dcrat | 03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Size

1.5MB
MD5

809d07e665342266dbea6c6017c021f8
SHA1

4e51b1936b39b1df13792cb2ee0a3e2cf2c098b1
SHA256

03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26
SHA512

69908b7064f6a482820eff4e3f83c15f6e6b30dea7d155bb007aa58fecaac1902475c392627c675ea1bcd8cf0158bdcd0d23c735d1ba7f8b85823125823b5dec
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
		2780	schtasks.exe
		1128	schtasks.exe
		2936	schtasks.exe
		2100	schtasks.exe
		2716	schtasks.exe
		2600	schtasks.exe
		1740	schtasks.exe
		2312	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\Windows\\System32\\l2gpstore\\smss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\Windows\\System32\\l2gpstore\\smss.exe\", \"C:\\Windows\\System32\\NlsData0c1a\\taskhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\Windows\\System32\\l2gpstore\\smss.exe\", \"C:\\Windows\\System32\\NlsData0c1a\\taskhost.exe\", \"C:\\Windows\\System32\\devenum\\dwm.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\Windows\\System32\\l2gpstore\\smss.exe\", \"C:\\Windows\\System32\\NlsData0c1a\\taskhost.exe\", \"C:\\Windows\\System32\\devenum\\dwm.exe\", \"C:\\Windows\\System32\\MCEWMDRMNDBootstrap\\csrss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\Windows\\System32\\l2gpstore\\smss.exe\", \"C:\\Windows\\System32\\NlsData0c1a\\taskhost.exe\", \"C:\\Windows\\System32\\devenum\\dwm.exe\", \"C:\\Windows\\System32\\MCEWMDRMNDBootstrap\\csrss.exe\", \"C:\\Users\\Default User\\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\", \"C:\\Windows\\System32\\l2gpstore\\smss.exe\", \"C:\\Windows\\System32\\NlsData0c1a\\taskhost.exe\", \"C:\\Windows\\System32\\devenum\\dwm.exe\", \"C:\\Windows\\System32\\MCEWMDRMNDBootstrap\\csrss.exe\", \"C:\\Users\\Default User\\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe\", \"C:\\Users\\Default User\\csrss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\taskhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2852	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2852	schtasks.exe	29

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1088	powershell.exe
2272	powershell.exe
2472	powershell.exe
1084	powershell.exe
1920	powershell.exe
632	powershell.exe
2124	powershell.exe
2232	powershell.exe
2140	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Executes dropped EXE 11 IoCs

pid	Process
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2936	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2224	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
264	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
808	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2304	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2784	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
1676	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2856	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
1480	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
868	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\taskhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\MCEWMDRMNDBootstrap\\csrss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\l2gpstore\\smss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\NlsData0c1a\\taskhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\devenum\\dwm.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26 = "\"C:\\Users\\Default User\\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\taskhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\devenum\\dwm.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\MCEWMDRMNDBootstrap\\csrss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\explorer.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\l2gpstore\\smss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\NlsData0c1a\\taskhost.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26 = "\"C:\\Users\\Default User\\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\NlsData0c1a\taskhost.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\NlsData0c1a\b75386f1303e64	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\devenum\RCX1E6E.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\devenum\dwm.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\l2gpstore\69ddcba757bf72	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\l2gpstore\RCX19DA.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\l2gpstore\smss.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\NlsData0c1a\RCX1BEE.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\MCEWMDRMNDBootstrap\RCX2082.tmp	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\MCEWMDRMNDBootstrap\csrss.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\MCEWMDRMNDBootstrap\csrss.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\MCEWMDRMNDBootstrap\886983d96e3d3e	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\l2gpstore\smss.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\devenum\6cb0b6c459d5d3	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File opened for modification	C:\Windows\System32\NlsData0c1a\taskhost.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
File created	C:\Windows\System32\devenum\dwm.exe	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1740	schtasks.exe
2312	schtasks.exe
2716	schtasks.exe
2780	schtasks.exe
2600	schtasks.exe
1128	schtasks.exe
2936	schtasks.exe
2100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
632	powershell.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
1084	powershell.exe
2124	powershell.exe
2472	powershell.exe
2140	powershell.exe
1920	powershell.exe
2232	powershell.exe
1088	powershell.exe
2272	powershell.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	2936	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	2224	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	264	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	808	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	2304	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	2784	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	1676	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	2856	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	1480	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Token: SeDebugPrivilege	868	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1088	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	38
PID 2172 wrote to memory of 1088	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	38
PID 2172 wrote to memory of 1088	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	38
PID 2172 wrote to memory of 632	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	39
PID 2172 wrote to memory of 632	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	39
PID 2172 wrote to memory of 632	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	39
PID 2172 wrote to memory of 1084	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	40
PID 2172 wrote to memory of 1084	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	40
PID 2172 wrote to memory of 1084	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	40
PID 2172 wrote to memory of 1920	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	41
PID 2172 wrote to memory of 1920	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	41
PID 2172 wrote to memory of 1920	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	41
PID 2172 wrote to memory of 2124	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	43
PID 2172 wrote to memory of 2124	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	43
PID 2172 wrote to memory of 2124	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	43
PID 2172 wrote to memory of 2472	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	45
PID 2172 wrote to memory of 2472	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	45
PID 2172 wrote to memory of 2472	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	45
PID 2172 wrote to memory of 2140	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	47
PID 2172 wrote to memory of 2140	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	47
PID 2172 wrote to memory of 2140	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	47
PID 2172 wrote to memory of 2272	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	48
PID 2172 wrote to memory of 2272	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	48
PID 2172 wrote to memory of 2272	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	48
PID 2172 wrote to memory of 2232	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	49
PID 2172 wrote to memory of 2232	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	49
PID 2172 wrote to memory of 2232	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	49
PID 2172 wrote to memory of 2376	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	56
PID 2172 wrote to memory of 2376	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	56
PID 2172 wrote to memory of 2376	2172	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	56
PID 2376 wrote to memory of 2760	2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	57
PID 2376 wrote to memory of 2760	2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	57
PID 2376 wrote to memory of 2760	2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	57
PID 2376 wrote to memory of 2700	2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	58
PID 2376 wrote to memory of 2700	2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	58
PID 2376 wrote to memory of 2700	2376	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	58
PID 2760 wrote to memory of 2936	2760	WScript.exe	59
PID 2760 wrote to memory of 2936	2760	WScript.exe	59
PID 2760 wrote to memory of 2936	2760	WScript.exe	59
PID 2936 wrote to memory of 3060	2936	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	60
PID 2936 wrote to memory of 3060	2936	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	60
PID 2936 wrote to memory of 3060	2936	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	60
PID 2936 wrote to memory of 1692	2936	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	61
PID 2936 wrote to memory of 1692	2936	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	61
PID 2936 wrote to memory of 1692	2936	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	61
PID 3060 wrote to memory of 2224	3060	WScript.exe	62
PID 3060 wrote to memory of 2224	3060	WScript.exe	62
PID 3060 wrote to memory of 2224	3060	WScript.exe	62
PID 2224 wrote to memory of 1512	2224	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	63
PID 2224 wrote to memory of 1512	2224	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	63
PID 2224 wrote to memory of 1512	2224	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	63
PID 2224 wrote to memory of 1728	2224	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	64
PID 2224 wrote to memory of 1728	2224	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	64
PID 2224 wrote to memory of 1728	2224	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	64
PID 1512 wrote to memory of 264	1512	WScript.exe	65
PID 1512 wrote to memory of 264	1512	WScript.exe	65
PID 1512 wrote to memory of 264	1512	WScript.exe	65
PID 264 wrote to memory of 2640	264	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	66
PID 264 wrote to memory of 2640	264	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	66
PID 264 wrote to memory of 2640	264	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	66
PID 264 wrote to memory of 1428	264	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	67
PID 264 wrote to memory of 1428	264	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	67
PID 264 wrote to memory of 1428	264	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe	67
PID 2640 wrote to memory of 808	2640	WScript.exe	68

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
"C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\l2gpstore\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsData0c1a\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\devenum\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\MCEWMDRMNDBootstrap\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
  "C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2376
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35622362-c174-4ccf-ae35-1a033f409af6.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
      "C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2936
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0a8bcc3-01c3-4e80-bd04-00e2c82b18cc.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
        
        "C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d9a6ba5-a2ce-4970-8c94-7ba583ea5500.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
        
        "C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38b6a0e9-b644-43a9-8490-f8c600a44041.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
        
        "C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5caf43cf-460f-4959-9c48-22cd51eecf71.vbs"
        11⤵
        
        PID:1584
        
        C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
        
        "C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc383f29-bccb-497b-944e-5314d1ce4428.vbs"
        13⤵
        
        PID:2428
        
        C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
        
        "C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\238dbf23-f4f9-4e56-9666-e04ccac77526.vbs"
        15⤵
        
        PID:2760
        
        C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
        
        "C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8935f1df-d94d-4302-86f1-f76588fc37de.vbs"
        17⤵
        
        PID:2424
        
        C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
        
        "C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5a38a99-9909-46d9-acd4-7175d46a1327.vbs"
        19⤵
        
        PID:2300
        
        C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
        
        "C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\847c440f-ba69-4a53-b7c8-bff2e83bf326.vbs"
        21⤵
        
        PID:2188
        
        C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe
        
        "C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac069e59-bdd5-4264-8e92-c03089eca6d6.vbs"
        23⤵
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\381e6827-c9f8-4dc9-a3ee-fdcda3d0213c.vbs"
        23⤵
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\098f0d46-dd8f-4e30-bf73-b5fc73192d32.vbs"
        21⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac79ada-e8d5-4814-ab7b-7dbc24e986f8.vbs"
        19⤵
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\561da0fe-2db0-4e3e-814a-5d7aff37074c.vbs"
        17⤵
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07c7d6fb-3629-4c5e-b43c-304613984417.vbs"
        15⤵
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb25612a-fe9d-4533-a9e0-3f2fcbdd41d5.vbs"
        13⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8871ca62-be4e-456d-92bd-65a5a418a7f2.vbs"
        11⤵
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4895f077-efc3-4023-ae32-af5963436e4d.vbs"
        9⤵
        
        PID:1428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe991ce9-0d7b-4f30-be19-f20a2239bf39.vbs"
        7⤵
        
        PID:1728
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19cc7148-5606-463d-8e19-b36d62abf373.vbs"
        5⤵
        
        PID:1692
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79bfa4ef-6aff-4d77-851d-75d1facd060a.vbs"
    3⤵
    PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\l2gpstore\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsData0c1a\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\devenum\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\MCEWMDRMNDBootstrap\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26" /sc ONLOGON /tr "'C:\Users\Default User\03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\238dbf23-f4f9-4e56-9666-e04ccac77526.vbs

Filesize
766B

MD5
90325a6049d621e5410fc4fe945f7fb5

SHA1
59a21f0f21410261bec4b23190512eaae1241459

SHA256
30dca314d82feaa422361c3dd4d4ff5e3a558d32a61a7f2507bf35694498c9ab

SHA512
5fdda639e4257b240ab15e8916c0b74acfd47aa71d51db1da82e97ac3919f20f54bea76756cdc089a94c284c90f93b5eea9bb687e4c58dc26aa13b8ab5410d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d9a6ba5-a2ce-4970-8c94-7ba583ea5500.vbs

Filesize
766B

MD5
4543a7c38a01fa5ef5ff2f7f934fa362

SHA1
6ae1db900e1dd4933503f5352664f27119533276

SHA256
097b1d402e444698670c088848fb2c26060c3a5a1554702d4f3df73a4ab11e8a

SHA512
367f1ccf551f96888166a09b541ddcef2d7cc68327d295415e92979fa33dedf73cb5e20f7922bc409c7a4b26e4020c278b44c3a13ab300e1af0036454bdac981

Download Submit
C:\Users\Admin\AppData\Local\Temp\35622362-c174-4ccf-ae35-1a033f409af6.vbs

Filesize
766B

MD5
60c504e631fc3d90379f0bf80c3a37ed

SHA1
9b39940923223bfe344253fb93312b4f0e85d30b

SHA256
467348b16b80c48a1b59479d1c4f0e4e09723f79fb52f80390b37f8ee6cb680a

SHA512
00abd2659944f1260b092fb8c8f28accbd597f3e9c9991aee0e5babfd4bfc292fab82dbefca2893dfdaf56f9e6c7898a77eb47e35908041fade083668eb1c9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\38b6a0e9-b644-43a9-8490-f8c600a44041.vbs

Filesize
765B

MD5
1ae1c5eea8fcffbd007eecb9a47b331c

SHA1
7d7f7eaf7b68d414d579b9af942b11d5e4967057

SHA256
2ebe52d3210119f02db9b4454cf01ce5bde484c316f916641851ec2b36c6fdd6

SHA512
1b420fadb6f69e93d30bd84ba634350a2521320f34f34014c222957c29ff1af3fcc6c528d6f31e8c784b09efd363e84e8658deb2836553f742ab4dee09d7037f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5caf43cf-460f-4959-9c48-22cd51eecf71.vbs

Filesize
765B

MD5
8f8b094874d1a6a4e42b4f70e3224355

SHA1
96bda59b30097ec62bb3f8a8855cb8a955cfad6c

SHA256
c21fe70e58d0d063edcc2fe376cf7e8338b55a535fb5ceec47e6c0e135221b69

SHA512
52008b7084e1d587a7a2e1bbfc4b1d145f62769c9aa5e21035a52d0013377b15f95bcccae17bd9fc2326bcf9e21d65ba7a0de14b2727790a3b9b0538e7648ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\70c9296fcd31ccdbcb9841270e1692161dba3f05.exe

Filesize
1.5MB

MD5
23121c614fbddcb73e6437a9fcb7d5f8

SHA1
c01125572b87b082b0d5cb0b8f2fe1acd187a738

SHA256
1de874aa90079e6ef2244cb2034f05f185837eef76e17c1b001e9d00df6f963b

SHA512
d3295bb12807b1adca04a5162523880aeb57db884f90850a3bc1b70c7c132b24a4126681f62b317989483f61e0091fed61efabdce53668f27763d7591e944128

Download Submit
C:\Users\Admin\AppData\Local\Temp\70c9296fcd31ccdbcb9841270e1692161dba3f05.exe

Filesize
1.5MB

MD5
90354d75812cb5d0129edfb4adb2eec9

SHA1
3c0aceab9cd36c9cce86e277a4edaca3ee0613c1

SHA256
5148f370678ede710cff1f8066cadf7b180ab9122a39aa5ced58e1d68d910eb8

SHA512
8099034d116b79c2b97aa9331fb9805f7d2fec090bae0ef867be3ddcb9f33e23ea95d51eb9d0a4380c672920d01a2f04214bf8dbd943bdd3421b9da63620bba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\79bfa4ef-6aff-4d77-851d-75d1facd060a.vbs

Filesize
542B

MD5
802446c6244be9f5006ffb8f78a9d10d

SHA1
076c4b4893217b71a362887b88fb34d288a73849

SHA256
7ac5c49f02a793979143ff684b496d8aae07157362a6140b145ca2601f44bbf4

SHA512
66db9802a4cc3a05ad44863cd323b8f702189d4ca2d3089f370e99eccd11878655af7b8a484e0bb9b33aef91626edae40371e532a3cee74aec744f5a67174d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\847c440f-ba69-4a53-b7c8-bff2e83bf326.vbs

Filesize
766B

MD5
5ca96866ebf70a4049e054c6021670c1

SHA1
20a4107be34bcb2855dc875fe8c02263c0d2af50

SHA256
5e5d7afbdbe4f739b09587cb5d2de9fb4e147c7e8ed382bafefaf2ba348f2ed1

SHA512
ed79312f04bfbdd628965e00c431bd83fad39ec9e35d48bee93c8994bea3eb056ec110b2309d81f8e74e0ecd29a34bc01ded5f3709233464f260067058285fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8935f1df-d94d-4302-86f1-f76588fc37de.vbs

Filesize
766B

MD5
e8d6ebe3da12add45d7254727e457022

SHA1
d30e447f18ff51fc5b268b27e17d7e843e9f4d53

SHA256
7dd469bb51ea6077e6e944e792d896e8f32f303315e2de6f09ae1c27912e36e3

SHA512
aee8bdb6e817e090e83679f3631f4441dee80f3c1e96e14625a262594b44c1f81cc37f136716c1b57a0182698ef6a50a063fe099288a65cdfc47a8e9a149e40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0a8bcc3-01c3-4e80-bd04-00e2c82b18cc.vbs

Filesize
766B

MD5
7d07c95c6498109a5551262f0c11b40f

SHA1
be6699e9fc5b26e9b800a625fba5db2493495fd8

SHA256
c8cea5085d74b9bdc68f673f65aa4dff534018952a2e670ec32de9ae43e059cf

SHA512
61ab2e40b461e190a54c4a04de3391a26ec34d5b171a4c37ffc4829cd2457d130bb62de611ba5ddd8b334b68dedb3c479b51e0aa5957a015f4d5e18d16b344fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac069e59-bdd5-4264-8e92-c03089eca6d6.vbs

Filesize
765B

MD5
3c2b86c4fb2eeeb42c474ecf941d67ae

SHA1
8e994628001fbb8424205daaaa368065d739e590

SHA256
c6e66eaf7b2359cb77308cb76f01bf5b39b0f322707b93a16328b0c3f14ec98f

SHA512
b20ecd8b1417c2b1a6a0a3665ffb00e2ffeffa13ceea7f74860a87fe70b51b12dc222fcd5e48558bc86d7e5c1fedcf673f66f1e31a6b25c2386218a8d3529bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5a38a99-9909-46d9-acd4-7175d46a1327.vbs

Filesize
766B

MD5
7f159832c2245e61463a482f8080f94d

SHA1
002c46d08bf9c1110b7c66c1ba79a84c4bfe0cc9

SHA256
6b5131b05bfcd2f716650e783c2f390f71c025cedfc55b7765f65ca8c7bd0e5e

SHA512
7343fc5733f2da8f49a65244389abcde1dfce3b5b2d6ca926111da808a5d947a14f0f7c142d2be1bb2b7d86cba168cd1abd93fd452d60d8b43e2f218ca1f9281

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc383f29-bccb-497b-944e-5314d1ce4428.vbs

Filesize
766B

MD5
762b08124297b71e7ea184525ca6f109

SHA1
338c72259b4662fa79dda3b278e190dcb2099cf9

SHA256
f77033df0d4ba84fe4be33494dfc7b717e8024116f12d53ab89db8601fdd5a95

SHA512
d226cd93b6a2f4aae9388d2ca97d9cc8748f19e181768a6cee14997924245a0b8971a184e7225874cc84545a15cc0ca3df1c8f071dbcbe6d612cc2f066fbc145

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OEKGHOV83XXZELOOYTLW.temp

Filesize
7KB

MD5
6ca8580a6820295eb40ec74b45104ff7

SHA1
68ded3853d50fc5b2f5b1af167c8d3ba4bf21c29

SHA256
ce8f32995ffae6c953ee303cfb4c708b0ef341fb5effc164b4b2b45d2b26b09b

SHA512
a2c9135f77031b8ff9410a8f4a5c870f7726d4e35db973329fa3c77793603a8773d3ecb7b6041425974369a84fb6c8a61981392763271fa17c71b4e48a37d22c

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.5MB

MD5
c84dd1ce107b7191d647c3374893a27d

SHA1
b2d9510a54ebaeb8e50987adc9b9273f3438e21c

SHA256
ca3f3099bf06822f9975ca6cd8d3f99da68c533af55e213b68d4c58c225e73c3

SHA512
553627bacdf1286f3b511e2b1730c6556428d59f30e3b715545cc42fb6a0b7abb12d08aae50de2cf55ab4c98cfbe54ef6e1590a6e5f304150d0872946034c3ce

Download Submit
C:\Windows\System32\devenum\dwm.exe

Filesize
1.5MB

MD5
809d07e665342266dbea6c6017c021f8

SHA1
4e51b1936b39b1df13792cb2ee0a3e2cf2c098b1

SHA256
03b631f2b53c3b992a0a0a1ed292646a298c74ee0c82bb11766c0b2e03f38c26

SHA512
69908b7064f6a482820eff4e3f83c15f6e6b30dea7d155bb007aa58fecaac1902475c392627c675ea1bcd8cf0158bdcd0d23c735d1ba7f8b85823125823b5dec

Download Submit
memory/632-137-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/632-136-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/868-265-0x0000000001200000-0x000000000137E000-memory.dmp

Filesize
1.5MB

Download
memory/1480-252-0x00000000002F0000-0x000000000046E000-memory.dmp

Filesize
1.5MB

Download
memory/1480-253-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2172-12-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2172-15-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/2172-36-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-92-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

Filesize
4KB

Download
memory/2172-24-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-100-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-21-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2172-20-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2172-18-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/2172-1-0x0000000000B60000-0x0000000000CDE000-memory.dmp

Filesize
1.5MB

Download
memory/2172-149-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-17-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2172-16-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2172-2-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-3-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2172-27-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-14-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2172-0-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

Filesize
4KB

Download
memory/2172-13-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2172-11-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2172-4-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2172-10-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2172-9-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2172-8-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2172-5-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2172-6-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2172-7-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2304-206-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2376-148-0x0000000000E80000-0x0000000000FFE000-memory.dmp

Filesize
1.5MB

Download
memory/2856-240-0x0000000000160000-0x00000000002DE000-memory.dmp

Filesize
1.5MB

Download
memory/2936-161-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2936-160-0x0000000000F40000-0x00000000010BE000-memory.dmp

Filesize
1.5MB

Download