8b2c831ecbb5c10fee

SHA256
d20665907c5a4efb2d80c7a6413ab14a33f67deb23ed537995d3374b81e5cf01

SHA512
cf51450a900e744e2f786aa1fe615017c003b5d7769b4c54d5a4be1c507c3d9787070c06e079d963cdd76643c300cb621a6b2793e8c80e57bfecdd99d2a0d592

Download Submit
C:\Users\Admin\AppData\Local\Temp\38699da0-30f3-4c62-b694-180099d0c882.vbs

Filesize
705B

MD5
e1b3aa9ba706430b26855d9d9e762c68

SHA1
d3f09ac029e9a3d12fced71e8fbe65fea80a32f0

SHA256
c372c9411a0531959cbfd10ae565187951b3b8b828b1fbbb8e43819aef49712a

SHA512
3e5d49721bd494a151b745f935c9e2a41d938a785dc00db2cb00daf9b087ee6941ea3f1c992821bac35487c880ea6f841f251e0026d849518f49588f9cb8c900

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c3c8c3b-1e0b-4b85-b4e3-08d9c931e873.vbs

Filesize
481B

MD5
431926a8cf2f8155b83078a1b9030ee8

SHA1
2a0231d1fbbf5f7420fb1d24d4fc67b896bd7515

SHA256
4695bd0d87d261fbd59f8f5be78e4b3c5ac7682b9c1a048a768241ea5ff9a01e

SHA512
0a9d4a8c79a42d35092ec803ab8c4e540d56eb31e1d3920fa0d56be43eec7599cd3c97cf74afd8db00af9145fffd5878f1e33ab0bced3aebdbe9f695a0db15df

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6b656-eddc-411c-96de-7b09d8e89f09.vbs

Filesize
705B

MD5
86fcfbd04d1799b28a0acc92e3bfa5b9

SHA1
8d42918348677eeda0b4a103a989cae53c2bb057

SHA256
c3f4d1b096d9c87fabb20c4a66cd34bcb1e8253e9dc87bbdf504decf81c9c746

SHA512
ff5e1600916e24e9358f1db75b21e3120f73092836916ab134dc822ed9c76419447e96e8e8fc7ed2b283801ece9954cc20addda6b2d880d4770fd8848c0c1554

Download Submit
C:\Users\Admin\AppData\Local\Temp\67d17496-7b26-43af-9fac-0d8e09598509.vbs

Filesize
705B

MD5
67cc9a8f82841719524454d5d4e51b7b

SHA1
d0b7843f753cc022fe807d85afcd2596aabec31d

SHA256
bf5d40da266977337fa23197c32734343c051b5d1144dc69fd127a845667814f

SHA512
4135bd52d227a7f89f2299e22be3a3f8c26a3e32cbc4a10aa709cae00f1d50b45791ba4c7f192109788eeea7aff0ef6921304879c1054c1f3fe9fd86fa1a46b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c52c7bd-6377-42e0-9f12-a18a7cc4f678.vbs

Filesize
705B

MD5
ba06e6a463415b994fbd2dea51c03464

SHA1
aabc49a53fb69a643d21f20a4208f30fa2096546

SHA256
3139a889e5806add777b0d675c8229253c63d660ce0d7773ac564681f33c8660

SHA512
ad5617dddc68bd79dea1a9e4054449d14239c6c1c52d7cb2b809193db979326307a96f808612dafbbbfe2ac7c23ee52afbb6f54fe8d6ece83ad0208e8ccf07c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d0deca7-b326-4ada-b143-fc6602bff426.vbs

Filesize
705B

MD5
65b9aa640f7dd1bc134857e83d446acf

SHA1
46896d901abc9bbab503ec3d6bcccc3f1d50c302

SHA256
42e687bb132a03027df9610a6240170f59feb9e70b3ae86ee1b2fa4ac8f4b0c3

SHA512
8229da546b004ebcde6be63532acfe944c40a3c0d90d27baa691de5bef59dc8dbc5d5d3606cee2c8b6004a26611100252d62cd5f2f8ad74134b65e1223f02f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\764116b6-2f30-4d1d-9b6c-1cc6d3ef157a.vbs

Filesize
705B

MD5
e00ed7ebd73d8bd3bb5b5a3986d3fce0

SHA1
366db3a5af1912513a77b95fa36a20adabdd46b8

SHA256
71d9d74afe7e9307fed1e6551346760c144527730e6edadfd70708d66c7df957

SHA512
16f58e5cce2521845d1531f550df76b6dbf518ca26c940032afa4910cbf36c1586be10bf7e638aee13f71709dcbb0dffb63c32b3b04ebe2ca8569117360431af

Download Submit
C:\Users\Admin\AppData\Local\Temp\99ab941e-0526-4ff9-a4ed-9f002fead758.vbs

Filesize
705B

MD5
113baf33ce107d2cc34ebfb0605b6838

SHA1
d166ae4982cf5d7b7413dbd12e16b541a2a9f3b8

SHA256
59ccb5c7a4acfd4c170646595a059bb56e7b85617fc133e684c90a1b6aff67fd

SHA512
64ac8df9d9daf3b8542545752bedb48d6521da66ea75b36814d7b9e540341562e7e1964321c3853c4aa2c5db922577b6034d1ac73354f6819eccf91e15c9da3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a99c03e8-51fd-451d-a488-adeb2cd2ab5f.vbs

Filesize
705B

MD5
50bc61019baf7642ce94b7a0c5ba9cb9

SHA1
63c530322c024243345f44a90f92e28f75c83a0a

SHA256
016ed7a084d2598772eee2b831554d5ca8bb7dec70ca88009f0d1ed5c4c6f1dd

SHA512
e9f1316e5e2d70190f643b2db6cb45c1b20543d8d24cf6ad52ab4bc8a104b5c2620f30670f48580f653f9fea5fbfa62d71a0e3f4989e2c07e0858b71826d6bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc27e25-f934-424b-8702-ba4a8dd4cfc3.vbs

Filesize
705B

MD5
16f80de1e0a575d3887c7584adae7290

SHA1
7b7b47115227f22ebded74bc2e0c734a6abead26

SHA256
549cd172f3ac0fd1b57bf4784a2621605472cd099408352a96035e1ac79568ee

SHA512
07624fe0c53b074e4cd79ffe62f00f6106154553a1cb93d6d8039f00b04d3c24837758f9ee0af5b781626961e100ac41736269e677f51398d0333127aa35cc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfed8ffd-bd36-40d1-bfff-cd0c9723f0df.vbs

Filesize
704B

MD5
280cd394f1c9259624021cb8aa933a19

SHA1
5fb1cf25035dba1b91e9aa19b5301c53efe924ec

SHA256
878c432dd4432a385ecc5f76287936150aef1fbb114c8639a942614cba832533

SHA512
ee8e5581f5927ba7378d3062e2ef5f93ce263558cbc4e3c8eb976c898e17c23d631bd42595e1489ca7b8a7dece3f285ab65dc226352cf8b3398c7b1ecee0b526

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbc15265-c319-4884-8a00-3d74b60356f6.vbs

Filesize
705B

MD5
ce7a3bf46835c6c104024b075dc62f92

SHA1
e4631af089acdf953eb71021b45804276486aa2e

SHA256
93d5ca0eb00aedcdf2e1a09c0680b89e12979dceddb567b671b56a87844c3089

SHA512
e7e7a3c889a3aa99c560add1a11205d6e82067b735a4a9ea7d3ce6362eefe4a47d2415ee411b3f41278f9d1a83d7d8af68a603205c9042ecf4be7dfbd2670929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
708f44a9ea22b82a5129427d3c2b92ab

SHA1
eacaf44b440d1ca1615ed9f2c53d7b0cc3eda95d

SHA256
e0d788e343e0da1754c0edcdf3f03f53d9b1f3465a02cc8a28bb52a152400f72

SHA512
03427eddd2ff34d4765d473b56566a5d928c81d6c41895ccf9b0d6b4450eb8117db528e1e9d1f5b4be225e09143324e0b094799e0e74c79bdea4a741b0531dd8

Download Submit
C:\Windows\System32\wbem\stortrace\WmiPrvSE.exe

Filesize
1.1MB

MD5
e282def0d26b0a0ace50c80bd0d3e389

SHA1
aad1e263222141dab481347dc60f033ffc3e86cb

SHA256
e8fa1ef4d468a51c9aabb390609c63f549b8693592d23160d5459817d3fefe88

SHA512
8966a24026b973dfa147d697ef7d659ff3f1b8ec11ea3971593667cd637655edaad4370683069ea2ecea21c1b0863ef79cf46effb8736328c3db010b25299b33

Download Submit
memory/396-271-0x0000000001090000-0x00000000011A4000-memory.dmp

Filesize
1.1MB

Download
memory/1552-173-0x0000000000960000-0x0000000000A74000-memory.dmp

Filesize
1.1MB

Download
memory/1620-221-0x0000000000C70000-0x0000000000D84000-memory.dmp

Filesize
1.1MB

Download
memory/1620-222-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1700-105-0x0000000000970000-0x0000000000A84000-memory.dmp

Filesize
1.1MB

Download
memory/1796-197-0x0000000001200000-0x0000000001314000-memory.dmp

Filesize
1.1MB

Download
memory/1916-246-0x00000000010B0000-0x00000000011C4000-memory.dmp

Filesize
1.1MB

Download
memory/2008-161-0x00000000003E0000-0x00000000004F4000-memory.dmp

Filesize
1.1MB

Download
memory/2012-258-0x00000000000E0000-0x00000000001F4000-memory.dmp

Filesize
1.1MB

Download
memory/2012-259-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2016-106-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2088-234-0x0000000000F00000-0x0000000001014000-memory.dmp

Filesize
1.1MB

Download
memory/2488-185-0x0000000001020000-0x0000000001134000-memory.dmp

Filesize
1.1MB

Download
memory/2620-14-0x0000000000F10000-0x0000000000F1C000-memory.dmp

Filesize
48KB

Download
memory/2620-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2620-1-0x0000000001040000-0x0000000001154000-memory.dmp

Filesize
1.1MB

Download
memory/2620-62-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2620-2-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-37-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-24-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-21-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/2620-20-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/2620-16-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/2620-18-0x0000000000F50000-0x0000000000F58000-memory.dmp

Filesize
32KB

Download
memory/2620-17-0x0000000000F40000-0x0000000000F4C000-memory.dmp

Filesize
48KB

Download
memory/2620-12-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2620-138-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-3-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2620-15-0x0000000000F20000-0x0000000000F2A000-memory.dmp

Filesize
40KB

Download
memory/2620-13-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/2620-6-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2620-11-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2620-8-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2620-9-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/2620-10-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/2620-7-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/2620-5-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/2620-4-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2672-209-0x0000000000350000-0x0000000000464000-memory.dmp

Filesize
1.1MB

Download
memory/2732-149-0x0000000000D10000-0x0000000000E24000-memory.dmp

Filesize
1.1MB

Download
memory/2776-116-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download