dcrat | e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Size

4.9MB
MD5

7f124e1fb3980bc3871284f7baed824c
SHA1

7f0ab3d0a1ae21c5dd3a737055ddd5c67093d252
SHA256

e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2
SHA512

2d7f6197e317e91b5a7c07c5cbe0ae1964a955f88a0d4d5cec76111474c9aaaddd692b4555d1beec9061c00d1c13ccf92e1f4d3db26a06672997028e155c8f49
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exee60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		3048	schtasks.exe
		2888	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
		2448	schtasks.exe
		1128	schtasks.exe
		2232	schtasks.exe
		1600	schtasks.exe
		2456	schtasks.exe
		1700	schtasks.exe
		1156	schtasks.exe
		1736	schtasks.exe
		2028	schtasks.exe
		2712	schtasks.exe
		476	schtasks.exe
		2116	schtasks.exe
		2488	schtasks.exe
		1032	schtasks.exe
		1544	schtasks.exe
		2996	schtasks.exe
File created	C:\Program Files\Windows Portable Devices\101b941d020240		e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
		2772	schtasks.exe
		1796	schtasks.exe
		2160	schtasks.exe
		2120	schtasks.exe
		2728	schtasks.exe
		2036	schtasks.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\886983d96e3d3e		e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
		1360	schtasks.exe
		2644	schtasks.exe
		2856	schtasks.exe
		3008	schtasks.exe
		2296	schtasks.exe
File created	C:\Windows\PolicyDefinitions\it-IT\24dbde2999530e		e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
		3000	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\6cb0b6c459d5d3		e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
		2132	schtasks.exe
		620	schtasks.exe
		2544	schtasks.exe
		1816	schtasks.exe
		1752	schtasks.exe
		824	schtasks.exe
		2716	schtasks.exe
		3068	schtasks.exe
		2916	schtasks.exe
		3036	schtasks.exe
		2468	schtasks.exe
		1552	schtasks.exe
		2440	schtasks.exe
		1240	schtasks.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc		e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
		548	schtasks.exe
		2224	schtasks.exe
		824	schtasks.exe
		944	schtasks.exe
		2632	schtasks.exe
File created	C:\Program Files\Windows Mail\de-DE\75a57c1bdf437c		e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
		1928	schtasks.exe
		1640	schtasks.exe
		2308	schtasks.exe
		2128	schtasks.exe
		2968	schtasks.exe
		2688	schtasks.exe
		2916	schtasks.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\5940a34987c991		e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2976	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2976	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exelsm.exee60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exelsm.exelsm.exelsm.exelsm.exee60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2100-3-0x000000001AD20000-0x000000001AE4E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2236	powershell.exe
1680	powershell.exe
628	powershell.exe
2736	powershell.exe
316	powershell.exe
2824	powershell.exe
1940	powershell.exe
336	powershell.exe
1320	powershell.exe
1648	powershell.exe
1188	powershell.exe
2004	powershell.exe
2844	powershell.exe
2152	powershell.exe
860	powershell.exe
1320	powershell.exe
2896	powershell.exe
2024	powershell.exe
2036	powershell.exe
1580	powershell.exe
832	powershell.exe
2036	powershell.exe
832	powershell.exe
2888	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	Process
1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
2304	lsm.exe
2132	lsm.exe
2224	lsm.exe
1508	lsm.exe
1760	lsm.exe
2908	lsm.exe
2128	lsm.exe
1856	lsm.exe
1840	lsm.exe
2672	lsm.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsm.exee60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exee60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe

Drops file in Program Files directory 41 IoCs

Processes:

e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exee60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe

description	ioc	Process
File created	C:\Program Files\Google\101b941d020240	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX23.tmp	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\088424020bedd6	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\csrss.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Idle.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\RCXF0B2.tmp	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsm.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files\Google\lsm.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\csrss.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files\Windows Mail\de-DE\WMIADAP.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\dllhost.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\WMIADAP.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dwm.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXE0C3.tmp	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\explorer.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\explorer.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files\Windows Mail\de-DE\75a57c1bdf437c	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files\Windows Portable Devices\101b941d020240	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\dllhost.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXFBAF.tmp	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dwm.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\7a0fd90576e088	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\csrss.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\5940a34987c991	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files (x86)\Adobe\Idle.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files (x86)\Adobe\6ccacd8608530f	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXF323.tmp	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files\Google\lsm.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\886983d96e3d3e	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files\Windows Portable Devices\lsm.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\6cb0b6c459d5d3	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\RCXE334.tmp	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXE538.tmp	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe

Drops file in Windows directory 7 IoCs

Processes:

e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exee60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\886983d96e3d3e	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Windows\PolicyDefinitions\it-IT\WmiPrvSE.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Windows\PolicyDefinitions\it-IT\24dbde2999530e	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\RCXE73C.tmp	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\WmiPrvSE.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File created	C:\Windows\DigitalLocker\en-US\csrss.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\csrss.exe	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2136	schtasks.exe
1544	schtasks.exe
2688	schtasks.exe
1668	schtasks.exe
2472	schtasks.exe
1600	schtasks.exe
2516	schtasks.exe
824	schtasks.exe
2028	schtasks.exe
2224	schtasks.exe
1128	schtasks.exe
2392	schtasks.exe
1816	schtasks.exe
2712	schtasks.exe
2448	schtasks.exe
1868	schtasks.exe
3008	schtasks.exe
2844	schtasks.exe
2116	schtasks.exe
2128	schtasks.exe
3036	schtasks.exe
408	schtasks.exe
3068	schtasks.exe
476	schtasks.exe
620	schtasks.exe
1700	schtasks.exe
2468	schtasks.exe
2232	schtasks.exe
2632	schtasks.exe
2036	schtasks.exe
944	schtasks.exe
1820	schtasks.exe
2544	schtasks.exe
2968	schtasks.exe
2488	schtasks.exe
3000	schtasks.exe
2728	schtasks.exe
1640	schtasks.exe
1552	schtasks.exe
2080	schtasks.exe
1664	schtasks.exe
2716	schtasks.exe
2856	schtasks.exe
1788	schtasks.exe
3048	schtasks.exe
2440	schtasks.exe
2456	schtasks.exe
2772	schtasks.exe
1712	schtasks.exe
972	schtasks.exe
884	schtasks.exe
2644	schtasks.exe
1132	schtasks.exe
1752	schtasks.exe
1156	schtasks.exe
2120	schtasks.exe
1796	schtasks.exe
1360	schtasks.exe
1736	schtasks.exe
864	schtasks.exe
1240	schtasks.exe
2996	schtasks.exe
2916	schtasks.exe
2964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exee60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	Process
2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
336	powershell.exe
832	powershell.exe
2036	powershell.exe
2236	powershell.exe
1320	powershell.exe
860	powershell.exe
1940	powershell.exe
2896	powershell.exe
2824	powershell.exe
1680	powershell.exe
2024	powershell.exe
1580	powershell.exe
1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
2036	powershell.exe
1188	powershell.exe
2152	powershell.exe
316	powershell.exe
628	powershell.exe
2736	powershell.exe
2004	powershell.exe
832	powershell.exe
1648	powershell.exe
2888	powershell.exe
1320	powershell.exe
2844	powershell.exe
2304	lsm.exe
2132	lsm.exe
2224	lsm.exe
1508	lsm.exe
1760	lsm.exe
2908	lsm.exe
2128	lsm.exe
1856	lsm.exe
1840	lsm.exe
2672	lsm.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2304	lsm.exe
Token: SeDebugPrivilege	2132	lsm.exe
Token: SeDebugPrivilege	2224	lsm.exe
Token: SeDebugPrivilege	1508	lsm.exe
Token: SeDebugPrivilege	1760	lsm.exe
Token: SeDebugPrivilege	2908	lsm.exe
Token: SeDebugPrivilege	2128	lsm.exe
Token: SeDebugPrivilege	1856	lsm.exe
Token: SeDebugPrivilege	1840	lsm.exe
Token: SeDebugPrivilege	2672	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exee60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe

description	pid	Process	procid_target
PID 2100 wrote to memory of 2896	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	86
PID 2100 wrote to memory of 2896	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	86
PID 2100 wrote to memory of 2896	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	86
PID 2100 wrote to memory of 2824	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	87
PID 2100 wrote to memory of 2824	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	87
PID 2100 wrote to memory of 2824	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	87
PID 2100 wrote to memory of 1320	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	88
PID 2100 wrote to memory of 1320	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	88
PID 2100 wrote to memory of 1320	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	88
PID 2100 wrote to memory of 1940	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	90
PID 2100 wrote to memory of 1940	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	90
PID 2100 wrote to memory of 1940	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	90
PID 2100 wrote to memory of 2236	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	92
PID 2100 wrote to memory of 2236	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	92
PID 2100 wrote to memory of 2236	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	92
PID 2100 wrote to memory of 832	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	93
PID 2100 wrote to memory of 832	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	93
PID 2100 wrote to memory of 832	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	93
PID 2100 wrote to memory of 1580	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	94
PID 2100 wrote to memory of 1580	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	94
PID 2100 wrote to memory of 1580	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	94
PID 2100 wrote to memory of 1680	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	95
PID 2100 wrote to memory of 1680	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	95
PID 2100 wrote to memory of 1680	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	95
PID 2100 wrote to memory of 336	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	96
PID 2100 wrote to memory of 336	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	96
PID 2100 wrote to memory of 336	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	96
PID 2100 wrote to memory of 2036	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	97
PID 2100 wrote to memory of 2036	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	97
PID 2100 wrote to memory of 2036	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	97
PID 2100 wrote to memory of 860	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	98
PID 2100 wrote to memory of 860	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	98
PID 2100 wrote to memory of 860	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	98
PID 2100 wrote to memory of 2024	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	99
PID 2100 wrote to memory of 2024	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	99
PID 2100 wrote to memory of 2024	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	99
PID 2100 wrote to memory of 1760	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	110
PID 2100 wrote to memory of 1760	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	110
PID 2100 wrote to memory of 1760	2100	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	110
PID 1760 wrote to memory of 1648	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	135
PID 1760 wrote to memory of 1648	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	135
PID 1760 wrote to memory of 1648	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	135
PID 1760 wrote to memory of 2036	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	136
PID 1760 wrote to memory of 2036	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	136
PID 1760 wrote to memory of 2036	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	136
PID 1760 wrote to memory of 2152	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	137
PID 1760 wrote to memory of 2152	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	137
PID 1760 wrote to memory of 2152	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	137
PID 1760 wrote to memory of 2888	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	138
PID 1760 wrote to memory of 2888	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	138
PID 1760 wrote to memory of 2888	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	138
PID 1760 wrote to memory of 832	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	140
PID 1760 wrote to memory of 832	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	140
PID 1760 wrote to memory of 832	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	140
PID 1760 wrote to memory of 2844	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	141
PID 1760 wrote to memory of 2844	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	141
PID 1760 wrote to memory of 2844	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	141
PID 1760 wrote to memory of 2736	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	142
PID 1760 wrote to memory of 2736	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	142
PID 1760 wrote to memory of 2736	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	142
PID 1760 wrote to memory of 316	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	144
PID 1760 wrote to memory of 316	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	144
PID 1760 wrote to memory of 316	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	144
PID 1760 wrote to memory of 1320	1760	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe	149

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exee60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
"C:\Users\Admin\AppData\Local\Temp\e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe
  "C:\Users\Admin\AppData\Local\Temp\e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- - C:\Program Files\Google\lsm.exe
    "C:\Program Files\Google\lsm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2304
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d01e712-20e2-4d80-aad7-b5c146d32053.vbs"
      4⤵
      PID:1028
    - - C:\Program Files\Google\lsm.exe
        
        "C:\Program Files\Google\lsm.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2132
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60b7d892-fedc-4d87-9b7f-94ae706c49cc.vbs"
        6⤵
        
        PID:1416
        
        C:\Program Files\Google\lsm.exe
        
        "C:\Program Files\Google\lsm.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51f2774c-ca47-4219-a558-9e1a4442a97f.vbs"
        8⤵
        
        PID:1032
        
        C:\Program Files\Google\lsm.exe
        
        "C:\Program Files\Google\lsm.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78f89cb0-c984-414a-bf97-b834da596361.vbs"
        10⤵
        
        PID:2360
        
        C:\Program Files\Google\lsm.exe
        
        "C:\Program Files\Google\lsm.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c536287c-fddd-423a-b37a-470cc9d76c1b.vbs"
        12⤵
        
        PID:2268
        
        C:\Program Files\Google\lsm.exe
        
        "C:\Program Files\Google\lsm.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c9a59b2-086d-4f75-8c14-870e2b4d1e2e.vbs"
        14⤵
        
        PID:2544
        
        C:\Program Files\Google\lsm.exe
        
        "C:\Program Files\Google\lsm.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\480cec63-d76f-4428-9e44-951498defd68.vbs"
        16⤵
        
        PID:1308
        
        C:\Program Files\Google\lsm.exe
        
        "C:\Program Files\Google\lsm.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2253dd0b-618f-4ddf-9ecc-1969c3e431a2.vbs"
        18⤵
        
        PID:2848
        
        C:\Program Files\Google\lsm.exe
        
        "C:\Program Files\Google\lsm.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7594f0fa-cfa9-45bb-9a06-52f3d97db9aa.vbs"
        20⤵
        
        PID:2284
        
        C:\Program Files\Google\lsm.exe
        
        "C:\Program Files\Google\lsm.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\713f90b2-344d-4b64-b1c6-44d94b824e75.vbs"
        22⤵
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\721f2614-3017-482b-8cde-6035a3d812a8.vbs"
        22⤵
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27476d7a-1fcf-4623-abd7-98b1e6c8f7f4.vbs"
        20⤵
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3abcdf5f-19f7-4f85-a3f0-630c577f9921.vbs"
        18⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1367e1ce-96fb-4565-adc0-bcf6c85c4fb9.vbs"
        16⤵
        
        PID:676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\077ada96-b67d-4ef1-9ab9-f0ca26003f6f.vbs"
        14⤵
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e076e78-47f8-46cd-aa2e-1dc3fed4a24f.vbs"
        12⤵
        
        PID:1356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a518570-a64c-4f70-8e0c-5023e5cbc5f6.vbs"
        10⤵
        
        PID:476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd30cdb5-ab23-4356-a4ce-4c02908a2d67.vbs"
        8⤵
        
        PID:1164
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5bb3104-05da-4484-bca3-fbafa3c4d9ea.vbs"
        6⤵
        
        PID:2856
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\353907e3-d401-4d90-b24b-9ec4ff2cad7e.vbs"
      4⤵
      PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\SendTo\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\it-IT\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Pictures\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\de-DE\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Videos\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /f
1⤵
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\powershell.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\Favorites\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Favorites\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXF323.tmp

Filesize
4.9MB

MD5
77d18adf1527b6b942efbfe25ef8715c

SHA1
dd9c1fd27286239f88550398b56e694ce3a0e490

SHA256
0dca899faf3f5627fbdb965510617f58a710f633975a7555053ca63b77fd5f5d

SHA512
2eb0d8e63a42cfa4d56f2ad4a6524648d100c8e8ea4daf20ed8679e02d60ddf7fade61e129e813eb949195d95fb212d00437a35935f60c27a77d36b469bd95c6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\dllhost.exe

Filesize
4.9MB

MD5
7f124e1fb3980bc3871284f7baed824c

SHA1
7f0ab3d0a1ae21c5dd3a737055ddd5c67093d252

SHA256
e60e7930fbd9755486476e68fb25c9e90d050d53788b97aecb9b9492e47b57c2

SHA512
2d7f6197e317e91b5a7c07c5cbe0ae1964a955f88a0d4d5cec76111474c9aaaddd692b4555d1beec9061c00d1c13ccf92e1f4d3db26a06672997028e155c8f49

Download Submit
C:\Program Files\Mozilla Firefox\uninstall\csrss.exe

Filesize
4.9MB

MD5
80e0fa7fa736829804835f2fd3190ac9

SHA1
ec3561ef35ed2743ad0e7c7858c51b7c03313c6d

SHA256
84f8546a8b2a44c48fd98d835f7591e66a659ae6bb205ec3b38aa44722ed092b

SHA512
0d1d701b9d114caeea9651f83405c4de82fc659bf9d1ea6a720058df25a70f4c5a5a5a08f49b6ff757b316c8a8f9ed57efc6a24dd3559e35de6ac5b5b5ba19c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2253dd0b-618f-4ddf-9ecc-1969c3e431a2.vbs

Filesize
707B

MD5
efdb2c12289c606202d7a3f5813be253

SHA1
26fd00d5f1eef28864f0b2708b7de014f30380ae

SHA256
56b9c803399a21ac66e2511eef47ea28988b088ed9348bc08d12573c1f3f9f84

SHA512
d5c83e51225ffe1a9d801c11ebaf5b2d460cf9374fe894628e60dcd8acd5db4bb7dbcea0782bf4566de88c3b41e4baaa9fd69b1802f93aa8f015b8080572713f

Download Submit
C:\Users\Admin\AppData\Local\Temp\353907e3-d401-4d90-b24b-9ec4ff2cad7e.vbs

Filesize
483B

MD5
6b89aa3a13c111b0a2ab2b25e66ee98a

SHA1
b3da80d7a3db2a76cda4652cf5663221c923a208

SHA256
0b5f8d3e0a1c0fcca27c5a6c3c53794237325d8d1655e90b311ff41933bfb709

SHA512
6787c6f3a5bc635b290b132b775354893272342ec603f88c80c7d853977fb603b417692f63e33b5bbe7bfdf56132bae7dc9a57982db841c0def8acef6f4e1cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\480cec63-d76f-4428-9e44-951498defd68.vbs

Filesize
707B

MD5
7ccafe21045aa09643a2c6bdf509676f

SHA1
154a43451d04442b320e631318732f90d90f9d07

SHA256
8abe9bd4e5f4d73689eb1a4d2c670588a9fc0c5534bb5c8033e6533e402987d7

SHA512
5deed0d348bb1ef5a0ac40f82d8c00f194fdbbb6d3441228949be4893414e5611e26433660168a13a3d39f7d647acd586360a4ad4a57375f437da5e37a357b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c9a59b2-086d-4f75-8c14-870e2b4d1e2e.vbs

Filesize
707B

MD5
3e0547232954053919be7cf6d34d86d8

SHA1
e757bc0f9cb7ded966458aa15b11442212f349d5

SHA256
53aeda1f660525bb0a11dbfc3051fe3ec8cc23fa753b809524b92bfa029d319a

SHA512
66ac43cd35737d998ff77f9f2c21f6610ba95a42e39f8cfbace40dcf78a6bbbeb4fbe45e69e3cd83724e53e0d2bd02d3bcfd948f7260840afe747247bfdcf9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d01e712-20e2-4d80-aad7-b5c146d32053.vbs

Filesize
707B

MD5
36cee37218120c2bda88633092f66a0d

SHA1
58966746173adc38f563b4f70a45102212553a9e

SHA256
8117db9cb1e98f686030b717115fc3bdef083586a2a439df4d4e19ce233b9b96

SHA512
b9fdec21701d5424506459fa8c3d8c42339e452bbec6ca6df1cebaf4ae32ba01cc9bf0fe6b578f12d0a7306afe1d8a873b0a17154f6753a5d38582826b2b8669

Download Submit
C:\Users\Admin\AppData\Local\Temp\51f2774c-ca47-4219-a558-9e1a4442a97f.vbs

Filesize
707B

MD5
d473281a4f1030c4450b24f7ffd43bfa

SHA1
f85ed64c4c9752f0fbfba66a38f969e56ae6683f

SHA256
ed7289818c781e44ae1979cabf1ae4c69ed5f6dfa8abe1f84ad58eb8b4ebb262

SHA512
859c23cc9e4ecd8327e8b8881e1c785515f366b3ceff27531350c561c1e41d624fdbf9d3851e1a21dc604f98093855c8bea1e46e77e5b1385027547f24223b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\60b7d892-fedc-4d87-9b7f-94ae706c49cc.vbs

Filesize
707B

MD5
344306bdeadfe7a4e20ca5efb3f68dd0

SHA1
23aaeac13cf300c6d6bff8a970567e9153b23fcb

SHA256
06a05289c489b61f975dc20dd9fbe5308053dd8a932e7d1dbeb5d3331d2658a2

SHA512
4dc221a585563502912a0fb05eb3c6c151c36010317c751e1adca4dddcab87159aed87c64d1312c36e8ef8bebdc5b157e7c378b6f6fe965a865453ac41c49acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7594f0fa-cfa9-45bb-9a06-52f3d97db9aa.vbs

Filesize
707B

MD5
d9facb54963389a43049d42ec8dbb173

SHA1
f8596a4d3fa5c5ef7fec386f096ff6817cf009bc

SHA256
d5570b5e99513ce80c3986b1c683c908903fa6de0ec72225579544852c4db8a5

SHA512
60aba0cec8c5f67060a3b1830785783492586fcd26f2272dbe612955473bd427172cd19500abbdf830f0535d2583aab4045e297acfe49d3c71f93204b3485aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\78f89cb0-c984-414a-bf97-b834da596361.vbs

Filesize
707B

MD5
6b369733849d5ccbc4c45a3371d3969e

SHA1
2a331f0ea5c379f905c383f16cb4483e68bb562a

SHA256
e10ebceed9ef03292286e90f9d440274d7383af5e4211de5c50a30949b95d051

SHA512
de19f7e956117836e5fc2cf64800cc5da8e07d404638841e99a895b496a228dbc1bd938a4ceae2c17ca7adfc14cff403af891260501b7b446978569f0214457e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c536287c-fddd-423a-b37a-470cc9d76c1b.vbs

Filesize
707B

MD5
ba2c469c30a6c17546d9b6187d488aad

SHA1
3cd2b7407e8bab34046ef8f53e8fbed8e5d4d49c

SHA256
4a3dc4369f17452f1adab0a7401b2d04bd1b951d8e94046633118d3e7a048b9c

SHA512
e5e25846ecfe5c1cd5fc6cd9b4ac97fa87cd4e6fae4ddf2177651f8a3026e6ff3412ba9614e688f6bcbc8ee1b421c2344d062327f11e952035543cfb12db7d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp17E4.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bfbcbe854b38ea4d35457ef266139294

SHA1
f398a164d351e9c185ea94e7334264b68117da00

SHA256
f19415014873aad338dbe07cea262b7ac6eb0a4b961a8b5836631ef667a206e3

SHA512
e9f07702bb6ab665d3587be440e27dfc8e630489e1466df5f4543f984e823b57ca46ada6ec90d8c40cadf8ce5f987639170d49c09ceda81fe7154decfc82d820

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9d201eb00e71953b0c27d851ea472b0d

SHA1
96201f8ead26a76a05162c63b770217b2b1d0cee

SHA256
f7e8ba9921ca31f02f8b09fd454abdb74a69efe6787b744507fbb9320e5ce6dd

SHA512
28d7ebcbaaa81886aa502395397b878ebbfa56232c8ccb93044b640331f4b9ed346ac33469813895e21e8ef244742e5e52e01842579e75c1073a2764568e0722

Download Submit
C:\Users\Default\Pictures\WmiPrvSE.exe

Filesize
4.9MB

MD5
d9f14cba0234d688cfa66505625517da

SHA1
03431390bf042d3d44d2e331b7ddb8ab45b3d805

SHA256
5c868b491cb9f4b6f1883575849f144f20d9aea80610b3c1b60963bcb2c18fc9

SHA512
9b8bbb850f596b0b14fa63cde0f3e0a07228b131cf90b78c2b3cc2f9d1fe5b059be06fa702854bffd1aeca255637bdbc1acc0e22eb593a9bfe80e1f3862eef92

Download Submit
memory/336-217-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/336-184-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1188-294-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1508-388-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/1760-241-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2036-338-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2100-183-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-8-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2100-16-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/2100-13-0x00000000005D0000-0x00000000005DE000-memory.dmp

Filesize
56KB

Download
memory/2100-149-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-12-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/2100-11-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/2100-142-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x0000000000F90000-0x0000000001484000-memory.dmp

Filesize
5.0MB

Download
memory/2100-14-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2100-10-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2100-9-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2100-2-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

Filesize
4KB

Download
memory/2100-3-0x000000001AD20000-0x000000001AE4E000-memory.dmp

Filesize
1.2MB

Download
memory/2100-4-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2100-7-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2100-15-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2100-6-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2100-5-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/2132-357-0x0000000000B20000-0x0000000001014000-memory.dmp

Filesize
5.0MB

Download
memory/2224-373-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/2224-372-0x0000000000F20000-0x0000000001414000-memory.dmp

Filesize
5.0MB

Download
memory/2304-337-0x0000000000140000-0x0000000000634000-memory.dmp

Filesize
5.0MB

Download
memory/2672-474-0x0000000000270000-0x0000000000764000-memory.dmp

Filesize
5.0MB

Download
memory/2908-417-0x0000000001050000-0x0000000001544000-memory.dmp

Filesize
5.0MB

Download