dcrat | 078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

646A50D060AE1B649F0CA735AABF5744.exe
Size

3.6MB
MD5

646a50d060ae1b649f0ca735aabf5744
SHA1

a666932e153ef1d2c2463009e0df4de9bdf73322
SHA256

078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd
SHA512

0872641f90557c8ab8dd015b9486061b85a48ab7db06a74f6787ab87685f2bb6358eda822ba16757a7b6fc8fe1744a831ea76f47d6130225596a285bf9dd1f4c
SSDEEP

98304:EbRxeIaNRcgnk9MO32RzRpAH267w3adH2fte4I/Bu:E+IoREF32B67wuH2I5/M

Score

10^/10

dcrat discovery evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe646A50D060AE1B649F0CA735AABF5744.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		1344	schtasks.exe
		2400	schtasks.exe
		2924	schtasks.exe
		748	schtasks.exe
		444	schtasks.exe
		2380	schtasks.exe
		1528	schtasks.exe
		2740	schtasks.exe
		2500	schtasks.exe
		1564	schtasks.exe
		2568	schtasks.exe
		1544	schtasks.exe
		2776	schtasks.exe
		2164	schtasks.exe
		2284	schtasks.exe
		804	schtasks.exe
		2984	schtasks.exe
		1908	schtasks.exe
		2128	schtasks.exe
		1776	schtasks.exe
		948	schtasks.exe
		2696	schtasks.exe
		1532	schtasks.exe
		2004	schtasks.exe
		1796	schtasks.exe
		1852	schtasks.exe
		1392	schtasks.exe
		1196	schtasks.exe
		2896	schtasks.exe
		2016	schtasks.exe
		2132	schtasks.exe
		1880	schtasks.exe
		2564	schtasks.exe
		1356	schtasks.exe
		1748	schtasks.exe
		2948	schtasks.exe
		2576	schtasks.exe
		2372	schtasks.exe
		756	schtasks.exe
		2464	schtasks.exe
		2340	schtasks.exe
		2752	schtasks.exe
		2236	schtasks.exe
		2492	schtasks.exe
		2512	schtasks.exe
		2924	schtasks.exe
		1472	schtasks.exe
		1504	schtasks.exe
		284	schtasks.exe
		1700	schtasks.exe
		532	schtasks.exe
		2140	schtasks.exe
		1128	schtasks.exe
		676	schtasks.exe
		1556	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		646A50D060AE1B649F0CA735AABF5744.exe
		1596	schtasks.exe
		1656	schtasks.exe
		1736	schtasks.exe
		1828	schtasks.exe
		2668	schtasks.exe
		2160	schtasks.exe
		2424	schtasks.exe
		644	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 29 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

chainagent.exechainagent.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Users\\Admin\\Recent\\dwm.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Users\\Admin\\Recent\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Users\\Admin\\Recent\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\fontMonitor\\taskhost.exe\", \"C:\\fontMonitor\\Idle.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\audiodg.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Users\\Admin\\Recent\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\fontMonitor\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Users\\Admin\\Recent\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\fontMonitor\\taskhost.exe\", \"C:\\fontMonitor\\Idle.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\audiodg.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\fontMonitor\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Users\\Admin\\Recent\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\fontMonitor\\taskhost.exe\", \"C:\\fontMonitor\\Idle.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\audiodg.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Users\\Admin\\Recent\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\fontMonitor\\taskhost.exe\", \"C:\\fontMonitor\\Idle.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\audiodg.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\fontMonitor\\explorer.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Users\\Admin\\Recent\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\fontMonitor\\taskhost.exe\", \"C:\\fontMonitor\\Idle.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\audiodg.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\fontMonitor\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\taskhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\chainagent.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\smss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\System.exe\", \"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\", \"C:\\Windows\\L2Schemas\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\", \"C:\\Windows\\Fonts\\taskhost.exe\", \"C:\\Users\\Default\\Links\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\", \"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\", \"C:\\Windows\\it-IT\\taskhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\", \"C:\\Program Files (x86)\\Adobe\\lsm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Users\\Admin\\Recent\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\fontMonitor\\taskhost.exe\", \"C:\\fontMonitor\\Idle.exe\""	chainagent.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2300	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2300	schtasks.exe	34

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

chainagent.exechainagent.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chainagent.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016d18-9.dat	dcrat
behavioral1/memory/2756-13-0x0000000001340000-0x000000000169C000-memory.dmp	dcrat
behavioral1/memory/2652-351-0x0000000000050000-0x00000000003AC000-memory.dmp	dcrat
behavioral1/memory/1828-470-0x00000000010E0000-0x000000000143C000-memory.dmp	dcrat
behavioral1/memory/1488-590-0x00000000002A0000-0x00000000005FC000-memory.dmp	dcrat
behavioral1/memory/2844-709-0x0000000000ED0000-0x000000000122C000-memory.dmp	dcrat
behavioral1/memory/2084-829-0x00000000010A0000-0x00000000013FC000-memory.dmp	dcrat
behavioral1/memory/1012-1184-0x0000000000200000-0x000000000055C000-memory.dmp	dcrat
behavioral1/memory/1736-1304-0x0000000001240000-0x000000000159C000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

Processes:

chainagent.exechainagent.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
2756	chainagent.exe
1620	chainagent.exe
1608	csrss.exe
1468	csrss.exe
2652	csrss.exe
1828	csrss.exe
1488	csrss.exe
2844	csrss.exe
2084	csrss.exe
2444	csrss.exe
1784	csrss.exe
1012	csrss.exe
1736	csrss.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2352	cmd.exe
2352	cmd.exe

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

chainagent.exechainagent.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\fontMonitor\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Photo Viewer\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\chainagent = "\"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\chainagent.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Mozilla Firefox\\browser\\audiodg.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chainagent = "\"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\chainagent.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\Fonts\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\Recent\\dwm.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\Fonts\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\it-IT\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\it-IT\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Adobe\\lsm.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Photo Viewer\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Photo Viewer\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\L2Schemas\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\PolicyDefinitions\\it-IT\\lsm.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\fontMonitor\\Idle.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\fontMonitor\\explorer.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\de-DE\\winlogon.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\Recent\\dwm.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Mozilla Firefox\\browser\\audiodg.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\explorer.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Adobe\\lsm.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\fontMonitor\\Idle.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\fontMonitor\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\fontMonitor\\explorer.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\Links\\Idle.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\spoolsv.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\L2Schemas\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\Links\\Idle.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Portable Devices\\winlogon.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\services.exe\""	chainagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\taskhost.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Photo Viewer\\System.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\csrss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\smss.exe\""	chainagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\winlogon.exe\""	chainagent.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

chainagent.exechainagent.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chainagent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 24 IoCs

Processes:

chainagent.exechainagent.exe

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\smss.exe	chainagent.exe
File created	C:\Program Files (x86)\Windows Portable Devices\winlogon.exe	chainagent.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\9257bd4d9760cb	chainagent.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\spoolsv.exe	chainagent.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\f3b6ecef712a24	chainagent.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe	chainagent.exe
File created	C:\Program Files\Windows Photo Viewer\27d1bcfc3c54e0	chainagent.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\cc11b995f2a76d	chainagent.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\886983d96e3d3e	chainagent.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe	chainagent.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\69ddcba757bf72	chainagent.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\chainagent.exe	chainagent.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\886983d96e3d3e	chainagent.exe
File created	C:\Program Files (x86)\Adobe\lsm.exe	chainagent.exe
File created	C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d	chainagent.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc	chainagent.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\27d1bcfc3c54e0	chainagent.exe
File created	C:\Program Files\Mozilla Firefox\browser\42af1c969fbb7b	chainagent.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\System.exe	chainagent.exe
File created	C:\Program Files\Windows Photo Viewer\System.exe	chainagent.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe	chainagent.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe	chainagent.exe
File created	C:\Program Files (x86)\Adobe\101b941d020240	chainagent.exe
File created	C:\Program Files\Mozilla Firefox\browser\audiodg.exe	chainagent.exe

Drops file in Windows directory 11 IoCs

Processes:

chainagent.exechainagent.exe

description	ioc	Process
File created	C:\Windows\L2Schemas\smss.exe	chainagent.exe
File created	C:\Windows\L2Schemas\69ddcba757bf72	chainagent.exe
File created	C:\Windows\it-IT\taskhost.exe	chainagent.exe
File created	C:\Windows\CSC\v2.0.6\audiodg.exe	chainagent.exe
File created	C:\Windows\Fonts\b75386f1303e64	chainagent.exe
File created	C:\Windows\it-IT\b75386f1303e64	chainagent.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..nsettings.resources_31bf3856ad364e35_6.1.7600.16385_de-de_10ca8623c6937198\csrss.exe	chainagent.exe
File created	C:\Windows\PolicyDefinitions\it-IT\lsm.exe	chainagent.exe
File created	C:\Windows\PolicyDefinitions\it-IT\101b941d020240	chainagent.exe
File created	C:\Windows\Fonts\taskhost.exe	chainagent.exe
File opened for modification	C:\Windows\Fonts\taskhost.exe	chainagent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe646A50D060AE1B649F0CA735AABF5744.exeWScript.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	646A50D060AE1B649F0CA735AABF5744.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2512	schtasks.exe
284	schtasks.exe
676	schtasks.exe
1748	schtasks.exe
2492	schtasks.exe
1908	schtasks.exe
2284	schtasks.exe
2740	schtasks.exe
2236	schtasks.exe
1280	schtasks.exe
1952	schtasks.exe
872	schtasks.exe
1656	schtasks.exe
2132	schtasks.exe
1128	schtasks.exe
2896	schtasks.exe
1244	schtasks.exe
2464	schtasks.exe
2140	schtasks.exe
1512	schtasks.exe
2668	schtasks.exe
644	schtasks.exe
2924	schtasks.exe
1796	schtasks.exe
1392	schtasks.exe
2948	schtasks.exe
2164	schtasks.exe
1396	schtasks.exe
2012	schtasks.exe
444	schtasks.exe
2380	schtasks.exe
2984	schtasks.exe
1640	schtasks.exe
2564	schtasks.exe
2776	schtasks.exe
1104	schtasks.exe
2820	schtasks.exe
268	schtasks.exe
1880	schtasks.exe
2752	schtasks.exe
1544	schtasks.exe
1532	schtasks.exe
804	schtasks.exe
1596	schtasks.exe
2016	schtasks.exe
532	schtasks.exe
936	schtasks.exe
2128	schtasks.exe
2844	schtasks.exe
1356	schtasks.exe
1196	schtasks.exe
748	schtasks.exe
1700	schtasks.exe
2088	schtasks.exe
2568	schtasks.exe
1944	schtasks.exe
2400	schtasks.exe
2640	schtasks.exe
2632	schtasks.exe
2160	schtasks.exe
2372	schtasks.exe
1828	schtasks.exe
2340	schtasks.exe
1528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chainagent.exechainagent.execsrss.execsrss.exe

pid	Process
2756	chainagent.exe
2756	chainagent.exe
2756	chainagent.exe
2756	chainagent.exe
2756	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1620	chainagent.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1608	csrss.exe
1468	csrss.exe
1468	csrss.exe
1468	csrss.exe
1468	csrss.exe
1468	csrss.exe
1468	csrss.exe
1468	csrss.exe
1468	csrss.exe
1468	csrss.exe
1468	csrss.exe
1468	csrss.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

chainagent.exechainagent.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	2756	chainagent.exe
Token: SeDebugPrivilege	1620	chainagent.exe
Token: SeDebugPrivilege	1608	csrss.exe
Token: SeDebugPrivilege	1468	csrss.exe
Token: SeDebugPrivilege	2652	csrss.exe
Token: SeDebugPrivilege	1828	csrss.exe
Token: SeDebugPrivilege	1488	csrss.exe
Token: SeDebugPrivilege	2844	csrss.exe
Token: SeDebugPrivilege	2084	csrss.exe
Token: SeDebugPrivilege	2444	csrss.exe
Token: SeDebugPrivilege	1784	csrss.exe
Token: SeDebugPrivilege	1012	csrss.exe
Token: SeDebugPrivilege	1736	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

646A50D060AE1B649F0CA735AABF5744.exeWScript.execmd.exechainagent.exechainagent.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exe

description	pid	Process	procid_target
PID 1640 wrote to memory of 2060	1640	646A50D060AE1B649F0CA735AABF5744.exe	30
PID 1640 wrote to memory of 2060	1640	646A50D060AE1B649F0CA735AABF5744.exe	30
PID 1640 wrote to memory of 2060	1640	646A50D060AE1B649F0CA735AABF5744.exe	30
PID 1640 wrote to memory of 2060	1640	646A50D060AE1B649F0CA735AABF5744.exe	30
PID 2060 wrote to memory of 2352	2060	WScript.exe	31
PID 2060 wrote to memory of 2352	2060	WScript.exe	31
PID 2060 wrote to memory of 2352	2060	WScript.exe	31
PID 2060 wrote to memory of 2352	2060	WScript.exe	31
PID 2352 wrote to memory of 2756	2352	cmd.exe	33
PID 2352 wrote to memory of 2756	2352	cmd.exe	33
PID 2352 wrote to memory of 2756	2352	cmd.exe	33
PID 2352 wrote to memory of 2756	2352	cmd.exe	33
PID 2756 wrote to memory of 1620	2756	chainagent.exe	65
PID 2756 wrote to memory of 1620	2756	chainagent.exe	65
PID 2756 wrote to memory of 1620	2756	chainagent.exe	65
PID 1620 wrote to memory of 1608	1620	chainagent.exe	123
PID 1620 wrote to memory of 1608	1620	chainagent.exe	123
PID 1620 wrote to memory of 1608	1620	chainagent.exe	123
PID 1608 wrote to memory of 656	1608	csrss.exe	124
PID 1608 wrote to memory of 656	1608	csrss.exe	124
PID 1608 wrote to memory of 656	1608	csrss.exe	124
PID 1608 wrote to memory of 2816	1608	csrss.exe	125
PID 1608 wrote to memory of 2816	1608	csrss.exe	125
PID 1608 wrote to memory of 2816	1608	csrss.exe	125
PID 656 wrote to memory of 1468	656	WScript.exe	127
PID 656 wrote to memory of 1468	656	WScript.exe	127
PID 656 wrote to memory of 1468	656	WScript.exe	127
PID 1468 wrote to memory of 2324	1468	csrss.exe	128
PID 1468 wrote to memory of 2324	1468	csrss.exe	128
PID 1468 wrote to memory of 2324	1468	csrss.exe	128
PID 1468 wrote to memory of 1668	1468	csrss.exe	129
PID 1468 wrote to memory of 1668	1468	csrss.exe	129
PID 1468 wrote to memory of 1668	1468	csrss.exe	129
PID 2324 wrote to memory of 2652	2324	WScript.exe	130
PID 2324 wrote to memory of 2652	2324	WScript.exe	130
PID 2324 wrote to memory of 2652	2324	WScript.exe	130
PID 2652 wrote to memory of 1808	2652	csrss.exe	131
PID 2652 wrote to memory of 1808	2652	csrss.exe	131
PID 2652 wrote to memory of 1808	2652	csrss.exe	131
PID 2652 wrote to memory of 3064	2652	csrss.exe	132
PID 2652 wrote to memory of 3064	2652	csrss.exe	132
PID 2652 wrote to memory of 3064	2652	csrss.exe	132
PID 1808 wrote to memory of 1828	1808	WScript.exe	133
PID 1808 wrote to memory of 1828	1808	WScript.exe	133
PID 1808 wrote to memory of 1828	1808	WScript.exe	133
PID 1828 wrote to memory of 600	1828	csrss.exe	134
PID 1828 wrote to memory of 600	1828	csrss.exe	134
PID 1828 wrote to memory of 600	1828	csrss.exe	134
PID 1828 wrote to memory of 2540	1828	csrss.exe	135
PID 1828 wrote to memory of 2540	1828	csrss.exe	135
PID 1828 wrote to memory of 2540	1828	csrss.exe	135
PID 600 wrote to memory of 1488	600	WScript.exe	136
PID 600 wrote to memory of 1488	600	WScript.exe	136
PID 600 wrote to memory of 1488	600	WScript.exe	136
PID 1488 wrote to memory of 2284	1488	csrss.exe	137
PID 1488 wrote to memory of 2284	1488	csrss.exe	137
PID 1488 wrote to memory of 2284	1488	csrss.exe	137
PID 1488 wrote to memory of 2792	1488	csrss.exe	138
PID 1488 wrote to memory of 2792	1488	csrss.exe	138
PID 1488 wrote to memory of 2792	1488	csrss.exe	138
PID 2284 wrote to memory of 2844	2284	WScript.exe	139
PID 2284 wrote to memory of 2844	2284	WScript.exe	139
PID 2284 wrote to memory of 2844	2284	WScript.exe	139
PID 2844 wrote to memory of 268	2844	csrss.exe	140

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.exechainagent.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exechainagent.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	chainagent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\646A50D060AE1B649F0CA735AABF5744.exe
"C:\Users\Admin\AppData\Local\Temp\646A50D060AE1B649F0CA735AABF5744.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\fontMonitor\GFcBidplGj1mDhuTvzK8nh.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\fontMonitor\B6f2SnQ47.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\fontMonitor\chainagent.exe
      "C:\fontMonitor\chainagent.exe"
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2756
    - - C:\fontMonitor\chainagent.exe
        
        "C:\fontMonitor\chainagent.exe"
        5⤵
        Modifies WinLogon for persistence
        UAC bypass
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1620
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\573d88df-fbee-4e1a-b178-94defe651605.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d264708-fecf-4735-8a3b-3365576a9b44.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e44e4e8c-4e6f-4165-a516-1a55c6648e1e.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80250c2a-f815-42f5-9326-34a3c4e61b19.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb9696b6-458b-498c-985f-eaa0e1a41b7c.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\129ddd22-a040-47e8-9703-ba9d80ec6943.vbs"
        17⤵
        
        PID:268
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\652f3ec3-b1e5-4adc-90ca-1dd1bdf35a81.vbs"
        19⤵
        
        PID:2796
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b710f29-4dcb-4c10-bb9f-a0d373ad86bd.vbs"
        21⤵
        
        PID:2964
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59db4efd-b79f-47c6-acf3-e93833f8fdf1.vbs"
        23⤵
        
        PID:3048
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ca7257b-88b3-4d9e-adba-785d719dc61b.vbs"
        25⤵
        
        PID:1232
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe"
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afed1cc4-f532-4e9a-857b-a7daef91385d.vbs"
        27⤵
        
        PID:1132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61dfab41-32b6-4bbb-8d21-837b825cfde9.vbs"
        27⤵
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e417382a-795e-44e7-8aff-a2626c53316e.vbs"
        25⤵
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4600e9e8-b06c-4c3d-ba5d-031fd04aed22.vbs"
        23⤵
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f98016c-8048-4a3a-b2e9-bc88de2e7a51.vbs"
        21⤵
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b33ce88e-9ea4-42aa-b5a5-10c76dd31d13.vbs"
        19⤵
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf80b737-e41f-47b1-96db-0c6c1690e534.vbs"
        17⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbfa5505-758b-43e9-b050-cdea3b980661.vbs"
        15⤵
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2ac818a-07e0-4566-a0dd-f10d69653d17.vbs"
        13⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc2cbf40-7baf-420c-83b0-0b49dba83271.vbs"
        11⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c4aabea-79a6-4517-a67d-dd71a036fbab.vbs"
        9⤵
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8625e51-d382-463d-ae70-26aeafa1de33.vbs"
        7⤵
        
        PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\it-IT\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Fonts\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Links\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Mahjong\en-US\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Mahjong\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Recent\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Recent\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Recent\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\fontMonitor\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\fontMonitor\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\fontMonitor\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\fontMonitor\Idle.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\fontMonitor\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\fontMonitor\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\audiodg.exe'" /f
1⤵
- DcRat
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\fontMonitor\explorer.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\fontMonitor\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\fontMonitor\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\taskhost.exe'" /f
1⤵
- DcRat
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\taskhost.exe'" /rl HIGHEST /f
1⤵
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainagentc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\chainagent.exe'" /f
1⤵
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainagent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\chainagent.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainagentc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\chainagent.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\27d1bcfc3c54e0

Filesize
420B

MD5
d7673d95865f41327f48402c7c941b99

SHA1
f34d26ca887ee8a13bf2713ca0e47e478724d759

SHA256
f04a6dd5ce97a248ed89a7f351de558966bba7b90d075c5b066cae0e172319e2

SHA512
6e9eb1f085b1ac9c108ea97dfa8d1ffbff5c14db3e4b8dd43cead7c6be3d5c6b0282fc67c67bf4a415d0d86c0cf3ddec9c796f5b8d24ec4d9cedd6948b8e0a6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e435875de160a74f7bb9593f855bd1f1

SHA1
0fdcd18833673a7c337b04f576bcda0f8c8cec13

SHA256
d528dcb6b8cc359b6c42b4f5b654c7c35193d17c070eaca25413ef8e9f42b3da

SHA512
d4f79c58a7a1a845419ff11fa9038fa1c40c6584f5540a094a62ea05d55e2544e9d19ad83e85b5175a061a02bc838bebbb7b562331547867ff51c094b9761d3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b7476e7f7c6cf940111ff8321340259

SHA1
21c501c6a9e4a9619f27503b1b337a6083655826

SHA256
6d6bfc5a92f2d9ba1af52f141105e6d8b2e96fc3399df45f0dc45ba90d24b095

SHA512
cda4229822459fae89d07beab1e8c91f000c04773bbe9ccd0c40aab3e7cdfd94cf973389af2e6bf4f54b9c391ac113ae31409658bf95f35e103ba62ae2a45d90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a193672c073d0552c0a684053c32bb5f

SHA1
9f8d4ce6be3edbc7af3293e1f2b075268e625be7

SHA256
7e7cb65c9504142eed2bee802db5fef50d77b4fbbf792fc78efb31f62699d50a

SHA512
bd719591cfa06437f6bf79cca955d13809cd61d730a9f07ebec3c01228c9d326685750b95373ecc7a4976af1ee1a87aef007524b3cfc30cae793c3aea8e6a93e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ade866e4831b22df1953cd190c75bc98

SHA1
4e30810dfa8c3d08192f18d93a4020608f311ec2

SHA256
9511e2b21140f0e9f70bd5fd18b7dd0544f5f0733a0ea046c5882a80f8e95162

SHA512
23f83d0aac6800e257f0d5d4df215f9e3a4f4f61fdf614b6d6008071765bf7ae7df409268fdd52e216a2ea030d5d640196df09a24680785ffbf6514cffd9d9d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26b0d145f026a8b60edb2a6cba3f69bc

SHA1
1e6eed52116f6d068f083601eab6ac28dd382edc

SHA256
c08bd49929f89a1a003d8f5f9091d308565ba3549b5fcb16378343636b20858c

SHA512
2371906dd2142f0d890155e2f108f0dd9e4ddf5fa12d958906725fffb4cc4c73c8bc04f5433feeede31db7d4486c5e7b76f6a9a9f8f8384f6061d10f76d2198e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7c6b03ecae4f1de8be44425b17701c6

SHA1
6603262397885fd546b60d0f6145f1e2c1405ffd

SHA256
9b5163016248aec5e2bd2906f248584dcf5a638d28a84783a7ad8aab03cd1b84

SHA512
057fce3ae03050c3b734d3767b91fff89ce09cbd82f17a715100d3cf2f74f73ec6492dadbf34d2822e332e040aaad44ddf3580a5f7a284989b58a3b9bcee0453

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eab05b618448c4a4beefef9381024674

SHA1
f2127f76fcb81470cf58a588e4ed8efa7cb33770

SHA256
a6b79864418d01aa0c0c75aafe18354e0f424aa4fa1793413bee27bd82c2eacf

SHA512
5f1a25b7c7ab543f1282b3d028f5defaee1bb4cd14a586d83b160ac84c62c7e48396226b4100cb8b2635c284d2502f0298aa26c28f90bc77ef1f41baeb846d7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20a2a2179707497f19bb1a0fd9e8c626

SHA1
25244813ab8f49e1aa886db3c6c9a484845cd3c0

SHA256
1994958255d95429ffda1e2bb9e5d79c10c26817518a602d8f527d2f71c2af36

SHA512
fb0ac458224115f7b993e41f3f687343299093474fa8c0529a32805e2e265fa9e00878a9673555319cea69840e47dff6183a5743193742320e9b984b4d41e251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31b36610c986a0e92e34894c753fa108

SHA1
e2f57228354227aabe5a37d2cf68279e74e227a4

SHA256
586f46bd559f0163db03a3f45d571aba7f01ace39407b060486ffa0ddf564746

SHA512
4cd5be0164eef362a435bbaa88795462e5ebb7b70081931e4c0aab2820a3311827d3e1fe4603ff7434777f9ab7e033696b3c585cc894af30e715ced3c367592f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48e9ddbb5b359017f3c565da0af87698

SHA1
e95ea678880502d35a1348fdfc0c2db4dc2e2684

SHA256
b85005724475ad68996804dd905dd020a399f3cb632b2c906a2e789d3c818edb

SHA512
f074f4b4b6c1b6d9388bd9455ab63b822e2a65bed189b37dbc3185d6be714b381c5790703067d5bf578e17f7308b87bc45f518fc8178b9f9d4a1c35d95fc3a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\129ddd22-a040-47e8-9703-ba9d80ec6943.vbs

Filesize
757B

MD5
edd885146b3a8f348ff7114ac0b689ec

SHA1
424c3d5600e90cc89e14b3891368c1020929fa9f

SHA256
baf7a8598e8edcb3486f6130955107863371a21f2f25e62c867ef68dc1bd4266

SHA512
451042638e095fddba5352c7176b352e0a0dd05d396d3f3e8b040b644488c65f5fec08e740bed1cae35edae6ce669cc1859c018c9bf67dd1363474d9ca2c1493

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b710f29-4dcb-4c10-bb9f-a0d373ad86bd.vbs

Filesize
757B

MD5
0c42586e6d27698d05268d524ee2e432

SHA1
7e8cf5b5c3b67a5078009bdff8faa42856355417

SHA256
e9ab5a6870113d71f7086e669772b0a97283ba6d643efd5db4fe5d3f473264cd

SHA512
50e5d0c246c06da7ca9ae4009fc4dc66b3b1d6759917535a10bbbcb534411581b1766811974e5e7f30ed60e1fc1717aba6e9272e310195cd520355d6d7af848b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ca7257b-88b3-4d9e-adba-785d719dc61b.vbs

Filesize
757B

MD5
52d67603b6b3e6d628ca92292ebe269b

SHA1
d12a25d703157ccf6323c8f9f76f61772bdc2c16

SHA256
57d4d556835da22ffff2e771bbb443d176d04b881f0d63780b50ef13ee0794f8

SHA512
1fd89e105f292994db4a36b6041a4e2e6e0e69c558d5197025b5f5ddf13d73438668791748ef74882dedc4c02dd07e66464ca363d829e8e9754632f68e1e4a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\573d88df-fbee-4e1a-b178-94defe651605.vbs

Filesize
757B

MD5
4b012636a57ffb9817e2b27977ccc14e

SHA1
0fd3ac7ff9b6f21fcd4571c0b58362d6dcc61de3

SHA256
25c13c8702509459d802a32e5507f6ae748b4b319addd9142535b466fc29de3a

SHA512
606ef1dc963a8a112f6c6a9f17bf458ce4dfbf37c64e6ba78841718799620f2ceec8f8846542e134de939de2365d2002483b50c679f36544320173c1445c75e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\59db4efd-b79f-47c6-acf3-e93833f8fdf1.vbs

Filesize
757B

MD5
6fa7a86fd65bfce6017d25f64ea2f29d

SHA1
d5dea78e13e7eaf3f50e222b7759ba9b9f41bc1f

SHA256
e3fdd2bc366655e93cc5e32a51e1839eaf3afb7c4e9cc32a537893925b66246c

SHA512
e6d8c687865c0eb38d6a5f3869550b34adb7e42cfe74ec1c7faaebda1d5a9acd6e0f3d57d6e6e60fd4ca15f3f8e207f5266b225cab9164d48a0272d2b6c57043

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d264708-fecf-4735-8a3b-3365576a9b44.vbs

Filesize
757B

MD5
298ebac435116b89f117fddfce54d6b4

SHA1
6980a695f548b3b124d5afa4081a14c063ba1bbb

SHA256
6853eab47e38df940977329a9924b6876b0da98dcc486e225aa3e8964c53ea8e

SHA512
363a63e76186982cedff788f23f8379b989e6af0797912ac1a03ab4a718b05ea6a1d53746dbc886b709ea45f04bad7cc4fa83af6b69e2c4cf7631195734006d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\652f3ec3-b1e5-4adc-90ca-1dd1bdf35a81.vbs

Filesize
757B

MD5
ad639f4fa23b0b88bebc484cba734e45

SHA1
1b20e7948f7bd1d13c5599c30c6edddcef28d31a

SHA256
b7a79940622b9a3cc8ccda7d5ede17c38209143c31923b0bc841667f514bcdf3

SHA512
ccbff8ff2b12f08c8cbb7d2d329a126df05603184d93c07e3c839d3e13e622b2743f6190871970c5907de090833389f5d1514d5362be9babaa9bb344994ad9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\80250c2a-f815-42f5-9326-34a3c4e61b19.vbs

Filesize
757B

MD5
53033d237074657c35f87253cb13223a

SHA1
eb2e23f5db0b8e99e6b703ef891d83cc5f031f21

SHA256
d25ed8eb8afb8cd2243039d5df7fc85e1401f96841fac41e97cea9ebdbf38209

SHA512
f104cc8a15780aa0048d5d92f49f8d7b4941cfd0c6e59d44280019a4bcac85162be206333bc53e176dd15d0dc712809e2a8b6e7f7bbfe66bd009d5922129dc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC6CA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC6DD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\afed1cc4-f532-4e9a-857b-a7daef91385d.vbs

Filesize
757B

MD5
696a2a606ee2b6303df57c9fa37e59c2

SHA1
9b308dd59107f46a2514730f1fbe361b3fbe06e3

SHA256
6ca7f4c984c8ebfb3900d780a4a36a62267cebf33d34045cce31660a25688045

SHA512
2dfa6c5f89e60c61cc9c8c1e6816370c8da62f59cd70dcefd4779d49fe2e1b5ea23adbe0b7058d9ed5d32c0680240627fb4b5d56ddf49f553272c9c1e3de5ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb9696b6-458b-498c-985f-eaa0e1a41b7c.vbs

Filesize
757B

MD5
65c3f02d0f100e6c294fd9a96cbe5032

SHA1
0182e1c86b302d63d5de5c19dda58452b0031188

SHA256
c06e6a2393906bc30e3ae51c530346bc00e9e214e27e67a3fe192692be9c45cc

SHA512
1659ea683cb38b68bec0c93cc8be9993177ddf9e92abf030aca51ed6033ce55450f4945e490b8702830dfff4001c6d53c8d46ec1635999e27e756097251c1d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8625e51-d382-463d-ae70-26aeafa1de33.vbs

Filesize
533B

MD5
164c19928b1fcd55cf96c5349368e9dd

SHA1
7a6719163912abacb66061bf21966cfe0afd9a29

SHA256
6a1b5927154794ae00aa0b85d9abfc22690d86626da8d8bab2de12bb97b62a4c

SHA512
655f14773f9bc7e7fc772b4b30cce4cb4ebace0b432af14a6243662d1bd02618dbc424c15ae271096e1d8047facbd27155e9ae2d1024ab14e08fcac5dc427d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\e44e4e8c-4e6f-4165-a516-1a55c6648e1e.vbs

Filesize
757B

MD5
fddc4748b1279bd71493c19088ec9aec

SHA1
ec466a19faa90ee46269be372ccaa9f18234d71b

SHA256
10ea054b36bf8abc08a20f91174f57cc3862d1a38ab6d287170c5893a8840449

SHA512
3e82f63ea33fdd40abbe0d9c3d6b52108f9f35feb04ac1d8ec0e1f933694d6eac04cedafa5218078910fdf50c039b97e11e298ac04d071cce3fc078ae2758218

Download Submit
C:\fontMonitor\B6f2SnQ47.bat

Filesize
31B

MD5
d919292d76ba6af3f0a7c88b2d07c4fa

SHA1
0fa76a1456603b525f53d9e787d1a800172afdf8

SHA256
52bde46534a8a1ea436617040c311631ce470e0e60875585921e2b3fbde3809c

SHA512
3a39f5a6a544634841f20d26dcbc3b2f875639e38eb1f5db1d243517ed87e8df542459e3b65d3336c69293a37e8f3ac03fd4a11330163fbf9eb8bc2218e7a9b5

Download Submit
C:\fontMonitor\GFcBidplGj1mDhuTvzK8nh.vbe

Filesize
197B

MD5
692908a9fe7461b9736233b4b217f221

SHA1
b3bb8803bba51dd7c622d2a1e4f2c8e4b1c4184d

SHA256
d3be77c2e695644f8dfbc8342c806f5f48c3074f5ea1000aa300b6c7061e591f

SHA512
f38138284e905c6c877dd67de0858ce6d80403c712249b6e353c51389aa86c67ca29ba4f455d4ab4f1b5f5c6e3c8e1fccbdf01b8d0766aa93b35fb8da5230788

Download Submit
\fontMonitor\chainagent.exe

Filesize
3.3MB

MD5
e74be6bbac3ea0713506397d5d6ef541

SHA1
dc4c91d512cb544c5c458e1aecc6bd8a7fab61f9

SHA256
58440f3b4db0b30ffa0001857bd2cf329d470c518895ac668ab2eb25a10499f7

SHA512
09f31ce980869b6e2d53ee391a62150fdec456ceafa22879f4268094eec03614e77def0dc1adea064e59982838286020e6af45e78c7db3c4cdc1da965c1cd185

Download Submit
memory/1012-1185-0x0000000000840000-0x0000000000852000-memory.dmp

Filesize
72KB

Download
memory/1012-1184-0x0000000000200000-0x000000000055C000-memory.dmp

Filesize
3.4MB

Download
memory/1468-232-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

Filesize
72KB

Download
memory/1488-590-0x00000000002A0000-0x00000000005FC000-memory.dmp

Filesize
3.4MB

Download
memory/1608-115-0x0000000000C00000-0x0000000000C56000-memory.dmp

Filesize
344KB

Download
memory/1620-68-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/1736-1304-0x0000000001240000-0x000000000159C000-memory.dmp

Filesize
3.4MB

Download
memory/1828-470-0x00000000010E0000-0x000000000143C000-memory.dmp

Filesize
3.4MB

Download
memory/1828-471-0x0000000000C90000-0x0000000000CE6000-memory.dmp

Filesize
344KB

Download
memory/2084-829-0x00000000010A0000-0x00000000013FC000-memory.dmp

Filesize
3.4MB

Download
memory/2084-830-0x0000000001050000-0x00000000010A6000-memory.dmp

Filesize
344KB

Download
memory/2652-351-0x0000000000050000-0x00000000003AC000-memory.dmp

Filesize
3.4MB

Download
memory/2756-29-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/2756-23-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/2756-45-0x000000001B080000-0x000000001B08A000-memory.dmp

Filesize
40KB

Download
memory/2756-44-0x000000001B070000-0x000000001B078000-memory.dmp

Filesize
32KB

Download
memory/2756-43-0x000000001B060000-0x000000001B06C000-memory.dmp

Filesize
48KB

Download
memory/2756-42-0x000000001B050000-0x000000001B05E000-memory.dmp

Filesize
56KB

Download
memory/2756-41-0x000000001B040000-0x000000001B048000-memory.dmp

Filesize
32KB

Download
memory/2756-40-0x000000001B030000-0x000000001B03E000-memory.dmp

Filesize
56KB

Download
memory/2756-39-0x000000001AF20000-0x000000001AF2A000-memory.dmp

Filesize
40KB

Download
memory/2756-38-0x000000001AF10000-0x000000001AF1C000-memory.dmp

Filesize
48KB

Download
memory/2756-37-0x000000001AB30000-0x000000001AB38000-memory.dmp

Filesize
32KB

Download
memory/2756-36-0x000000001AB20000-0x000000001AB2C000-memory.dmp

Filesize
48KB

Download
memory/2756-35-0x000000001AB10000-0x000000001AB1C000-memory.dmp

Filesize
48KB

Download
memory/2756-34-0x000000001AB00000-0x000000001AB08000-memory.dmp

Filesize
32KB

Download
memory/2756-33-0x000000001AAF0000-0x000000001AAFC000-memory.dmp

Filesize
48KB

Download
memory/2756-32-0x0000000001310000-0x0000000001322000-memory.dmp

Filesize
72KB

Download
memory/2756-31-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/2756-13-0x0000000001340000-0x000000000169C000-memory.dmp

Filesize
3.4MB

Download
memory/2756-14-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download
memory/2756-30-0x0000000000E70000-0x0000000000E7C000-memory.dmp

Filesize
48KB

Download
memory/2756-28-0x0000000000E50000-0x0000000000E5C000-memory.dmp

Filesize
48KB

Download
memory/2756-27-0x000000001AAA0000-0x000000001AAF6000-memory.dmp

Filesize
344KB

Download
memory/2756-26-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/2756-24-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/2756-25-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/2756-46-0x000000001B090000-0x000000001B09C000-memory.dmp

Filesize
48KB

Download
memory/2756-22-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2756-20-0x0000000000A70000-0x0000000000A86000-memory.dmp

Filesize
88KB

Download
memory/2756-21-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2756-19-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2756-18-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2756-17-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/2756-16-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/2756-15-0x0000000000170000-0x000000000017E000-memory.dmp

Filesize
56KB

Download
memory/2844-710-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/2844-709-0x0000000000ED0000-0x000000000122C000-memory.dmp

Filesize
3.4MB

Download