dcrat | 477803b49dfa3b686c7eee0b25448d71e00ffd3bdabcd3d590cda750bb67c9df

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-01-2023 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Size

1.7MB
MD5

a8490ec288042a275cc34152e7e38e58
SHA1

55d45e8d0818b6549104b8656462125cb1ef9d46
SHA256

878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682
SHA512

9cae5d7b7fb1c1919849c9ff66cbdf0c709021da6147e360416c7795bd621afb4a6880ad91abce55594fbc56725dc165a7c8b4d6fca7c50c4ba60294dd971a8f
SSDEEP

24576:oVvACGOfLOiwzatXNbn11rHfq+XwXwIfBnshZWU/8WT1HNg9o71rRS:oVvACGpAj11hgpJs/FUW89SV

Score

10^/10

dcrat evasion infostealer persistence rat spyware stealer trojan

Malware Config

Signatures

DcRat 44 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1764	schtasks.exe
		1552	schtasks.exe
		1464	schtasks.exe
		2016	schtasks.exe
		1176	schtasks.exe
		684	schtasks.exe
		268	schtasks.exe
		1540	schtasks.exe
		1732	schtasks.exe
		2208	schtasks.exe
		2232	schtasks.exe
		672	schtasks.exe
		1900	schtasks.exe
		808	schtasks.exe
		2028	schtasks.exe
		1428	schtasks.exe
		2092	schtasks.exe
		2164	schtasks.exe
		892	schtasks.exe
		548	schtasks.exe
		2072	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
		1596	schtasks.exe
		984	schtasks.exe
		844	schtasks.exe
		1508	schtasks.exe
		552	schtasks.exe
		1824	schtasks.exe
		1392	schtasks.exe
		1832	schtasks.exe
		2188	schtasks.exe
		1372	schtasks.exe
		1548	schtasks.exe
		1984	schtasks.exe
		2140	schtasks.exe
		1612	schtasks.exe
		1128	schtasks.exe
		2256	schtasks.exe
File created	C:\Program Files\7-Zip\Lang\b75386f1303e64		878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
		924	schtasks.exe
		992	schtasks.exe
		1920	schtasks.exe
		1068	schtasks.exe
		2108	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Admin\\Templates\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\services.exe\", \"C:\\Program Files\\Google\\dwm.exe\", \"C:\\Users\\Default User\\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\WMIADAP.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Admin\\Templates\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\services.exe\", \"C:\\Program Files\\Google\\dwm.exe\", \"C:\\Users\\Default User\\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\wininit.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Admin\\Templates\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\services.exe\", \"C:\\Program Files\\Google\\dwm.exe\", \"C:\\Users\\Default User\\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\wininit.exe\", \"C:\\Windows\\IME\\IMESC5\\spoolsv.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Windows\\Fonts\\services.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Admin\\Templates\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\services.exe\", \"C:\\Program Files\\Google\\dwm.exe\", \"C:\\Users\\Default User\\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\wininit.exe\", \"C:\\Windows\\IME\\IMESC5\\spoolsv.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Windows\\Fonts\\services.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Admin\\Templates\\System.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Admin\\Templates\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\services.exe\", \"C:\\Program Files\\Google\\dwm.exe\", \"C:\\Users\\Default User\\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Admin\\Templates\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\services.exe\", \"C:\\Program Files\\Google\\dwm.exe\", \"C:\\Users\\Default User\\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\wininit.exe\", \"C:\\Windows\\IME\\IMESC5\\spoolsv.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Admin\\Templates\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\services.exe\", \"C:\\Program Files\\Google\\dwm.exe\", \"C:\\Users\\Default User\\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\WMIADAP.exe\", \"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\wininit.exe\", \"C:\\Windows\\IME\\IMESC5\\spoolsv.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Admin\\Templates\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Admin\\Templates\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\services.exe\", \"C:\\Program Files\\Google\\dwm.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\", \"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\", \"C:\\Users\\Admin\\Templates\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\services.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1724	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1724	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1224-54-0x00000000012A0000-0x0000000001454000-memory.dmp	dcrat
behavioral1/files/0x0006000000016566-104.dat	dcrat
behavioral1/memory/3044-108-0x0000000001260000-0x0000000001414000-memory.dmp	dcrat
behavioral1/files/0x0006000000016566-106.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
3044	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Fonts\\services.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\services.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682 = "\"C:\\Users\\Default User\\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\IME\\IMESC5\\spoolsv.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\IME\\IMESC5\\spoolsv.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Downloaded Program Files\\winlogon.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Google\\dwm.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\WmiPrvSE.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\lsass.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682 = "\"C:\\Users\\Default User\\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\csrss.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\services.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\wininit.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Downloaded Program Files\\winlogon.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Defender\\ja-JP\\spoolsv.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\Templates\\System.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\WMIADAP.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\wininit.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\Templates\\System.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\7-Zip\\Lang\\taskhost.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Google\\dwm.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\\WMIADAP.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Fonts\\services.exe\""	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX7472.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX7741.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files\Windows Defender\ja-JP\spoolsv.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsass.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCX31CF.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCX377C.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCX3A3B.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files\7-Zip\Lang\taskhost.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files\7-Zip\Lang\b75386f1303e64	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\c5b4cb5e9653cc	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\lsm.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX2C03.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files\Google\RCX4DB2.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\taskhost.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\24dbde2999530e	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCX349E.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCX4566.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files\Google\RCX5071.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files\Google\dwm.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files\Google\6cb0b6c459d5d3	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCX4297.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX4AF3.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\6203df4a6bafc7	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX4834.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX2ED2.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\WmiPrvSE.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Program Files\Windows Defender\ja-JP\f3b6ecef712a24	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\RCX6C26.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Windows\Fonts\RCX6EE5.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Windows\IME\IMESC5\spoolsv.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Windows\IME\IMESC5\f3b6ecef712a24	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Windows\Downloaded Program Files\cc11b995f2a76d	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Windows\Fonts\c5b4cb5e9653cc	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX6957.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Windows\Fonts\RCX71B3.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Windows\Downloaded Program Files\winlogon.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File created	C:\Windows\Fonts\services.exe	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Windows\IME\IMESC5\RCX63D9.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
File opened for modification	C:\Windows\IME\IMESC5\RCX6698.tmp	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
984	schtasks.exe
268	schtasks.exe
2072	schtasks.exe
2256	schtasks.exe
2016	schtasks.exe
548	schtasks.exe
1612	schtasks.exe
1428	schtasks.exe
2092	schtasks.exe
2164	schtasks.exe
2232	schtasks.exe
684	schtasks.exe
1392	schtasks.exe
1764	schtasks.exe
992	schtasks.exe
2140	schtasks.exe
1176	schtasks.exe
1540	schtasks.exe
2108	schtasks.exe
892	schtasks.exe
672	schtasks.exe
1596	schtasks.exe
924	schtasks.exe
1732	schtasks.exe
1832	schtasks.exe
1068	schtasks.exe
2188	schtasks.exe
1552	schtasks.exe
1372	schtasks.exe
1128	schtasks.exe
1984	schtasks.exe
552	schtasks.exe
1464	schtasks.exe
1900	schtasks.exe
844	schtasks.exe
1920	schtasks.exe
1508	schtasks.exe
808	schtasks.exe
1824	schtasks.exe
2028	schtasks.exe
1548	schtasks.exe
2208	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
3044	spoolsv.exe
2288	powershell.exe
2496	powershell.exe
2604	powershell.exe
2540	powershell.exe
2396	powershell.exe
2356	powershell.exe
2424	powershell.exe
2436	powershell.exe
2300	powershell.exe
2312	powershell.exe
2344	powershell.exe
2700	powershell.exe
3044	spoolsv.exe
3044	spoolsv.exe
3044	spoolsv.exe
3044	spoolsv.exe
3044	spoolsv.exe
3044	spoolsv.exe
3044	spoolsv.exe
3044	spoolsv.exe
3044	spoolsv.exe
3044	spoolsv.exe
3044	spoolsv.exe
3044	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Token: SeDebugPrivilege	3044	spoolsv.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2288	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	71
PID 1224 wrote to memory of 2288	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	71
PID 1224 wrote to memory of 2288	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	71
PID 1224 wrote to memory of 2300	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	76
PID 1224 wrote to memory of 2300	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	76
PID 1224 wrote to memory of 2300	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	76
PID 1224 wrote to memory of 2312	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	74
PID 1224 wrote to memory of 2312	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	74
PID 1224 wrote to memory of 2312	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	74
PID 1224 wrote to memory of 2344	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	75
PID 1224 wrote to memory of 2344	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	75
PID 1224 wrote to memory of 2344	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	75
PID 1224 wrote to memory of 2356	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	78
PID 1224 wrote to memory of 2356	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	78
PID 1224 wrote to memory of 2356	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	78
PID 1224 wrote to memory of 2396	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	79
PID 1224 wrote to memory of 2396	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	79
PID 1224 wrote to memory of 2396	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	79
PID 1224 wrote to memory of 2424	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	80
PID 1224 wrote to memory of 2424	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	80
PID 1224 wrote to memory of 2424	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	80
PID 1224 wrote to memory of 2436	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	82
PID 1224 wrote to memory of 2436	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	82
PID 1224 wrote to memory of 2436	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	82
PID 1224 wrote to memory of 2496	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	85
PID 1224 wrote to memory of 2496	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	85
PID 1224 wrote to memory of 2496	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	85
PID 1224 wrote to memory of 2540	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	86
PID 1224 wrote to memory of 2540	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	86
PID 1224 wrote to memory of 2540	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	86
PID 1224 wrote to memory of 2604	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	87
PID 1224 wrote to memory of 2604	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	87
PID 1224 wrote to memory of 2604	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	87
PID 1224 wrote to memory of 2700	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	95
PID 1224 wrote to memory of 2700	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	95
PID 1224 wrote to memory of 2700	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	95
PID 1224 wrote to memory of 2816	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	93
PID 1224 wrote to memory of 2816	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	93
PID 1224 wrote to memory of 2816	1224	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe	93
PID 2816 wrote to memory of 2988	2816	cmd.exe	94
PID 2816 wrote to memory of 2988	2816	cmd.exe	94
PID 2816 wrote to memory of 2988	2816	cmd.exe	94
PID 2816 wrote to memory of 3044	2816	cmd.exe	98
PID 2816 wrote to memory of 3044	2816	cmd.exe	98
PID 2816 wrote to memory of 3044	2816	cmd.exe	98

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe

C:\Users\Admin\AppData\Local\Temp\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe
"C:\Users\Admin\AppData\Local\Temp\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZXxtgsrOoz.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2988
- - C:\Program Files\Windows Defender\ja-JP\spoolsv.exe
    "C:\Program Files\Windows Defender\ja-JP\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\ja-JP\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a556828" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682" /sc ONLOGON /tr "'C:\Users\Default User\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a556828" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\878ca94c0a87add5a199309ba3bbb222e7cfe76f118b3f9e00f82a11c5a55682.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\IMESC5\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\IME\IMESC5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\IMESC5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\ja-JP\spoolsv.exe

Filesize
1.7MB

MD5
241e073f1a28ac63fa500fa983921fc3

SHA1
e7269473312a1540d30d85d95cd68784734d83c6

SHA256
4d2a09157e90274944d8467d6f4faebe02785661c795e95247e1ba2c64a4e399

SHA512
09ea89be810d66fcd5a5e6c1663950feb6e23b2fd742ea8eb6d54847ee50a2acf61496106077b902614b7de71bbec9867897bbbc2e5bb84bf9f530169b7660a0

Download Submit
C:\Program Files\Windows Defender\ja-JP\spoolsv.exe

Filesize
1.7MB

MD5
241e073f1a28ac63fa500fa983921fc3

SHA1
e7269473312a1540d30d85d95cd68784734d83c6

SHA256
4d2a09157e90274944d8467d6f4faebe02785661c795e95247e1ba2c64a4e399

SHA512
09ea89be810d66fcd5a5e6c1663950feb6e23b2fd742ea8eb6d54847ee50a2acf61496106077b902614b7de71bbec9867897bbbc2e5bb84bf9f530169b7660a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZXxtgsrOoz.bat

Filesize
216B

MD5
e4d7787a289b1fc4484532058280ebf4

SHA1
aaef1e198bf966eca1ad6131bc5b0d3e3e32f8e3

SHA256
ba35c17c8a2c59c863289e0d10be8db3416660110ed48aa194794926c1239b16

SHA512
cd8e4b91e813fd5d93cec2de43d2d1078b3feedf8a0df978f0214fb26c999e00915c727d5b8ab085d65f7418a09376bac591365b5de26f42028b203cf6c83c8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
efb69641256c84db9a0ef8d39be2a31b

SHA1
8f87fe34a99bad5e7c1001c74bd9eb6f71a4cd0d

SHA256
f394741acd60d89e10bb4df3f8bad48eebaccb7f9325d5774bb14ec32d074fc8

SHA512
4ce361896e857a2c365e85fd9d05117f53061fecab4757cd1d8a195cbe7dee8bf795e097b87fdd8c185999b428819f7bca5fbba56e4a16ce1975371dadb4bde7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
efb69641256c84db9a0ef8d39be2a31b

SHA1
8f87fe34a99bad5e7c1001c74bd9eb6f71a4cd0d

SHA256
f394741acd60d89e10bb4df3f8bad48eebaccb7f9325d5774bb14ec32d074fc8

SHA512
4ce361896e857a2c365e85fd9d05117f53061fecab4757cd1d8a195cbe7dee8bf795e097b87fdd8c185999b428819f7bca5fbba56e4a16ce1975371dadb4bde7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
efb69641256c84db9a0ef8d39be2a31b

SHA1
8f87fe34a99bad5e7c1001c74bd9eb6f71a4cd0d

SHA256
f394741acd60d89e10bb4df3f8bad48eebaccb7f9325d5774bb14ec32d074fc8

SHA512
4ce361896e857a2c365e85fd9d05117f53061fecab4757cd1d8a195cbe7dee8bf795e097b87fdd8c185999b428819f7bca5fbba56e4a16ce1975371dadb4bde7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
efb69641256c84db9a0ef8d39be2a31b

SHA1
8f87fe34a99bad5e7c1001c74bd9eb6f71a4cd0d

SHA256
f394741acd60d89e10bb4df3f8bad48eebaccb7f9325d5774bb14ec32d074fc8

SHA512
4ce361896e857a2c365e85fd9d05117f53061fecab4757cd1d8a195cbe7dee8bf795e097b87fdd8c185999b428819f7bca5fbba56e4a16ce1975371dadb4bde7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
efb69641256c84db9a0ef8d39be2a31b

SHA1
8f87fe34a99bad5e7c1001c74bd9eb6f71a4cd0d

SHA256
f394741acd60d89e10bb4df3f8bad48eebaccb7f9325d5774bb14ec32d074fc8

SHA512
4ce361896e857a2c365e85fd9d05117f53061fecab4757cd1d8a195cbe7dee8bf795e097b87fdd8c185999b428819f7bca5fbba56e4a16ce1975371dadb4bde7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
efb69641256c84db9a0ef8d39be2a31b

SHA1
8f87fe34a99bad5e7c1001c74bd9eb6f71a4cd0d

SHA256
f394741acd60d89e10bb4df3f8bad48eebaccb7f9325d5774bb14ec32d074fc8

SHA512
4ce361896e857a2c365e85fd9d05117f53061fecab4757cd1d8a195cbe7dee8bf795e097b87fdd8c185999b428819f7bca5fbba56e4a16ce1975371dadb4bde7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
efb69641256c84db9a0ef8d39be2a31b

SHA1
8f87fe34a99bad5e7c1001c74bd9eb6f71a4cd0d

SHA256
f394741acd60d89e10bb4df3f8bad48eebaccb7f9325d5774bb14ec32d074fc8

SHA512
4ce361896e857a2c365e85fd9d05117f53061fecab4757cd1d8a195cbe7dee8bf795e097b87fdd8c185999b428819f7bca5fbba56e4a16ce1975371dadb4bde7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
efb69641256c84db9a0ef8d39be2a31b

SHA1
8f87fe34a99bad5e7c1001c74bd9eb6f71a4cd0d

SHA256
f394741acd60d89e10bb4df3f8bad48eebaccb7f9325d5774bb14ec32d074fc8

SHA512
4ce361896e857a2c365e85fd9d05117f53061fecab4757cd1d8a195cbe7dee8bf795e097b87fdd8c185999b428819f7bca5fbba56e4a16ce1975371dadb4bde7

Download Submit
memory/1224-65-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

Filesize
56KB

Download
memory/1224-56-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/1224-67-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

Filesize
48KB

Download
memory/1224-55-0x00000000006E0000-0x00000000006FC000-memory.dmp

Filesize
112KB

Download
memory/1224-57-0x0000000000710000-0x0000000000726000-memory.dmp

Filesize
88KB

Download
memory/1224-54-0x00000000012A0000-0x0000000001454000-memory.dmp

Filesize
1.7MB

Download
memory/1224-58-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/1224-59-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/1224-60-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/1224-66-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

Filesize
32KB

Download
memory/1224-61-0x0000000000E50000-0x0000000000E5C000-memory.dmp

Filesize
48KB

Download
memory/1224-62-0x0000000000F70000-0x0000000000F78000-memory.dmp

Filesize
32KB

Download
memory/1224-63-0x0000000000F80000-0x0000000000F88000-memory.dmp

Filesize
32KB

Download
memory/1224-64-0x0000000000F90000-0x0000000000F9E000-memory.dmp

Filesize
56KB

Download
memory/2288-112-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2288-144-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/2288-122-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/2288-113-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/2300-173-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/2300-73-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/2300-147-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2300-131-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2300-78-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2300-187-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/2300-127-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/2300-160-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/2300-178-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2312-152-0x0000000001E80000-0x0000000001F00000-memory.dmp

Filesize
512KB

Download
memory/2312-136-0x0000000001E80000-0x0000000001F00000-memory.dmp

Filesize
512KB

Download
memory/2312-124-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/2312-117-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2312-165-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/2344-116-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2344-135-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2344-171-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/2344-151-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2344-179-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2344-142-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/2344-188-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/2356-175-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/2356-145-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/2356-133-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/2356-149-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/2356-111-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2356-177-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/2356-126-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/2356-186-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/2396-87-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2396-129-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/2396-157-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/2396-167-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/2396-132-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/2396-185-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/2396-148-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/2396-176-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/2424-172-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/2424-139-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/2424-191-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/2424-182-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/2424-154-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/2424-121-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2424-125-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/2436-146-0x00000000029F4000-0x00000000029F7000-memory.dmp

Filesize
12KB

Download
memory/2436-114-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/2436-190-0x00000000029FB000-0x0000000002A1A000-memory.dmp

Filesize
124KB

Download
memory/2436-162-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/2436-110-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2436-174-0x00000000029FB000-0x0000000002A1A000-memory.dmp

Filesize
124KB

Download
memory/2436-181-0x00000000029F4000-0x00000000029F7000-memory.dmp

Filesize
12KB

Download
memory/2436-128-0x00000000029F4000-0x00000000029F7000-memory.dmp

Filesize
12KB

Download
memory/2496-134-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/2496-158-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/2496-168-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/2496-130-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/2496-115-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2496-183-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/2496-150-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/2540-137-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/2540-153-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/2540-159-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/2540-118-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2540-169-0x00000000029BB000-0x00000000029DA000-memory.dmp

Filesize
124KB

Download
memory/2540-184-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/2540-141-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/2604-140-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2604-120-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2604-123-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/2604-170-0x000000000293B000-0x000000000295A000-memory.dmp

Filesize
124KB

Download
memory/2604-161-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/2604-155-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2700-138-0x00000000026B4000-0x00000000026B7000-memory.dmp

Filesize
12KB

Download
memory/2700-189-0x00000000026BB000-0x00000000026DA000-memory.dmp

Filesize
124KB

Download
memory/2700-156-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/2700-119-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/2700-166-0x00000000026BB000-0x00000000026DA000-memory.dmp

Filesize
124KB

Download
memory/2700-180-0x00000000026B4000-0x00000000026B7000-memory.dmp

Filesize
12KB

Download
memory/2700-143-0x000007FEEB080000-0x000007FEEBBDD000-memory.dmp

Filesize
11.4MB

Download
memory/3044-109-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/3044-108-0x0000000001260000-0x0000000001414000-memory.dmp

Filesize
1.7MB

Download