dcrat | 1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7

Analysis

max time kernel
123s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Size

1.2MB
MD5

f9d2c2af142780d56f0949bc70c9d527
SHA1

418c50d37d67303d10618b471b8184d4e49f6a46
SHA256

1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7
SHA512

b45f4329cf966c51febcf495364be4f63ce955d3ebe11ebdf1d65846f4b7b06279a2cce875c6385b38b2637b7be9617dbf71b3c62326ca518b3fcc923a584957
SSDEEP

24576:linPXeVB3y6h9Q7T3UlJkbuIkpcJwOUP49sV:ry6XxkbnEP1

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 46 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1772	schtasks.exe
		832	schtasks.exe
		2160	schtasks.exe
		2244	schtasks.exe
		2260	schtasks.exe
		1600	schtasks.exe
		548	schtasks.exe
		1784	schtasks.exe
		596	schtasks.exe
		1924	schtasks.exe
		1304	schtasks.exe
		2064	schtasks.exe
		1152	schtasks.exe
		1948	schtasks.exe
		360	schtasks.exe
		1164	schtasks.exe
		1932	schtasks.exe
		848	schtasks.exe
		1724	schtasks.exe
		2088	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
		1396	schtasks.exe
		680	schtasks.exe
		2132	schtasks.exe
		1580	schtasks.exe
		928	schtasks.exe
		2000	schtasks.exe
		1512	schtasks.exe
		1800	schtasks.exe
		1012	schtasks.exe
		1716	schtasks.exe
		680	schtasks.exe
		2176	schtasks.exe
		1520	schtasks.exe
		1544	schtasks.exe
		1108	schtasks.exe
		2200	schtasks.exe
		976	schtasks.exe
		2112	schtasks.exe
		2220	schtasks.exe
		108	schtasks.exe
		2024	schtasks.exe
		1388	schtasks.exe
		1836	schtasks.exe
		1624	schtasks.exe
		268	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\", \"C:\\Users\\Default\\Downloads\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\csrss.exe\", \"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\csrss.exe\", \"C:\\Windows\\ja-JP\\smss.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\csrss.exe\", \"C:\\Windows\\es-ES\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\", \"C:\\Users\\Default\\Downloads\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\csrss.exe\", \"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\csrss.exe\", \"C:\\Windows\\ja-JP\\smss.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\csrss.exe\", \"C:\\Windows\\es-ES\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Mail\\ja-JP\\lsass.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\", \"C:\\Users\\Default\\Downloads\\WMIADAP.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\", \"C:\\Users\\Default\\Downloads\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\csrss.exe\", \"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\csrss.exe\", \"C:\\Windows\\ja-JP\\smss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\", \"C:\\Users\\Default\\Downloads\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\csrss.exe\", \"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\csrss.exe\", \"C:\\Windows\\ja-JP\\smss.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\", \"C:\\Users\\Default\\Downloads\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\csrss.exe\", \"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\csrss.exe\", \"C:\\Windows\\ja-JP\\smss.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\csrss.exe\", \"C:\\Windows\\es-ES\\lsm.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\", \"C:\\Users\\Default\\Downloads\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\csrss.exe\", \"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\", \"C:\\Users\\Default\\Downloads\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\csrss.exe\", \"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\csrss.exe\", \"C:\\Windows\\ja-JP\\smss.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\csrss.exe\", \"C:\\Windows\\es-ES\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\lsass.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\", \"C:\\Users\\Default\\Downloads\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\csrss.exe\", \"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\csrss.exe\", \"C:\\Windows\\ja-JP\\smss.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\csrss.exe\", \"C:\\Windows\\es-ES\\lsm.exe\", \"C:\\Program Files\\Windows Sidebar\\de-DE\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\lsass.exe\", \"C:\\Program Files (x86)\\Windows Mail\\ja-JP\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\WmiPrvSE.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\", \"C:\\Users\\Default\\Downloads\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Desktop\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\", \"C:\\Windows\\Web\\taskhost.exe\", \"C:\\Users\\Default\\Downloads\\WMIADAP.exe\", \"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\", \"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1720	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1720	schtasks.exe	28

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1680-54-0x0000000000090000-0x00000000001C6000-memory.dmp	dcrat
behavioral1/files/0x00090000000126c7-113.dat	dcrat
behavioral1/files/0x00090000000126c7-114.dat	dcrat
behavioral1/memory/2236-115-0x0000000000C40000-0x0000000000D76000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2236	smss.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Downloaded Program Files\\spoolsv.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\WmiPrvSE.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\Web\\taskhost.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Sidebar\\de-DE\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\ja-JP\\smss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\es-ES\\lsm.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\lsass.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Mail\\ja-JP\\lsass.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Desktop\\taskhost.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\smss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\WmiPrvSE.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Mail\\ja-JP\\lsass.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\de-DE\\dwm.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Users\\Default\\Downloads\\WMIADAP.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\es-ES\\lsm.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Sidebar\\de-DE\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\All Users\\Desktop\\taskhost.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\ja-JP\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\ja-JP\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\System\\ado\\de-DE\\csrss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Mail\\fr-FR\\lsass.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\Web\\taskhost.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Users\\Default\\Downloads\\WMIADAP.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\ja-JP\\smss.exe\""	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\RCX5814.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\RCX4388.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCX73A4.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\6cb0b6c459d5d3	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\csrss.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files\Windows Sidebar\de-DE\csrss.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files\Windows Sidebar\de-DE\886983d96e3d3e	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\6203df4a6bafc7	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\de-DE\RCXFB75.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\de-DE\dwm.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\RCX400E.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\886983d96e3d3e	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files\Internet Explorer\ja-JP\csrss.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files\Internet Explorer\ja-JP\886983d96e3d3e	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\lsass.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\lsass.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\6203df4a6bafc7	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\csrss.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCX701B.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCX7FA8.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\RCX5B8E.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\dwm.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\de-DE\RCXF7FA.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\csrss.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\csrss.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\lsass.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\RCX8831.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCX7C2D.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\RCX8BAB.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\lsass.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\Web\taskhost.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Windows\Web\b75386f1303e64	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Windows\ja-JP\smss.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Windows\es-ES\101b941d020240	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\Web\taskhost.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\Downloaded Program Files\spoolsv.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Windows\Downloaded Program Files\spoolsv.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Windows\ja-JP\69ddcba757bf72	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\Web\RCX1001.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\ja-JP\RCX4F8B.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Windows\Downloaded Program Files\f3b6ecef712a24	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File created	C:\Windows\es-ES\lsm.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX2807.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX2B82.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\es-ES\RCX6417.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\Web\RCX137B.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\ja-JP\RCX4C11.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\ja-JP\smss.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\es-ES\RCX6792.tmp	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
File opened for modification	C:\Windows\es-ES\lsm.exe	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
928	schtasks.exe
2000	schtasks.exe
680	schtasks.exe
1724	schtasks.exe
1304	schtasks.exe
2064	schtasks.exe
1948	schtasks.exe
1108	schtasks.exe
976	schtasks.exe
2160	schtasks.exe
2200	schtasks.exe
2244	schtasks.exe
596	schtasks.exe
1716	schtasks.exe
1800	schtasks.exe
848	schtasks.exe
1580	schtasks.exe
1836	schtasks.exe
680	schtasks.exe
1784	schtasks.exe
108	schtasks.exe
1388	schtasks.exe
1512	schtasks.exe
548	schtasks.exe
1924	schtasks.exe
2112	schtasks.exe
1520	schtasks.exe
360	schtasks.exe
1544	schtasks.exe
1164	schtasks.exe
1624	schtasks.exe
2088	schtasks.exe
2260	schtasks.exe
1152	schtasks.exe
1396	schtasks.exe
1012	schtasks.exe
1600	schtasks.exe
268	schtasks.exe
2132	schtasks.exe
2220	schtasks.exe
1772	schtasks.exe
2024	schtasks.exe
2176	schtasks.exe
1932	schtasks.exe
832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
2912	powershell.exe
2372	powershell.exe
2448	powershell.exe
2336	powershell.exe
2404	powershell.exe
2612	powershell.exe
2556	powershell.exe
2984	powershell.exe
2300	powershell.exe
2768	powershell.exe
2856	powershell.exe
2476	powershell.exe
2496	powershell.exe
2356	powershell.exe
2320	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Token: SeDebugPrivilege	2236	smss.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2300	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	75
PID 1680 wrote to memory of 2300	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	75
PID 1680 wrote to memory of 2300	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	75
PID 1680 wrote to memory of 2320	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	77
PID 1680 wrote to memory of 2320	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	77
PID 1680 wrote to memory of 2320	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	77
PID 1680 wrote to memory of 2336	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	78
PID 1680 wrote to memory of 2336	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	78
PID 1680 wrote to memory of 2336	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	78
PID 1680 wrote to memory of 2356	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	80
PID 1680 wrote to memory of 2356	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	80
PID 1680 wrote to memory of 2356	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	80
PID 1680 wrote to memory of 2372	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	82
PID 1680 wrote to memory of 2372	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	82
PID 1680 wrote to memory of 2372	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	82
PID 1680 wrote to memory of 2404	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	83
PID 1680 wrote to memory of 2404	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	83
PID 1680 wrote to memory of 2404	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	83
PID 1680 wrote to memory of 2416	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	85
PID 1680 wrote to memory of 2416	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	85
PID 1680 wrote to memory of 2416	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	85
PID 1680 wrote to memory of 2448	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	87
PID 1680 wrote to memory of 2448	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	87
PID 1680 wrote to memory of 2448	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	87
PID 1680 wrote to memory of 2476	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	88
PID 1680 wrote to memory of 2476	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	88
PID 1680 wrote to memory of 2476	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	88
PID 1680 wrote to memory of 2496	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	92
PID 1680 wrote to memory of 2496	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	92
PID 1680 wrote to memory of 2496	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	92
PID 1680 wrote to memory of 2556	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	100
PID 1680 wrote to memory of 2556	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	100
PID 1680 wrote to memory of 2556	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	100
PID 1680 wrote to memory of 2612	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	94
PID 1680 wrote to memory of 2612	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	94
PID 1680 wrote to memory of 2612	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	94
PID 1680 wrote to memory of 2768	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	97
PID 1680 wrote to memory of 2768	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	97
PID 1680 wrote to memory of 2768	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	97
PID 1680 wrote to memory of 2856	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	99
PID 1680 wrote to memory of 2856	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	99
PID 1680 wrote to memory of 2856	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	99
PID 1680 wrote to memory of 2912	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	102
PID 1680 wrote to memory of 2912	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	102
PID 1680 wrote to memory of 2912	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	102
PID 1680 wrote to memory of 2984	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	103
PID 1680 wrote to memory of 2984	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	103
PID 1680 wrote to memory of 2984	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	103
PID 1680 wrote to memory of 2236	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	107
PID 1680 wrote to memory of 2236	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	107
PID 1680 wrote to memory of 2236	1680	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe	107

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe

C:\Users\Admin\AppData\Local\Temp\1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe
"C:\Users\Admin\AppData\Local\Temp\1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1eb103ff7cb38fac0cd822ceed53ed7cc5ebc4646fe739049f1ca1de9156aed7.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\taskhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\de-DE\dwm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\taskhost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\WMIADAP.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\spoolsv.exe'
  2⤵
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ado\de-DE\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\lsm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WmiPrvSE.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\smss.exe
  "C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Web\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Downloads\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\ado\de-DE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ado\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\ado\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\de-DE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\smss.exe

Filesize
1.2MB

MD5
c5e53f7ad387b7ed01c6dcb483e1c646

SHA1
6283492194ff610f2adb699bcefac9958166fbd2

SHA256
848c3ebf7ab6fa1c7a6bfd66b28ccfdf57cabeeb812749efcb4a6a8daa6daf20

SHA512
6177ee740f3c5ed8fa40bc0d4439679070678bc241b86502cfe55b0706c9df6d0242c72920f18a4d7a556fe809e338ccc93266245f8c9e923e866a6d98e0b14a

Download Submit
C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\smss.exe

Filesize
1.2MB

MD5
c5e53f7ad387b7ed01c6dcb483e1c646

SHA1
6283492194ff610f2adb699bcefac9958166fbd2

SHA256
848c3ebf7ab6fa1c7a6bfd66b28ccfdf57cabeeb812749efcb4a6a8daa6daf20

SHA512
6177ee740f3c5ed8fa40bc0d4439679070678bc241b86502cfe55b0706c9df6d0242c72920f18a4d7a556fe809e338ccc93266245f8c9e923e866a6d98e0b14a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0924d34e221887f38b81d5ce818e1d02

SHA1
0ee5b3d4255e193c7dd0749f7a2a167cf3ce5e54

SHA256
751e8e4fc40bd23a78f9283d317847278cc3dc578b8afc6bf53818061acb8efa

SHA512
d5ea856fe8b542ad1e97912847bb28f1de8337bb954b510ab3726aa9f26dd2254a457ba6cee64497864fcdf1f58c8e42fa71b6f6971514554ced9dc4de6c3b72

Download Submit
memory/1680-63-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/1680-62-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1680-55-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1680-56-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1680-57-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/1680-58-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/1680-59-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/1680-54-0x0000000000090000-0x00000000001C6000-memory.dmp

Filesize
1.2MB

Download
memory/1680-60-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/1680-61-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2236-115-0x0000000000C40000-0x0000000000D76000-memory.dmp

Filesize
1.2MB

Download
memory/2300-197-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/2300-87-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2300-168-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/2300-133-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2300-198-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/2300-201-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/2300-144-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/2300-74-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/2320-202-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2320-150-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2320-158-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2320-86-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2320-200-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/2320-204-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/2336-169-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/2336-134-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2336-193-0x0000000002694000-0x0000000002697000-memory.dmp

Filesize
12KB

Download
memory/2336-194-0x000000000269B000-0x00000000026BA000-memory.dmp

Filesize
124KB

Download
memory/2336-123-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2336-211-0x000000000269B000-0x00000000026BA000-memory.dmp

Filesize
124KB

Download
memory/2336-145-0x0000000002694000-0x0000000002697000-memory.dmp

Filesize
12KB

Download
memory/2356-173-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/2356-153-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/2356-205-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/2356-209-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/2356-207-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/2372-121-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2372-132-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2372-172-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/2372-203-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/2372-208-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/2372-143-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/2372-206-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/2404-184-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/2404-135-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2404-159-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/2404-210-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/2404-146-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/2404-124-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2404-180-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/2448-130-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2448-186-0x000000000207B000-0x000000000209A000-memory.dmp

Filesize
124KB

Download
memory/2448-179-0x0000000002074000-0x0000000002077000-memory.dmp

Filesize
12KB

Download
memory/2448-119-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2448-164-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/2448-141-0x0000000002074000-0x0000000002077000-memory.dmp

Filesize
12KB

Download
memory/2476-126-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2476-151-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/2476-182-0x0000000002654000-0x0000000002657000-memory.dmp

Filesize
12KB

Download
memory/2476-190-0x000000000265B000-0x000000000267A000-memory.dmp

Filesize
124KB

Download
memory/2476-154-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2476-166-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/2496-192-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/2496-156-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2496-195-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/2496-127-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2496-152-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/2556-188-0x00000000022BB000-0x00000000022DA000-memory.dmp

Filesize
124KB

Download
memory/2556-129-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2556-160-0x000000001B8C0000-0x000000001BBBF000-memory.dmp

Filesize
3.0MB

Download
memory/2556-120-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2556-176-0x00000000022BB000-0x00000000022DA000-memory.dmp

Filesize
124KB

Download
memory/2556-136-0x00000000022B4000-0x00000000022B7000-memory.dmp

Filesize
12KB

Download
memory/2556-177-0x00000000022B4000-0x00000000022B7000-memory.dmp

Filesize
12KB

Download
memory/2612-137-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2612-174-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/2612-125-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2612-183-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/2612-157-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/2612-175-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/2612-162-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/2768-196-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/2768-199-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/2768-148-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/2768-139-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2768-122-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2768-171-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/2856-185-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/2856-149-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/2856-140-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2856-118-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2856-165-0x000000001B8D0000-0x000000001BBCF000-memory.dmp

Filesize
3.0MB

Download
memory/2856-191-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/2912-187-0x00000000027CB000-0x00000000027EA000-memory.dmp

Filesize
124KB

Download
memory/2912-147-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/2912-178-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/2912-161-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/2912-117-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download
memory/2912-138-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2984-142-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/2984-131-0x000007FEF54B0000-0x000007FEF600D000-memory.dmp

Filesize
11.4MB

Download
memory/2984-181-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/2984-163-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/2984-189-0x000000000245B000-0x000000000247A000-memory.dmp

Filesize
124KB

Download
memory/2984-116-0x000007FEEBC30000-0x000007FEEC653000-memory.dmp

Filesize
10.1MB

Download