dcrat | e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Size

4.9MB
MD5

c19d6e26d2bb9da6cfe5d93f0c7123c0
SHA1

4c7b1e4dd55956143de9bbdda2fb4b72792a2993
SHA256

e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0
SHA512

c4da5528b43be763d6ce388f5774bf2a131a75277dbab1623695652737c1d967690d569dd529da670e4fa3eb4651c423ec4e017d2bb34a2de27418c7b6adb50f
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2576	schtasks.exe
		2284	schtasks.exe
		2296	schtasks.exe
		1600	schtasks.exe
		3020	schtasks.exe
		2644	schtasks.exe
		540	schtasks.exe
		2040	schtasks.exe
		1044	schtasks.exe
		1892	schtasks.exe
		1980	schtasks.exe
		2928	schtasks.exe
		300	schtasks.exe
		828	schtasks.exe
		2184	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
		2248	schtasks.exe
		2752	schtasks.exe
File created	C:\Program Files\Windows Sidebar\20760e1e75d844		e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
		1692	schtasks.exe
		2108	schtasks.exe
		2364	schtasks.exe
		1480	schtasks.exe
		1684	schtasks.exe
		2716	schtasks.exe
		2964	schtasks.exe
		1636	schtasks.exe
		1940	schtasks.exe
		3068	schtasks.exe
		756	schtasks.exe
		2424	schtasks.exe
		1792	schtasks.exe
		2628	schtasks.exe
		2132	schtasks.exe
		1380	schtasks.exe
		1584	schtasks.exe
		3008	schtasks.exe
		880	schtasks.exe
		548	schtasks.exe
		3028	schtasks.exe
		288	schtasks.exe
		1312	schtasks.exe
		2512	schtasks.exe
File created	C:\Windows\Migration\WTR\42af1c969fbb7b		e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
		2868	schtasks.exe
		928	schtasks.exe
		2120	schtasks.exe
		1508	schtasks.exe
		1472	schtasks.exe
		1932	schtasks.exe
		2556	schtasks.exe
		2256	schtasks.exe
		1504	schtasks.exe
File created	C:\Windows\Logs\CBS\6cb0b6c459d5d3		e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
		984	schtasks.exe
		2600	schtasks.exe
File created	C:\Program Files\Google\Chrome\886983d96e3d3e		e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
		2276	schtasks.exe
		2896	schtasks.exe
		2512	schtasks.exe
		2532	schtasks.exe
		668	schtasks.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\101b941d020240		e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
		2856	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2744	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1984-3-0x000000001B480000-0x000000001B5AE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe
2716	powershell.exe
1996	powershell.exe
2664	powershell.exe
1772	powershell.exe
3028	powershell.exe
2164	powershell.exe
2980	powershell.exe
1980	powershell.exe
2088	powershell.exe
1472	powershell.exe
2012	powershell.exe
2424	powershell.exe
2628	powershell.exe
1700	powershell.exe
2824	powershell.exe
2916	powershell.exe
2760	powershell.exe
2456	powershell.exe
2768	powershell.exe
2372	powershell.exe
2632	powershell.exe
1920	powershell.exe
2584	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
1492	csrss.exe
2904	csrss.exe
1324	csrss.exe
2268	csrss.exe
2220	csrss.exe
1196	csrss.exe
2580	csrss.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\dwm.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\6cb0b6c459d5d3	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\explorer.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\dwm.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files\Google\Chrome\886983d96e3d3e	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6203df4a6bafc7	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXAA01.tmp	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files\Windows Sidebar\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\7a0fd90576e088	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\1610b97d3ab4a7	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files\7-Zip\Lang\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\24dbde2999530e	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\101b941d020240	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files\7-Zip\Lang\20760e1e75d844	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\explorer.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\lsm.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files\Google\Chrome\csrss.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files\Windows Sidebar\20760e1e75d844	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files\Google\Chrome\RCXA31C.tmp	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files\Google\Chrome\csrss.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXAEE3.tmp	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files\Windows NT\TableTextService\5940a34987c991	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\lsm.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\dllhost.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files\Windows Sidebar\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCX9C93.tmp	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Program Files\Windows NT\TableTextService\dllhost.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\tracing\b75386f1303e64	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\Logs\CBS\dwm.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\Migration\WTR\42af1c969fbb7b	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Windows\Migration\WTR\audiodg.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\Downloaded Program Files\7a0fd90576e088	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\twain_32\audiodg.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\twain_32\42af1c969fbb7b	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\tracing\taskhost.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Windows\twain_32\audiodg.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\Logs\CBS\6cb0b6c459d5d3	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXAC72.tmp	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\Migration\WTR\audiodg.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Windows\Logs\CBS\RCXA118.tmp	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Windows\Logs\CBS\dwm.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Windows\Vss\Writers\System\spoolsv.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Windows\Migration\WTR\RCXB627.tmp	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\Vss\Writers\System\spoolsv.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\Vss\Writers\System\f3b6ecef712a24	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\CSC\v2.0.6\smss.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File created	C:\Windows\Downloaded Program Files\explorer.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Windows\Downloaded Program Files\explorer.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
File opened for modification	C:\Windows\tracing\taskhost.exe	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
928	schtasks.exe
2184	schtasks.exe
3020	schtasks.exe
2868	schtasks.exe
2920	schtasks.exe
3028	schtasks.exe
2896	schtasks.exe
2248	schtasks.exe
900	schtasks.exe
1512	schtasks.exe
292	schtasks.exe
1044	schtasks.exe
1792	schtasks.exe
740	schtasks.exe
2512	schtasks.exe
2736	schtasks.exe
2296	schtasks.exe
1600	schtasks.exe
1700	schtasks.exe
2752	schtasks.exe
2644	schtasks.exe
1504	schtasks.exe
288	schtasks.exe
2928	schtasks.exe
1332	schtasks.exe
2356	schtasks.exe
532	schtasks.exe
1892	schtasks.exe
2132	schtasks.exe
1940	schtasks.exe
1312	schtasks.exe
1520	schtasks.exe
2120	schtasks.exe
1768	schtasks.exe
2952	schtasks.exe
1684	schtasks.exe
828	schtasks.exe
1836	schtasks.exe
1432	schtasks.exe
2120	schtasks.exe
2856	schtasks.exe
2628	schtasks.exe
2964	schtasks.exe
2232	schtasks.exe
2376	schtasks.exe
1636	schtasks.exe
300	schtasks.exe
3056	schtasks.exe
1692	schtasks.exe
1508	schtasks.exe
2296	schtasks.exe
1472	schtasks.exe
2540	schtasks.exe
2256	schtasks.exe
340	schtasks.exe
2716	schtasks.exe
2364	schtasks.exe
2000	schtasks.exe
2276	schtasks.exe
2576	schtasks.exe
2512	schtasks.exe
540	schtasks.exe
2108	schtasks.exe
1932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
3028	powershell.exe
1772	powershell.exe
2648	powershell.exe
2916	powershell.exe
2664	powershell.exe
2012	powershell.exe
2716	powershell.exe
2628	powershell.exe
1996	powershell.exe
2824	powershell.exe
1700	powershell.exe
2424	powershell.exe
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
2584	powershell.exe
1920	powershell.exe
2632	powershell.exe
2164	powershell.exe
1980	powershell.exe
2456	powershell.exe
2372	powershell.exe
2980	powershell.exe
2088	powershell.exe
2760	powershell.exe
1472	powershell.exe
2768	powershell.exe
1492	csrss.exe
2904	csrss.exe
1324	csrss.exe
2268	csrss.exe
2220	csrss.exe
1196	csrss.exe
2580	csrss.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1492	csrss.exe
Token: SeDebugPrivilege	2904	csrss.exe
Token: SeDebugPrivilege	1324	csrss.exe
Token: SeDebugPrivilege	2268	csrss.exe
Token: SeDebugPrivilege	2220	csrss.exe
Token: SeDebugPrivilege	1196	csrss.exe
Token: SeDebugPrivilege	2580	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2648	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	79
PID 1984 wrote to memory of 2648	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	79
PID 1984 wrote to memory of 2648	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	79
PID 1984 wrote to memory of 3028	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	80
PID 1984 wrote to memory of 3028	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	80
PID 1984 wrote to memory of 3028	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	80
PID 1984 wrote to memory of 1700	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	81
PID 1984 wrote to memory of 1700	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	81
PID 1984 wrote to memory of 1700	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	81
PID 1984 wrote to memory of 1772	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	83
PID 1984 wrote to memory of 1772	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	83
PID 1984 wrote to memory of 1772	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	83
PID 1984 wrote to memory of 2664	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	85
PID 1984 wrote to memory of 2664	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	85
PID 1984 wrote to memory of 2664	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	85
PID 1984 wrote to memory of 1996	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	86
PID 1984 wrote to memory of 1996	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	86
PID 1984 wrote to memory of 1996	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	86
PID 1984 wrote to memory of 2716	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	87
PID 1984 wrote to memory of 2716	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	87
PID 1984 wrote to memory of 2716	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	87
PID 1984 wrote to memory of 2628	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	88
PID 1984 wrote to memory of 2628	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	88
PID 1984 wrote to memory of 2628	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	88
PID 1984 wrote to memory of 2424	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	89
PID 1984 wrote to memory of 2424	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	89
PID 1984 wrote to memory of 2424	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	89
PID 1984 wrote to memory of 2916	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	90
PID 1984 wrote to memory of 2916	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	90
PID 1984 wrote to memory of 2916	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	90
PID 1984 wrote to memory of 2012	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	91
PID 1984 wrote to memory of 2012	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	91
PID 1984 wrote to memory of 2012	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	91
PID 1984 wrote to memory of 2824	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	92
PID 1984 wrote to memory of 2824	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	92
PID 1984 wrote to memory of 2824	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	92
PID 1984 wrote to memory of 2968	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	103
PID 1984 wrote to memory of 2968	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	103
PID 1984 wrote to memory of 2968	1984	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	103
PID 2968 wrote to memory of 1856	2968	cmd.exe	105
PID 2968 wrote to memory of 1856	2968	cmd.exe	105
PID 2968 wrote to memory of 1856	2968	cmd.exe	105
PID 2968 wrote to memory of 2700	2968	cmd.exe	107
PID 2968 wrote to memory of 2700	2968	cmd.exe	107
PID 2968 wrote to memory of 2700	2968	cmd.exe	107
PID 2700 wrote to memory of 2760	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	157
PID 2700 wrote to memory of 2760	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	157
PID 2700 wrote to memory of 2760	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	157
PID 2700 wrote to memory of 1920	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	158
PID 2700 wrote to memory of 1920	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	158
PID 2700 wrote to memory of 1920	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	158
PID 2700 wrote to memory of 2584	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	160
PID 2700 wrote to memory of 2584	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	160
PID 2700 wrote to memory of 2584	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	160
PID 2700 wrote to memory of 2164	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	162
PID 2700 wrote to memory of 2164	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	162
PID 2700 wrote to memory of 2164	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	162
PID 2700 wrote to memory of 2632	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	163
PID 2700 wrote to memory of 2632	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	163
PID 2700 wrote to memory of 2632	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	163
PID 2700 wrote to memory of 1472	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	165
PID 2700 wrote to memory of 1472	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	165
PID 2700 wrote to memory of 1472	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	165
PID 2700 wrote to memory of 2088	2700	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe	166

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
"C:\Users\Admin\AppData\Local\Temp\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eiSKMyn5o9.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1856
- - C:\Users\Admin\AppData\Local\Temp\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2980
  - - C:\Users\Default User\csrss.exe
      "C:\Users\Default User\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:1492
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c7b6872-a4d6-4d9a-9d23-09aaffa991b6.vbs"
        5⤵
        
        PID:2024
      - C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e038d59c-fef9-4dac-b123-ba80eeffa0b4.vbs"
        7⤵
        
        PID:2684
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f2f28e0-c818-49df-ba76-8587d4a6e6db.vbs"
        9⤵
        
        PID:2640
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc46619d-510c-4f54-b36c-35f795fa94db.vbs"
        11⤵
        
        PID:2532
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dbb147f-5f6e-4fed-802d-52fd6fec35c9.vbs"
        13⤵
        
        PID:2060
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7de88139-3da1-4343-af9d-c443e02e6b65.vbs"
        15⤵
        
        PID:1848
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5adbbb50-f461-406f-bc77-68b1edcfee8b.vbs"
        17⤵
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\101ade58-72a1-4376-bb22-c8c9d2901024.vbs"
        17⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d700a490-8f71-4bee-bd59-77a86754f906.vbs"
        15⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae6ea2f2-d7f8-45cc-92c6-da20e2671454.vbs"
        13⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44eef6c3-6674-4d90-90e3-227db4461512.vbs"
        11⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d9a7046-9894-48b0-a25f-7d6f97024e5d.vbs"
        9⤵
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d8c6cd2-9da1-4f19-b8c1-6f75b0088fa6.vbs"
        7⤵
        
        PID:2056
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dc09171-b633-49fe-86ad-5607de313ebd.vbs"
        5⤵
        
        PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0Ne" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0Ne" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\CBS\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\CBS\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0Ne" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0Ne" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Application Data\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\audiodg.exe'" /f
1⤵
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\twain_32\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /f
1⤵
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
1⤵
- DcRat
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0Ne" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0Ne" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0N.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\tracing\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe

Filesize
4.9MB

MD5
683a123737b4660978ed9f0f47f595ce

SHA1
775b5d0a8fdd0ea65daf87ef698dfb0581da5c57

SHA256
7d4f6a4677047db010256e63863d6a52fe44291cf70474394cb2fc7d1f5b6f10

SHA512
22da445df52c6f4be11b56a81b52d8255c7fbd803f723f318153a92fd1a692ca9a371b3000fc7e8dfe5a0c2b957a73378f6703ba6881e1635d5b6e57c8b52d8b

Download Submit
C:\Program Files (x86)\Windows Mail\de-DE\lsm.exe

Filesize
4.9MB

MD5
c19d6e26d2bb9da6cfe5d93f0c7123c0

SHA1
4c7b1e4dd55956143de9bbdda2fb4b72792a2993

SHA256
e9f29aa8cb2cd0a51f1efa943e5d0fc1c49d39dec5e7dfd9c0d38612bc504cc0

SHA512
c4da5528b43be763d6ce388f5774bf2a131a75277dbab1623695652737c1d967690d569dd529da670e4fa3eb4651c423ec4e017d2bb34a2de27418c7b6adb50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dc09171-b633-49fe-86ad-5607de313ebd.vbs

Filesize
483B

MD5
ee3f7fad503b830248ccf3c95a1b9f3f

SHA1
45f09ff8ea800f48b5dec7da8f8f84539c43e10e

SHA256
0e8f263f8a50091c82aa89614b57da66a3d0c95519bd954a59b35440632cc77f

SHA512
a5e574c74b6b38e036c92975cc313602806e15b95f7e88409c4fc00c849a3ba9e928097f90dd5369402a7d3820d88efdb6b54a1579141ee5526d1c634c131523

Download Submit
C:\Users\Admin\AppData\Local\Temp\5adbbb50-f461-406f-bc77-68b1edcfee8b.vbs

Filesize
707B

MD5
578cbc9a950c4e862b7f61ab417cbd41

SHA1
68bf3d5dd499964cdfb5edc0d26ff75f7771b55c

SHA256
2bbf31872c6b5685c8f7c78385c9a31bb4b2b5d55b36747ac12dc08f1af2b5e1

SHA512
f43fd12f00fb32f9f7125db0a1b85c611d05cbc500c878c16ef1e0c14735d7048b2dda667df1ad67d3ff096c2941b8c772053c810448d2d2ad2d330c3f7a0091

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c7b6872-a4d6-4d9a-9d23-09aaffa991b6.vbs

Filesize
707B

MD5
ae4fe73e0a5d28e3a4750a62eab27b4c

SHA1
a42fb56d3a79e4db32683af22ad922c834807c9f

SHA256
4de957b75a18827af7c35646eaffd2f26c578c669c0c7797b068945066b53f2c

SHA512
849e2485d8a953701794d521b9b7a47ff95ed759612e90942cf53fe16058371a9c5498b2117b8707dba978e6fb60ed8de31760dba96243f96114f3e4badbca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7de88139-3da1-4343-af9d-c443e02e6b65.vbs

Filesize
707B

MD5
eaf3867fbf08a3f3dc9f21a802ce688f

SHA1
02752e5d39826f6edb0884c8adf0b875ce56bcb3

SHA256
579595ce9ae6a4d5e995f6588b7a77b32071d7ec810bb0fb6ba81c3ba93772f9

SHA512
3be7063b3ab16647b7bd0d538488bc00938a60e4a61b514f9594d2734e14c69f0176c9aedea6c20f0d00bd85a8a32ad0fb75011fb57fc1a5afa01737f0d98359

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f2f28e0-c818-49df-ba76-8587d4a6e6db.vbs

Filesize
707B

MD5
5c1d899bb3a06b6dd1c1d02c65e908b9

SHA1
a14e9363f636643bf4c305f89dc4a78f200aa107

SHA256
d433e851df377427a0fe4274c178abb3effd4c3ef4f16a6b1bf641c3ac362681

SHA512
8a58dd00a58a479b21402b7961faf77dc160197c0cbae50371fea198f721deb65e28b4e73ce1334c6f15da9ec294cc19f826ab65127820e70fd91798d9253a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dbb147f-5f6e-4fed-802d-52fd6fec35c9.vbs

Filesize
707B

MD5
32b10cbe70a5ecdd3be3f9357e54f852

SHA1
1f68694517cef086a5a98f55518e38804ebe1b68

SHA256
a229b3f459dc0013b9c34b5eca9edd1020bcca0b6286ea579f74aa0fc1619998

SHA512
cfd76874ea9d06345dea6de905b2ca9e9b082cad31241ec9b710c2bf8837953a03e6f5c0a5a0da2d732bfac1dc6bd2d1dffd18441cee623a910edb6069e3c7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e038d59c-fef9-4dac-b123-ba80eeffa0b4.vbs

Filesize
707B

MD5
76a000f04ec3affa0feedc922c82232c

SHA1
624518dc3cde8604b0e462650863b9d374a3f284

SHA256
dbf7e6305da53a59b9238adf3d3895ea62e295edc3aa06fb1dd4b42e221b4272

SHA512
9077edb5aa44880078db9018fc4beaa1326566c90b7b867d5e476cca2289f4a8df0e338f807ec607a51c418cbe143875d69eef4d7aad7fff88ed7c19b26e0d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiSKMyn5o9.bat

Filesize
268B

MD5
66c5e916d78511011d1313d4c34f6b3c

SHA1
0689c3b8d56bafcccce27c4b111ffc17406b4b9d

SHA256
294d8bb3877113829ab23f89fc0cac886ccfd2db21e1fa56e2f55ffd34a7e469

SHA512
8d7f4ad85831dee4e66e2bb8013ae30f5b89a9b7b4761c98f0e813a2178c9d1239d8776639d5339dd8d5a3362a22ff907f437e5f7383f6b8028cc3c3af247264

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc46619d-510c-4f54-b36c-35f795fa94db.vbs

Filesize
707B

MD5
fe123cdbbc9d0bfa5785cb53a0eb43e7

SHA1
3ec25a49cda77e60e5c74db3b80802febb2be820

SHA256
9d94588ed78089f9435c54062124b99cc140ba971e8a51a544267a8394b6fa05

SHA512
cc6900d969e1e6f540e810d75f90764ced6390da8e92a9df5f18d9201ee438b65978c4eb8a4112b1ae3a02332e37b79448fc4179e7cb938e852648989d36f7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDEDA.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
995526479ab146da68e1e2c6771f436a

SHA1
08afedc1bc88361f48ccd0b31297682f4b5bd73c

SHA256
ed472e6eef3818de4f80ef8b15e61d95f0054c9e67d5b51364161da95fbb1b0d

SHA512
2f8cf7dc0f20e47eb19759e7cae07ec5886b44603383ead2fedab006c958487e337b0b67c6344323a138a8597a19a1bc28d3077df8b5ea12a8ee971dda13e02a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
da722c3e02944e005b01d37043e9dbc7

SHA1
481be0d8f5def4e67fb75fc334054b5d532e0b9a

SHA256
168b70fd8d0b614f1284200eb7c76c1a148b688cc8de2f0a6514fe69d75d9dec

SHA512
6cdd85bc16800c0809fd89bc3d005886bfc6002f1fb67f4d09fa70e6dd0f82515d1dff3a7c3377f627c3d0dfc28c77a4f04af31a27d6e58343b8939011262baf

Download Submit
memory/1196-441-0x0000000001140000-0x0000000001634000-memory.dmp

Filesize
5.0MB

Download
memory/1324-396-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/1324-395-0x00000000002A0000-0x0000000000794000-memory.dmp

Filesize
5.0MB

Download
memory/1492-310-0x00000000011C0000-0x00000000016B4000-memory.dmp

Filesize
5.0MB

Download
memory/1984-6-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/1984-4-0x0000000000A40000-0x0000000000A5C000-memory.dmp

Filesize
112KB

Download
memory/1984-1-0x0000000000BC0000-0x00000000010B4000-memory.dmp

Filesize
5.0MB

Download
memory/1984-166-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-8-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/1984-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-14-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/1984-10-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/1984-3-0x000000001B480000-0x000000001B5AE000-memory.dmp

Filesize
1.2MB

Download
memory/1984-15-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/1984-9-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/1984-7-0x0000000000A80000-0x0000000000A96000-memory.dmp

Filesize
88KB

Download
memory/1984-146-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-12-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/1984-11-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/1984-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/1984-13-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/1984-133-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/1984-5-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/1984-16-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/2268-411-0x0000000000E70000-0x0000000001364000-memory.dmp

Filesize
5.0MB

Download
memory/2268-412-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2584-309-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2584-311-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2664-187-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2700-231-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2700-230-0x00000000002E0000-0x00000000007D4000-memory.dmp

Filesize
5.0MB

Download
memory/2904-380-0x0000000000390000-0x0000000000884000-memory.dmp

Filesize
5.0MB

Download
memory/3028-188-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download